RSS

Java Exploit Attack (CVE-2012-0507)

30 Mar

Another exploit that has to do with the Java SE is affecting end users and allows attackers to distribute malware and to obtain remote shells.The people behind Metasploit Framework have created a module based on partial code of this exploit.

According to Microsoft ”the vulnerability exploits a flaw in the deserialization of “AtomicReferenceArray” objects, which allows remote attackers to call system level Java functions via the ClassLoader of a constructor that is being deserialized without proper sandboxing.”

In this article we will see how we can use that exploit in order to attack a remote system.

We are opening the Metasploit Framework and we are searching for the java_atomicreferencearray exploit.

Search for Java Atomic Reference Array Exploit

 

We will use that exploit in order to test it against a machine that has installed the Java SE version 6 update 30.

Options for the Java Exploit

 

While executing the show options command in order to see the available options and settings we saw two things.First that the default port that the exploit will listen is 8080 and the URI path is blank.If we want to use this exploit on a real penetration test against our clients employees,it would be a good practice to change  the port to 80 and the URI path to / in order not to create any suspicious when we will send the link to them.Leaving the URI path to blank it will create a random path that it would not look legitimate so our test may fail.So we are giving the following settings to the exploit:

Java Exploit Settings and Payloads

 

As a payload we will use a Java command Shell and we will set our IP address:

Configuring the payload

 

We have done a last check with the show options command in order to check if the settings of the payload are properly configured:

Payload Options

 

Now it is time to run the exploit.As we can see from the image below the exploit will start a reverse handler to our machine and it will wait for anyone that will connect to our machine through our http server.

Execution of the Java Exploit

 

If someone tries to connect to our http server the exploit will executed and it will return a shell to us if the victim is having a vulnerable version of Java.Alternatively an attacker could use a popular website in order to redirect the users through iFrames to a new webpage where the exploit will executed.

Exploiting the Vulnerability

 

List the sessions that the Java Exploit opened

 

Affected Java Software

  • versions 7 update 2,
  • versions 6 update 30 and
  • versions 5 update 33

 

Conclusion

This vulnerability exists because the AtomicReferenceArray class is not checking properly whether the array is an appropriate object type.Most of the attackers are using this exploit in order to distribute malware to victim machines.Until now this type of attack can be detected only by two antivirus McAfee and NOD32 and affects various platforms from Windows to Linux and MacOS X so you need to patch your Java runtime environment in order to protect your systems from this attack.

References

http://www.securityfocus.com/bid/52161/info

http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit:Java/CVE-2012-0507.A

http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp

About these ads
 
13 Comments

Posted by on March 30, 2012 in Exploitation Techniques

 

Tags: , , ,

13 responses to “Java Exploit Attack (CVE-2012-0507)

  1. Mario

    March 30, 2012 at 2:47 pm

    And how would you remotely identify the running Java version?

     
  2. netbiosX

    March 30, 2012 at 3:11 pm

    Good point.You cannot determine it that remotely.Attackers are just using other websites in order to redirect the traffic to a new page and they are hoping that some of the users will run vulnerable versions of the JRE in order to exploit them.That’s why they are choosing websites that have high traffic.In a White-box testing maybe you will have that information if there is inside the scope.

     
    • Mario

      March 30, 2012 at 3:13 pm

      That’s what I thought. You can probably infer by accessing other available services. If any java apps are running via http, you can assume it has SOME version of Java. but also never heard of any way to remotely fingerprinting Java versions.:)
      cheers

       
    • vidar

      January 2, 2013 at 9:26 am

      They actually use plugin detect and redirect depending on whether they’re running a vulnerable versions of java, flash, adobe reader.

      http://www.pinlady.net/PluginDetect/

       
  3. Oren Me

    April 3, 2012 at 3:06 pm

    Hello,

    When trying to execute under metasploit I get an error that CVE-2012-0507.jar is missing. What am I doing wrong?

     
  4. netbiosX

    April 3, 2012 at 3:15 pm

    Probably you haven’t update your metasploit framework.

     
    • Oren Me

      April 4, 2012 at 7:39 am

      Actually I did update it… What seems to be the problem?

       
  5. netbiosX

    April 5, 2012 at 2:54 am

    If you are using Backtrack5 R2 stop the Apache Server first and then try to run the exploit.Also have a look at the directory /opt/metasploit/msf3/data/exploits to see if the CVE-2012-0507.jar exists.If for some reason the .jar file is not there I can upload it to a hosting site to take it and to put it to the exploit folder.Let us know what happened.

     
  6. About Java

    December 26, 2012 at 12:50 pm

    i update it and executed under metasploit framework, works fine for me.. :)

     

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

Join 676 other followers

%d bloggers like this: