Pages

Saturday, March 31, 2012

Java CVE-2012-0507 / CVE-2011-3521 (see update below) samples


Examples of referrers blacklisted
by Blackhole exploit kit



Blackhole exploit kit was updated to version 1.2.3 on March 25 and now includes exploit Java CVE-2012-0507. Brian Krebs posted the news in his New Java Attack Rolled into Exploit Packs

In addition, Exploit pack known as "Incognito" (there are rumors that Incognito development stopped after v.2 in 2011 and this is something else) and  Eleonore added CVE-2011-3521(? likely, see comments below) as well.

I will add "Incognito" version when I can.

This is just a quick post to share samples (kindly offered by 0Day.jp Hendrik Adrian) and found in the wild, and links to analysis that was already done for these or similar samples.



(CVE)number

CVE-2012-0507.
malicious Java applet stored within a Java archive (.JAR) that attempts to exploit a vulnerability in the Java Runtime Environment (JRE) up to and including versions 7 update 2, versions 6 update 30 and versions 5 update 33. The vulnerability is described in CVE-2012-0507.

CVE-2011-3521
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE, 7, 6 Update 27 and earlier, and 5.0 Update 31 earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deserialization.

CVE-2012-0506
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to CORBA.

File information

1. BLACKHOLE CVE-2012-0507 with Kalihos.C spambot payload 

File: Pol.jar
Size: 14007
MD5:  82059548745AE4BCCC92E5D350480021

Blackhole exploit kit URL (thanks to Malwaredomainlist) 03bemiasar[.]info/main.php?page=06e22868cf88f397

Exploit and payload URLs (Other http://www.malwaredomainlist.com/mdl.php?search=astaror&colsearch=All&quantity=50)
2012/03/28_20:2703bemiasar.info/main.php?page=06e22868cf88f39787.120.41.191-Blackhole exploit kitWhoisGuard Protected / 927abed5f5ef4939af67ad475a1484b4.protect@whoisguard.com13147BG
2012/03/28_20:2703bemiasar.info/w.php?f=97d19&e=287.120.41.191-trojan downloaderWhoisGuard Protected / 927abed5f5ef4939af67ad475a1484b4.protect@whoisguard.com13147BG
2012/03/28_20:27yrultiq.eu/astaror.exe77.111.132.76ip-132-76-userpool.zalalovo.zelkanet.hu.trojanhostmaster@networking4all.com8462HU



2.  ELEONORE (possibly CVE-2012-0506  > v1.8.91 - Kahusecurity)
File: y.jar
Size: 32041
MD5:  08331A5C7564FD61A84EDEA7FBCF56FC

Update March 31, 2012
Michael Schierl told me that most likely it is NOT CVE-2012-0506 but CVE-2011-3521. I post his explanation below.

"Reason: The fix for -0506 is here

http://icedtea.classpath.org/hg/release/icedtea6-1.10/file/4e7a700d4ecc/patches/security/20120214/7110704.patch

and as you see the only change they were doing is making it impossible to mutate the __ids array by cloning it. Therefore an exploit that exploits it would need to, at some point, obtain a String array from a CORBA class (by directly or indirectly calling _ids) and modifying thevalue in there. In addition, I doubt you can use this vulnerability to execute arbitrary Java code outside the sandbox and/or disable the security manager. You may be able to use it to mess with other CORBA internals (CORBA has some special privileges wrt. to socket connections, like listening on privileged ports or connecting to any host), but no RCE.

In addition, the classes in the AX package look like they try to mirror the in-memory structure of privileged classes (AccessibleObject and Method), therefore making it probable they try to exploit a type confusion as required for exploiting CVE-2011-3521 (like in my article linked below).

HOWEVER, the 2011-3521 was fixed 4 months earlier than 2012-0506, so if you or anyone else has tested it on a release released in the meantime, and it could exploit it, it would mean that my theory is wrong and it must have been one of the other exploits from the February advisory.
For more details about CVE-2011-3521, you may see my article at http://schierlm.users.sourceforge.net/TypeConfusion.html

I've also posted a comment on that Kahu security article.
~ Michael Schierl


3. BLACKHOLE CVE-2012-0507 with GameOver Zeus payload 

File: Pol.jar
Size: 14765
MD5:  8E300391CB3011ED76390C021E20F728

4.
File: CVE2012-0507.jar
Size: 20090
MD5:  7D4644A06161FA476FE238C4E556E17A

Download

 Download Java files as a password protected archive (email me if you need the password)


Exploit Analysis details

82059548745AE4BCCC92E5D350480021 Pol. Jar - - by Hendrik Adrian

83a04bd183ecb9e2598da9b67417cd57bc9f14fa  - by Hendrik Adrian

Escalating Java Attacks by Darryl ( 08331A5C7564FD61A84EDEA7FBCF56FC) - Kahu Security


Microsoft An interesting case of JRE sandbox breach (CVE-2012-0507) - different sample


Incognito - Emerging threats signature by Eoin Miller 
Add ato to accomodate the latest exploit
GET /load.php?showforum=ato
Original signature
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS Incognito exploit kit landing page";
flow:established,from_server; file_data; content:"<applet"; within:500;
content:"lxxt>33"; fast_pattern; flowbits:set,et.exploitkitlanding;
classtype:trojan-activity; sid:2014176; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
CURRENT_EVENTS Incognito exploit kit payload request";
flow:established,to_server; content:"/load.php?showforum="; http_uri;
pcre:"/^\/load.php\?showforum=(obe|rhino|lib|)$/U";
classtype:trojan-activity; sid:2014177; rev:5;)


Atomatic Analysis links

 Virustotal
SHA256:     1dff76ab315e31ad0567d628186245fbc00987de6a7cec5d299116c670596d6b
SHA1:     f4c1470ae547cbf1e9a9ce3e020eda115f013faa
MD5:     8e300391cb3011ed76390c021e20f728
File size:     14.4 KB ( 14765 bytes )
File name:     Pol.jar
File type:     ZIP
Detection ratio:     16 / 42
Analysis date:     2012-03-31 05:14:19 UTC ( 1 day ago )
Antivirus     Result     Update
AhnLab-V3     Java/Blacole     20120330
BitDefender     Exploit.Java.CVE-2012-0507.F     20120331
CAT-QuickHeal     -     20120331
Comodo     UnclassifiedMalware     20120331
Emsisoft     Exploit.Java.Blacole!IK     20120331
F-Secure     Exploit.Java.CVE-2012-0507.F     20120331
GData     Exploit.Java.CVE-2012-0507.F     20120331
Ikarus     Exploit.Java.Blacole     20120331
Kaspersky     Exploit.Java.CVE-2012-0507.q     20120331
McAfee     JV/Exploit-Blacole.a     20120331
McAfee-GW-Edition     JV/Exploit-Blacole.a     20120330
Microsoft     Exploit:Java/Blacole.ET     20120330
NOD32     a variant of Java/Exploit.CVE-2012-0507.D     20120331
Sophos     Troj/Java-EA     20120331
SUPERAntiSpyware     -     20120329
Symantec     Trojan.Maljava     20120331
TrendMicro     JAVA_BLACOLE.JDR     20120331
TrendMicro-HouseCall     JAVA_BLACOLE.JDR     20120331


Virustotal
SHA256:     d34a18ce96afa97e4e1de5bfb00b953b547c7dad84acf35e1969518447eda152
SHA1:     83a04bd183ecb9e2598da9b67417cd57bc9f14fa
MD5:     08331a5c7564fd61a84edea7fbcf56fc
File size:     31.3 KB ( 32041 bytes )
File name:     CVE-2012-0506_Eleonore__y_08331A5C7564FD61A84EDEA7FBCF56FC.jar
File type:     JAR
Detection ratio:     2 / 42
Kaspersky     Exploit.Java.CVE-2012-0507.r     20120331
Symantec     Trojan.Maljava     20120331

3 comments:

  1. Hello,
    Typo: 2013-0506

    Incorrect line:
    VirusBuster - 20120330CVE-2012-0507.D 20120330
    SUPERAntiSpyware is in the list and wasn't detecting it, BitDefender is missing from the list and it was detecting it.

    ReplyDelete
  2. Saw and read all the references written here.
    Can't say much, too many "grey" zone. So below is just some comments:

    1. The exploit code PoC / Shellcode / ASM code of the CVE-2012-0506 is badly needed.
    Still mitre is currently under review regardingly.
    Cobra was a vector used by this exploit, to break JRE privileges which is the bottom line
    of CVE-2012-0506 attack, some malware directly importing Cobra classes to feed it w/strings
    to overflow the stack, what should this to be called then?
    Why suddenly has to be merged with CVE-2011-3521? So what is the purpose Mitre releasing
    CVE-2012-0506? Just don't get it.

    2. CVE-2011-3521(under review) & CVE-2012-0507 has the same JVM target. Yet has to be a slight
    differences. Since I examine PoC of CVE-2012-0507 clear enough, yet not finding solid
    CVE-2011-3521 PoC. No further comment.

    3. The vulnerability talk. These 2(three)exploitation's fixs already released.
    Yet the vector is still in greyzone, was someone even confirming that the released
    patch REALLY fix the flaw? AFAIK, we got many "under review" CVE's and two are w/o PoC.

    No offense guys, just need a solid clarification, with respect.

    Best regards,

    Hendrik ADRIAN

    ReplyDelete
  3. Just put the log dumps upon exploit reproduction using malware file y.jar in virus total here:
    https://www.virustotal.com/file/d34a18ce96afa97e4e1de5bfb00b953b547c7dad84acf35e1969518447eda152/analysis/
    Only this that I can grab.
    I will use this RAT for other tests so don't hope for me to save the logs.
    I hope other researchers also share their dumps.I really hate to admit that malware makers know better about the JRE flaws..

    If I made mistakes pls knocked me out via twitter @unixfreaxjp

    ReplyDelete