PC LOAD LETTER
11th January 2013, 04:36
Summary: http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Analysis: http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
Exploit source: http://pastebin.com/raw.php?i=cUG2ayjh
Edit- Commented exploit source: https://gist.github.com/raw/4506143/cab304b17da3dc056d1181877f2154c972526e56/ExploitNotes.java
[/URL][URL="http://pastebin.com/raw.php?i=cUG2ayjh"] (http://pastebin.com/raw.php?i=cUG2ayjh)
Earlier this morning @Kafeine (https://twitter.com/kafeine) alerted us about a new Java zeroday being exploited in the wild (http://malware.dontneedcoffee.com/). With the files we were able to obtain we reproduced the exploit in a fully patched new installation of Java. As you can see below we tricked the malicious Java applet to execute the calc.exe in our lab.
The Java file is highly obfuscated but based on the quick analysis we did the exploit is probably bypassing certain security checks tricking the permissions of certain Java classes as we saw in CVE-2012-4681 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4681).
Right now the only way to protect your machine against this exploit is disabling the Java browser plugin (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/). Let’s see how long does it take for Oracle to release a patch.
On the other hand we expect a Metasploit module in the upcoming days as it has been happening during the last year as well as most of the exploit kits adopting this new zeroday sooner than later.
We will keep you updated as we obtain more information. Be safe!
Update: It seems both Blackhole and Nuclear Pack exploit kits are using this vulnerability in the wild
Analysis: http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
Exploit source: http://pastebin.com/raw.php?i=cUG2ayjh
Edit- Commented exploit source: https://gist.github.com/raw/4506143/cab304b17da3dc056d1181877f2154c972526e56/ExploitNotes.java
[/URL][URL="http://pastebin.com/raw.php?i=cUG2ayjh"] (http://pastebin.com/raw.php?i=cUG2ayjh)
Earlier this morning @Kafeine (https://twitter.com/kafeine) alerted us about a new Java zeroday being exploited in the wild (http://malware.dontneedcoffee.com/). With the files we were able to obtain we reproduced the exploit in a fully patched new installation of Java. As you can see below we tricked the malicious Java applet to execute the calc.exe in our lab.
The Java file is highly obfuscated but based on the quick analysis we did the exploit is probably bypassing certain security checks tricking the permissions of certain Java classes as we saw in CVE-2012-4681 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4681).
Right now the only way to protect your machine against this exploit is disabling the Java browser plugin (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/). Let’s see how long does it take for Oracle to release a patch.
On the other hand we expect a Metasploit module in the upcoming days as it has been happening during the last year as well as most of the exploit kits adopting this new zeroday sooner than later.
We will keep you updated as we obtain more information. Be safe!
Update: It seems both Blackhole and Nuclear Pack exploit kits are using this vulnerability in the wild