Thursday, January 10, 2013

New Java 0-day - 1.7u10


Following 4 months of relative quiet from the Java front, today marks the appearance of the first 0day since CVE-2012-5088, which was patched by Oracle in October.

Preliminary reports from multiple vendors indicate this exploit shares some characteristics with CVE-2012-5088, according to Trustwave's SpiderLabs:
On top of using java.lang.invoke.MethodHandle.InvokeWithArguments() from CVE-2012-5088, the attacker smartly takes advantage of MBeanInstantiator in order to get a reference to a restricted class from a trusted caller (MBeanInstantiator is trusted). [http://blog.spiderlabs.com/2013/01/first-java-0day-for-the-year-2013.html]
Alienvault has released a screenshot of the exploit in action against a fully patched version of Java. Their conclusions mirror Trustwave's preliminary findings: http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/

Brian Krebs reports that this exploit has already been included in Paunch's Blackhole and Cool Exploit Kits as well as the Nuclear Exploit Kit. The SANS ISC recommends disabling Java if possible. Fortunately, a feature to disable the browser plugin was conveniently rolled into Java 1.7u10.
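The 1.7u10 plugin kill switch is stored in Java's deployment.properties file, so an administrator can verify it is actually set. The audit script below is an added example, not code from the original post; it assumes the setting is the key deployment.webjava.enabled and that appending .locked to a key in the system-wide file stops users from re-enabling it in their own profile, and it uses constructed sample files rather than a real installation.

```python
"""Audit a Java deployment.properties file for the 7u10 browser-plugin switch.

Assumptions (not from the original post): the switch is the key
'deployment.webjava.enabled', and a key with a '.locked' suffix in the
system-wide file cannot be overridden by a per-user file.
"""
import re
from pathlib import Path

KEY = "deployment.webjava.enabled"
LOCK = KEY + ".locked"

def parse_properties(text):
    """Minimal parser for the Java .properties format: '#'/'!' comment lines,
    '=' or ':' as key/value separator, surrounding whitespace stripped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def plugin_status(text):
    """Return (disabled, locked) for the browser plugin setting.
    A missing key means the plugin is enabled, which is the default."""
    props = parse_properties(text)
    disabled = props.get(KEY, "true").lower() == "false"
    locked = LOCK in props
    return disabled, locked

def audit_file(path):
    """Read a deployment.properties file from disk and report its status."""
    return plugin_status(Path(path).read_text())

# Constructed sample: what a hardened system-wide file would contain.
SAMPLE_HARDENED = """\
# Java Deployment Properties (constructed sample)
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
"""

# Constructed sample: a per-user file that never touches the plugin switch.
SAMPLE_DEFAULT = "deployment.security.level=HIGH\n"

if __name__ == "__main__":
    for name, text in (("hardened", SAMPLE_HARDENED), ("default", SAMPLE_DEFAULT)):
        disabled, locked = plugin_status(text)
        print(f"{name}: plugin disabled={disabled}, locked={locked}")
```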

For more information, including the ISC's recommendation and primary sources, follow the link here: http://isc.sans.edu/diary/Java+is+still+exploitable+and+is+likely+going+to+remain+so./14899

Update 1: Exploit code has been published here: http://pastebin.com/raw.php?i=cUG2ayjh

Update 2: CVE candidate has been added: CVE-2013-0422. The exploit has also been ported to Metasploit.

Update 3: Lightly Commented Exploit Code Sample


