New 0-day vulnerability in Java JRE 1.7.0 Update 15 and 1.6.0 Update 41 is being exploited in the wild

Date:01.03.13 Author:Jan Henrik S.

New Java 0-day vulnerability in the wild.

On Thursday February 28th, the American IT security vendor FireEye published a blog post describing in-the-wild exploitation of a new 0-day vulnerability affecting Java Run-time Environment (JRE) 1.7.0 Update 15 and 1.6.0 Update 41. The discovery comes less than two weeks after the release of Oracle’s Java CPU Special Update on February 19th.

 

Technical details

Unlike previous Java vulnerabilities that could have been mitigated by enabling security controls in the software, this vulnerability can be exploited to read and write memory controlled by the Java Virtual Machine (JVM) process.

 

Upon exploitation of the vulnerability, the attack code searches for parts of the memory that contains the JVM internal data structure and overwrites the containing memory chunk as zero. However, the blog post does not make it clear whether the memory is overwritten with the value “0”, or if a null pointer is set.

 

After successful exploitation, CVE-2013-1493, malware named Mc Remote Access Tool - McRAT (MD5: 4d519bf53a8217adc4c15d15f0815993) is installed. According to VirusTotal, the current detection ratio for this malware is 21/46.

 

According to FireEye, the exploit is “not very reliable”, as it attempts to overwrite a large part of memory. This implies that while an exploit may download the payload, it might fail to execute properly, crashing the JVM.

 

A successful exploit will generate the following HTTP command and control traffic pattern:

POST /59788582 HTTP/1.0
Content-Length: 44 
Accept: text/html,application/xhtml+xml,application/xml,*/* 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) 
Host: 110.XXX.55.187 [REDACTED BY FIREEYE]
Pragma: no-cache 

4PdWXOD3Vlzg91Zc4PdWXOD3Vlzg91Zc4PdWXMP1RXw.

 

McRAT will write a copy of itself as a DLL-file to the following path:

C:\Documents and Settings\admin\AppMgmt.dll

 

Furthermore, it will make the following registry modifications:

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\"ServiceDll" = C:\Documents and Settings\admin\AppMgmt.dll 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\"ServiceDll" = %SystemRoot%\System32\appmgmts.dll

 

Consequences

This vulnerability enables the exploitation of all clients with Java JRE 1.7.0 Update 15 and 1.6.0 Update 41.

 

This is critical because version Java JRE 1.7.0 Update 15 is the current version, and Java JRE 1.6.0 reached a so-called end-of-life status in February, meaning the product will no longer receive security updates.

 

Our recommendation

Our recommendation is to disable Java in the browser until a patch is available.

 

Alternatively, we recommend to set Java security settings to “High”, not allowing execution of unknown Java applets from outside your organization.

 

Furthermore, we recommend removing Java JRE 1.6.0 completely, pending the release of the next Java JRE 1.7.0 update.

 

mnemonic recommends that clients compromised through this vulnerability are isolated and re-installed/re-imaged. Unless you suspect this to be part of a targeted attack, in which case we recommend a more thorough investigation of the infected client and the incident as a whole.

 

Customers with security monitoring from mnemonic

mnemonic security monitoring customers are already protected by correlation signatures which targets the implementation of the exploit in the exploit kits, rather than the exploit itself.

 

More information:

http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html

https://www.virustotal.com/en/file/c5bdf8572d3fe3c110e3c56ebd2433169ea968818ec811faf72b322d9bcf94b8/analysis/

Tags:  TI Pulse

Send your comments on this article to blogcomment@mnemonic.no


Jan Henrik Straumsheim Consultant 415 26 290