New Drive By Download exploits Latest Java Vulnerabilities

June 26, 2013

The Dell Sonicwall Threats Research team has found multiple drive-by-download attempts that leverage the underlying Java vulnerabilities and push corresponding malicious Java Applets. These Applets on successful exploitation download a malicious executable that dupes the user into believing that it is an AntiVirus. Specifically, the malware uses a couple of latest Java Vulnerabilities CVE-2013-0422, CVE-2013-2423 and exploits either one of them to get onto the user's system. Oracle has already patched these vulnerabilities which are described below.

  • CVE-2013-0422 : By constructing a malformed Applet that uses getMBeanInstantiator Method of JmxMBeanServer class, an attacker can achieve arbitrary code execution. The MBeanInstantiator allows the attacker to instantiate restricted classes which eventually converts the applet into a trusted one.
  • CVE-2013-2423 : An attacker can create a malformed Applet using MethodHandles Method and type confusion to switch off Java's security mechanism. Once a MethodHandle is obtained using findStaticSetter method, a static final field is allowed to be overwritten thereby causing type confusion.

Following are the sequence of events that lead to a drive-by-download :

User visits an infected webpage containing a malicious obfuscated JavaScript

The script tries to determine the vulnerable Java version.

Malicious applet exploiting CVE-2013-0422 is downloaded as per the first conditional check. Following are some excerpts from decompiled java class files that show the vulnerable Method, getMBeanInstantiator provided by Class, JmxMBeanServer.

Above, "ctrpq" function de-obfuscates the string to getMBeanInstantiator which is the vulnerable Method.

Same, "ctrpq" function gets the Class, com.sun.jmx.mbeanserver.JmxMBeanServer which provides the vulnerable Method.

Malicious applet exploiting CVE-2013-2423 is downloaded as per the second conditional check. Following are some of the decompiled Java instructions that employ vulnerable Method, MethodHandles which again is obfuscated.

We can see "eklaqkjz" function gets the string java.lang.invoke.MethodHandles.

A malicious exe is downloaded and executed after the exploit runs successfully.

The threat team has added following signatures to stop these attacks,

  • IPS: 9925 "Malformed Java Class File 2" covers CVE-2013-0422
  • IPS: 9926 "Malformed Java Class File 3" covers CVE-2013-2423
  • GAV: Kryptik.BCHO