Another exploit related to Java SE is affecting end users, allowing attackers to distribute malware and obtain remote shells. The people behind Metasploit Framework have created a module based on partial code of this exploit.
According to Microsoft, "the vulnerability exploits a flaw in the deserialization of "AtomicReferenceArray" objects, which allows remote attackers to call system level Java functions via the ClassLoader of a constructor that is being deserialized without proper sandboxing."
In this article we will see how we can use that exploit in order to attack a remote system.
We open the Metasploit Framework and search for the java_atomicreferencearray exploit.

We will test that exploit against a machine that has Java SE version 6 update 30 installed.

When we ran the show options command to see the available options and settings, we noticed two things: the default port on which the exploit listens is 8080, and the URI path is blank. If we want to use this exploit in a real penetration test against our client's employees, it would be good practice to change the port to 80 and the URI path to / so as not to raise any suspicion when we send the link to them. Leaving the URI path blank creates a random path that would not look legitimate, so our test may fail. So we give the following settings to the exploit:

As a payload we will use a Java command Shell and we will set our IP address:

We have done a last check with the show options command in order to check if the settings of the payload are properly configured:

Now it is time to run the exploit. As we can see from the image below, the exploit will start a reverse handler on our machine and wait for anyone who connects to our machine through our HTTP server.

If someone tries to connect to our HTTP server, the exploit will be executed and will return a shell to us if the victim has a vulnerable version of Java. Alternatively, an attacker could use a popular website to redirect users through iFrames to a new webpage where the exploit will be executed.


Affected Java Software
- versions 7 update 2,
- versions 6 update 30 and
- versions 5 update 33
Conclusion
This vulnerability exists because the AtomicReferenceArray class does not properly check whether the array is of an appropriate object type. Most attackers are using this exploit to distribute malware to victim machines. Until now this type of attack can be detected by only two antivirus products, McAfee and NOD32, and it affects various platforms from Windows to Linux and MacOS X, so you need to patch your Java runtime environment in order to protect your systems from this attack.
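As an added example (not part of the original article or of Metasploit), the Python sketch below checks version strings collected from your own machines against the affected list above. It assumes that each listed update is the last affected one in its family, so earlier updates are flagged too; the host names and inventory lines are constructed.

```python
import re

# Last affected update per Java family, from the article's "Affected Java
# Software" list. Assumption: earlier updates in a family are affected too.
LAST_AFFECTED = {7: 2, 6: 30, 5: 33}

# Legacy version strings such as 1.6.0_30, 1.7.0 or Java/1.5.0_22.
_VERSION_RE = re.compile(r'(?<![\d.])1\.(\d+)\.0(?:_(\d+))?')


def parse_java_version(text):
    """Return (family, update) found in text, or None if nothing matches."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    # A release without an update suffix (e.g. 1.7.0) counts as update 0.
    return int(m.group(1)), int(m.group(2) or 0)


def needs_patch(text):
    """True if affected, False if newer, None if unparsed or family not listed."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    family, update = parsed
    last = LAST_AFFECTED.get(family)
    if last is None:
        return None  # the article gives no data for this family
    return update <= last


def hosts_to_patch(inventory):
    """Return the host names whose reported Java version is affected."""
    return [host for host, text in inventory if needs_patch(text)]


# Constructed sample inventory: (host, `java -version` line or Java UA token).
SAMPLE_INVENTORY = [
    ("ws-01", 'java version "1.6.0_30"'),
    ("ws-02", 'java version "1.6.0_31"'),
    ("ws-03", 'java version "1.7.0_02"'),
    ("ws-04", 'java version "1.7.0_03"'),
    ("ws-05", 'Java/1.5.0_22'),
    ("ws-06", 'java version "1.7.0"'),
    ("ws-07", 'java: command not found'),
]

if __name__ == "__main__":
    print(hosts_to_patch(SAMPLE_INVENTORY))
```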
And how would you remotely identify the running Java version?
Good point. You cannot determine that remotely. Attackers are just using other websites in order to redirect the traffic to a new page and they are hoping that some of the users will run vulnerable versions of the JRE in order to exploit them. That's why they are choosing websites that have high traffic. In white-box testing maybe you will have that information if it is inside the scope.
That's what I thought. You can probably infer by accessing other available services. If any Java apps are running via HTTP, you can assume it has SOME version of Java. But I've also never heard of any way of remotely fingerprinting Java versions. :)
cheers
They actually use plugin detect and redirect depending on whether they're running vulnerable versions of Java, Flash, Adobe Reader.
http://www.pinlady.net/PluginDetect/
Hello,
When trying to execute under metasploit I get an error that CVE-2012-0507.jar is missing. What am I doing wrong?
Probably you haven't updated your Metasploit Framework.
Actually I did update it… What seems to be the problem?
If you are using Backtrack5 R2, stop the Apache Server first and then try to run the exploit. Also have a look at the directory /opt/metasploit/msf3/data/exploits to see if the CVE-2012-0507.jar exists. If for some reason the .jar file is not there, I can upload it to a hosting site for you to take and put in the exploit folder. Let us know what happened.
I updated it and executed it under Metasploit Framework, works fine for me.. 🙂