Another Java SE exploit is affecting end users; it allows attackers to distribute malware and to obtain remote shells. The people behind the Metasploit Framework have created a module based on partial code from this exploit.

According to Microsoft, “the vulnerability exploits a flaw in the deserialization of “AtomicReferenceArray” objects, which allows remote attackers to call system level Java functions via the ClassLoader of a constructor that is being deserialized without proper sandboxing.”

In this article we will see how this exploit can be used against a remote system.

We open the Metasploit Framework and search for the java_atomicreferencearray exploit.

Search for Java Atomic Reference Array Exploit

 

We will test the exploit against a machine that has Java SE version 6 update 30 installed.

Options for the Java Exploit

 

Running the show options command to see the available options and settings, we noticed two things: the default port that the exploit listens on is 8080, and the URI path is blank. If we want to use this exploit in a real penetration test against our client's employees, it is good practice to change the port to 80 and the URI path to / so as not to raise suspicion when we send them the link. Leaving the URI path blank creates a random path that would not look legitimate, so our test may fail. So we give the exploit the following settings:

Java Exploit Settings and Payloads

 

As a payload we will use a Java command shell, and we will set our IP address:

Configuring the payload

 

We do a final check with the show options command to confirm that the payload settings are properly configured:

Payload Options

 

Now it is time to run the exploit. As we can see from the image below, the exploit starts a reverse handler on our machine and waits for anyone to connect to our machine through our HTTP server.

Execution of the Java Exploit

 

If someone connects to our HTTP server, the exploit will be executed, and it will return a shell to us if the victim has a vulnerable version of Java. Alternatively, an attacker could use a popular website to redirect users through iframes to a new web page where the exploit will be executed.

Exploiting the Vulnerability

 

List the sessions that the Java Exploit opened

 

Affected Java Software

  • versions 7 update 2,
  • versions 6 update 30 and
  • versions 5 update 33
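
A defender-side check for the version list above, as an added example that is not part of the original article: it parses `java -version` banners and flags runtimes at or below the listed updates. The host names and banners are constructed, and treating earlier updates in each family as affected is an assumption.

```python
import re

# Highest affected update per Java family, taken from the list above.
# Assumption: earlier updates in the same family are affected as well.
LAST_AFFECTED_UPDATE = {5: 33, 6: 30, 7: 2}

# Legacy banners read: java version "1.6.0_30"; no "_NN" suffix means update 0.
VERSION_RE = re.compile(r'version "1\.(\d+)\.0(?:_(\d+))?[^"]*"')

def parse_java_version(banner):
    """Return (family, update) parsed from `java -version` output, or None."""
    match = VERSION_RE.search(banner)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2) or 0)

def is_affected(banner):
    """True or False for a recognised banner, None if it cannot be parsed."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    family, update = parsed
    limit = LAST_AFFECTED_UPDATE.get(family)
    return limit is not None and update <= limit

def audit(inventory):
    """Map each host to 'AFFECTED', 'ok' or 'unknown' from its banner."""
    labels = {True: "AFFECTED", False: "ok", None: "unknown"}
    return {host: labels[is_affected(banner)] for host, banner in inventory.items()}

# Constructed inventory: host names and banners are made up for illustration.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.6.0_30"\nJava(TM) SE Runtime Environment (build 1.6.0_30-b12)',
    "ws-02": 'java version "1.6.0_31"',
    "ws-03": 'java version "1.7.0_02"',
    "ws-04": 'java version "1.7.0_03"',
    "srv-01": 'java version "1.5.0_22"',
    "srv-02": "java: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {status}")
```

Banners that do not follow the legacy `1.x.0_NN` scheme are reported as unknown rather than ok, so they can be reviewed by hand.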

 

Conclusion

This vulnerability exists because the AtomicReferenceArray class does not properly check whether the array is of an appropriate object type. Most attackers use this exploit to distribute malware to victim machines. So far, this type of attack is detected by only two antivirus products, McAfee and NOD32, and it affects various platforms, from Windows to Linux and Mac OS X, so you need to patch your Java runtime environment to protect your systems from this attack.

References

http://www.securityfocus.com/bid/52161/info

http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit:Java/CVE-2012-0507.A

http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp