
Critical Security Bug Detected in Java Template Framework Pebble


A vulnerability in Pebble, a Java templating engine, could allow an attacker to circumvent its security safeguards and launch command injection attacks against host servers.

Pebble Templates is primarily used to generate HTML output, but it can also be employed to generate CSS, XML, JS, and other text formats. The templates are popular because of their user-friendly web application templating syntax, internationalization capabilities, and security features such as auto-escaping and a block-list method access validator intended to thwart command execution attacks.

However, a security researcher at GitHub has found that, with the right code and template files, Pebble's command execution defense can be bypassed easily.

Circumventing Pebble Security 

The bypass works when Pebble is used in combination with Spring, a well-known Java application framework. Multiple Spring classes are registered as beans, which allows them to be loaded dynamically at runtime. By going through the Java beans mechanism, the attacker can obtain one of the Spring objects that supports class loading.

Subsequently, the attacker can use Jackson, a data-parsing library, to read an XML file that specifies a class to instantiate and a method to invoke. This gives a threat actor a way to execute arbitrary code on the host server.

As a proof of concept, the researcher loaded an XML file from the internet using a Pebble template, then instantiated a Java class that allowed server-side system commands to be executed.

No easy solution yet 

The bug report has sparked discussion among GitHub researchers. Because the vulnerability has been assigned a CVE, business systems that depend on the latest version of Pebble are now receiving security alerts.

The maintainers are working on a fix, but since Pebble is a community-driven project, it remains unclear when it will be published. The developers have issued a few temporary workarounds to safeguard projects in the interim.

It is worth noting that to exploit the bug, an attacker would need a way to upload a malicious Pebble template to the server. Hence, organizations should tighten security checks on user-provided content and limit template uploads. Businesses can also apply sanitization to spot and mitigate malicious content before it is used in a template.

Disable Java in your browsers, if installed, as researchers spot a new Java-based zero-day exploit


Researchers from Trend Micro have found suspicious URLs hosting a newly discovered zero-day exploit in Java (a zero-day refers to a hole in software that is exploited by attackers before the vendor becomes aware of it).

Brooks Li, a threat analyst, and Feike Hacquebord, a senior threat researcher, who spotted the exploit, said that this was the first time in nearly two years that a new Java zero-day vulnerability had been reported.

The researchers learned about the exploit after receiving feedback from their Smart Protection Network.

According to the report, this new zero-day Java exploit is being used in spear-phishing attacks targeting the armed forces of a NATO country and a US defense organization.
The zero-day bug affects only the latest Java version, 1.8.0.45, and not the older versions Java 1.6 and 1.7.
The vulnerability has still not been patched by the vendor.

According to the report, the URLs hosting the new Java zero-day exploit are similar to the URLs seen in the attack launched by the threat actors behind Pawn Storm that targeted North Atlantic Treaty Organization (NATO) members and the White House in April 2015.

The researchers have advised users to disable Java in their browsers if it is installed (for example, because some application required it).

Java Bot, a cross-platform malware capable of running on Windows, Mac and Linux


Security researchers at Kaspersky have come across a cross-platform malware that is capable of running on Windows, Mac and Linux.

The malware is written entirely in Java. Even the exploit used to deliver the malware is a well-known Java exploit (CVE-2013-2465), which makes the campaign completely cross-platform.

Once the bot has infected a system, it copies itself into the user's home directory and adds itself to the autostart programs list to ensure it is executed whenever the user reboots the system.

Once the configuration is done, the malware generates a unique identifier and reports it to its master. The criminals then communicate with the bot over the IRC protocol.

The main purpose of the bot appears to be participation in distributed denial-of-service (DDoS) attacks. The attacker can instruct the bot to attack a specific address and specify a duration for the attack.

The malware uses a few techniques to make analysis and detection more difficult. It is protected with the Zelix KlassMaster obfuscator, which not only obfuscates the bytecode but also encrypts string constants.

All machines running Java 7 Update 21 and earlier versions are likely to be vulnerable to this attack.

Cyber criminals inject malicious Java applet into Trading FOREX site


A FOREX trading website was injected with a malicious Java applet designed to drop a malware file on visitors' systems.

A popular FOREX (foreign exchange market) website called "Trading Forex" (tradingforex.com) has been infected with the malware, according to a Websense report.

[Screenshot: injected applet code]

The backdoor dropped from the Trading Forex website is written in Visual Basic .NET and requires Microsoft's .NET Framework to be installed and operational on the victim's computer. It seems the attackers target only those who use the .NET Framework, or perhaps they only know .NET coding?!

It is not the usual Java exploit JAR. It is a simple Java file that loads an exe file hosted on the malware site.

"Basically the Java code is just another Java loader which requires user interaction to successfully load the binary file '123.exe'. One interesting point in the screenshot above is that we can also see in the MANIFEST-INF that the Java applet has been signed with a certificate," the researcher said.

Yet another Java vulnerability discovered, bypasses the sandbox


This is bad news for Java users. The Polish security researcher Adam Gowdiak has found yet another vulnerability in Java that can completely bypass the security sandbox implemented in several versions of the program. The good news is that, so far, there is no exploit code circulating.

According to the researcher, Java SE versions 5, 6, and 7 are affected. He gave details of the discovery in a posting to the Full Disclosure mailing list.

Using the hole, Gowdiak was able to create a Java applet which, when running in the browser, runs with the user's privileges and can then place malicious code on the system and execute it.

"We hope that a news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not going to spoil the taste of [Oracle CEO] Larry Ellison's morning java," Gowdiak joked.

The researcher has already privately sent information about the hole, along with proof-of-concept code, to Java maker Oracle.

CVE-2012-4681: New zero-day Java exploit added to Blackhole exploit kit


As we expected, the cyber criminals have added the new zero-day Java exploit to the BlackHole exploit kit.

According to a post by Paunch, the Blackhole creator, the Java 0-day (CVE-2012-4681) has been available to Blackhole owners since yesterday evening.

"ATTENTION! Added 0day Java exploit to knock for new clothes, breaking is cool ... competitors - Tightens)))" he said (translated).

The exploited vulnerability exists in all versions of Java 7 and can be used to compromise not just Windows but also Apple OS X and Linux systems.

As there is no patch from Oracle, the only way to protect yourself from this attack is to disable Java.

Update: The exploit has been included in other exploit kits, including RedKit and Sakura.

[POC] Source code for the new 0-day Java exploit is available


Security researchers from FireEye have reported that a new zero-day Java vulnerability is currently being exploited in the wild. Most of the recent Java runtime environments, i.e., JRE 1.7.x, are vulnerable.

Initially, the researchers discovered the exploit hosted on a domain named ok.XXX4.net. Currently this domain resolves to an IP address in China.

A successful exploit attempt results in a dropper (Dropper.MsPMs) being installed on the infected system. The dropper executable is located on the same server (http://ok.XXX4.net/meeting/hi.exe).

Dropper.MsPMs connects to the C&C domain hello.icon.pk, which currently resolves to the IP address 223.25.233.244, located in Singapore.

POC:
Metasploit researchers have developed a Metasploit module that exploits this latest vulnerability, and its source code is publicly available (http://pastie.org/4594319).

The researchers successfully exploited a fully patched Windows 7 SP1 with Java 7 Update 6. They have also tested the module against the following environments:

  • Mozilla Firefox on Ubuntu Linux 10.04
  • Internet Explorer / Mozilla Firefox / Chrome on Windows XP
  • Internet Explorer / Mozilla Firefox on Windows Vista
  • Internet Explorer / Mozilla Firefox on Windows 7
  • Safari on OS X 10.7.4

While this exploit is in the wild, it is not being widely used at this time. What is more worrisome is the potential for it to be used by other malware developers in the near future. I believe that this exploit will soon be rolled into the BlackHole exploit kit.

Java users should take this problem seriously, because there is currently no patch from Oracle. We recommend that users either unplug Java from their browser or uninstall it from their computer completely.

Nepalese Government Sites hacked and serves Zegost RAT

Nepalese government sites exploit a Java vulnerability and infect visitors' systems with Zegost malware

Researchers have detected that two Nepalese government websites, the National Information Technology Center (NITC) and the Office of the Prime Minister and Council of Ministers (nitc.gov.np and opmcm.gov.np respectively), have been compromised and are serving Zegost (Gh0st RAT) malware.

The sites were injected with malicious code that tries to exploit the Java vulnerability CVE-2012-0507. After successful exploitation, the visitor's system is infected with Zegost.

Interestingly, the binary installed on infected machines as part of the attack is signed by a valid certificate issued by VeriSign.

"The main page was injected with a Java JAR file loader which once rendered by the Web browser is executed and attempts to exploit the CVE-2012-0507 vulnerability. The name used for the Java class name ("msf.x.Exploit.class") and the content of the file confirmed that the code was taken from the Metasploit framework," Gianluca Giuliani of Websense said in an analysis of the attack.

"If the exploit code in the JAR file has been successfully executed, the exploit shellcode downloads and runs the executable file named "tools.exe" on the impacted system (MD5: 3c7b7124f84cc4d29aa067eca6110e2f)."

Zegost is a known remote administration tool (RAT) that has been used in other targeted attacks, specifically in Asia. Once on an infected machine, the backdoor used in the attack on the Nepalese sites initiates an outbound connection to a C&C server hosted on a domain in China, "who.xhhow4.com".


That same Java vulnerability was used in attacks earlier this year on Amnesty International and the Institute for National Security Studies in Israel, Websense said.