
Java Zero Day exploit

<<

Jamie.R

Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Tue Aug 28, 2012 1:29 pm

Java Zero Day exploit

Hi All,

For anyone that does not know, recently a Java zero day was released.

http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html

http://pastie.org/4594319
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
<<

shadowzero

Full Member

Posts: 120

Joined: Sat Jun 02, 2012 10:03 pm

Post Tue Aug 28, 2012 1:35 pm

Re: Java Zero Day exploit

And it's already in Metasploit.
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Aug 29, 2012 4:02 am

Re: Java Zero Day exploit

Everything points to this being an interesting bug. Immunity have released a blog post indicating that there were actually two different 0-day bugs being exploited to achieve full compromise from the PoC:
"There are 2 different zero-day vulnerabilities used in this exploit: one is used to obtain a reference to the sun.awt.SunToolkit class and the other is used to invoke the public getField method on that class."

shadowzero wrote: And it's already in Metasploit.
Available here

This bug may hang around for a while as there is evidence surfacing that the issue is reproducible in most JRE implementations.
<<

Jamie.R

Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Wed Aug 29, 2012 1:29 pm

Re: Java Zero Day exploit

Yep, and it is also included in the new version of SET.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
<<

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Wed Aug 29, 2012 6:28 pm

Re: Java Zero Day exploit

Played with the Metasploit module last night briefly. Tested against Windows 8 and Defender grabbed it. Attempted to send it to Win7 and WinXPSP3 but kept getting an error on the victim. Then got tired and went to sleep.
Certs: GCWN
(@)Dewser
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Aug 30, 2012 11:00 am

Re: Java Zero Day exploit

I was able to get it working on my up-to-date Backtrack system. I obviously needed to install the official JRE7 package though.
The day you stop learning is the day you start becoming obsolete.
<<

S3curityM0nkey

Jr. Member

Posts: 89

Joined: Mon May 16, 2011 6:47 pm

Post Thu Aug 30, 2012 9:11 pm

Re: Java Zero Day exploit

<<

Jamie.R

Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Fri Aug 31, 2012 3:11 am

Re: Java Zero Day exploit

I saw this last night on Twitter, time to get patching :P
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
<<

m0wgli

Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Sat Sep 01, 2012 2:54 am

Re: Java Zero Day exploit

Here we go again: Critical flaw found in just-patched Java.

http://www.theregister.co.uk/2012/08/31 ... ched_java/
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
<<

cyber.spirit

Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Sun Sep 02, 2012 12:33 am

Re: Java Zero Day exploit

Metasploit has it
ICS Academy Network Security Certified
<<

Jamie.R

Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Sun Sep 02, 2012 2:23 pm

Re: Java Zero Day exploit

m0wgli wrote: Here we go again: Critical flaw found in just-patched Java.

http://www.theregister.co.uk/2012/08/31 ... ched_java/

Any more news on this find?
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
<<

S3curityM0nkey

Jr. Member

Posts: 89

Joined: Mon May 16, 2011 6:47 pm

Post Sun Sep 02, 2012 10:03 pm

Re: Java Zero Day exploit

Blackhole targeting Java vulnerability via fake Microsoft Services Agreement email phish:

https://isc.sans.edu/diary/Blackhole+ta ... hish/14020
<<

Jamie.R

Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Mon Sep 03, 2012 3:56 am

Re: Java Zero Day exploit

Got in this morning to find this.


We've updated the Microsoft Services Agreement, which governs many of our online services - including your Microsoft account and many of our online products and services for consumers, such as Hotmail, SkyDrive, Bing, MSN, Office.com, Windows Live Messenger, Windows Photo Gallery, Windows Movie Maker, Windows Mail Desktop, and Windows Writer. Please read over the new Microsoft Services Agreement here to familiarize yourself with the changes we've made.
The updated agreement will take effect on October 19, 2012. If you continue to use our services after October 19th, you agree to the terms of the new agreement or, of course you can cancel your service at any time.
We have modified the agreement to make it easier to read and understand, including using a question and answer format that we believe makes the terms much clearer. We also clarified how Microsoft uses your content to better protect consumers and improve our products, including aligning our usage to the way we're designing our cloud services to be highly integrated across many Microsoft products. We realize you may have personal conversations and store personal files using our products, and we want you to know that we prioritize your privacy.
Finally, we have added a binding arbitration clause and class action waiver that affects how disputes with Microsoft will be resolved in the United States.
Thank you for using Microsoft products and services!
________________________________________


Microsoft respects your privacy. Please read our online Privacy Statement.

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
<<

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Sep 06, 2012 10:21 am

Re: Java Zero Day exploit

From InfoWorld:


Security pros advise users to ditch Java

The 'write once, run anywhere' software platform has become a favorite of cyber attackers. Is it time for users to kill their Java?

Security firms are being none too gentle with Oracle's Java following the revelation this week that attackers are using two unpatched Java vulnerabilities to compromise selected targets. The most common advice: Uninstall the Java plug-in in your browser and don't use services that require the software.

On Monday, security firm FireEye revealed that a customer had been attacked with a previously unknown vulnerability. Yet Oracle already knew about the security issue and apparently had an update at the ready to be released on its regularly scheduled patch day in October. With reliable exploits for the vulnerabilities rapidly being adopted by security researchers and cyber criminals alike, the company rushed out a fix for the flaw on Thursday.

Overall, the incident has left a bitter taste in the collective mouths of many security professionals.

"I think there is a lot of sentiment toward not using Java at all if you can avoid it," says Stephen Cobb, security evangelist for antimalware firm ESET. "That is what I would say, and I'm not the first to say that, and I'm not alone in saying that."

Security firm Sophos is among the many to recommend that users turn off the Java plug-in within the browser. And the U.S. Computer Emergency Readiness Team (CERT), the response agency for the U.S. government, offered advice for system administrators that boiled down to "remove Java plug-ins." In April, InfoWorld covered the backlash against Java in the wake of the infection of more than 600,000 Mac computers by the Flashback Trojan and pointed out why removing Java infrastructure is not an option for many enterprises.

While Oracle is not to blame for malicious actors using Java, the company needs to clarify its commitment to securing the platform, argues ESET's Cobb.

An analysis of the flaws found that Oracle introduced the issues into Java 7 a year ago and warned that while it was found recently, cyber criminals and intellectual-property thieves had likely been using the attack for months.



For full article:
http://www.infoworld.com/t/web-security ... ava-201457

Don
CISSP, MCSE, CSTA, Security+ SME
<<

Jamie.R

Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Fri Sep 07, 2012 3:14 am

Re: Java Zero Day exploit

To ditch Java, I think, is very hard for any business. As Java says itself, it's used everywhere from TV to bank cards.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er