Yara Detection for Java Applet JMX Remote Code Execution (CVE-2013-0422)
Posted: January 12th, 2013 | Author: xanda | Filed under: IT Related | Tags: 0day, CVE-2013-0422, java, yara | 3 Comments
Hi
It's a bit too late for me to write this, but at least CVE-2013-0422 is no longer a secret, and yes, I can share a YARA rule for it.
Anyway, thanks to @kafeine for the disclosure and to Immunity for a very good write-up.
So here you go:
rule CVE_2013_0422
{
    meta:
        description = "Java Applet JMX Remote Code Execution"
        cve = "CVE-2013-0422"
        ref = "http://pastebin.com/JVedyrCe"
        author = "adnan.shukor@gmail.com"
        date = "12-Jan-2013"
        version = "1"
        impact = 4
        hide = false

    strings:
        // Constant-pool class names touched by the JMX / MBeanInstantiator chain
        $0422_1 = "com/sun/jmx/mbeanserver/JmxMBeanServer" fullword
        $0422_2 = "com/sun/jmx/mbeanserver/JmxMBeanServerBuilder" fullword
        $0422_3 = "com/sun/jmx/mbeanserver/MBeanInstantiator" fullword
        // Method names used to load the restricted class and obtain a MethodHandles lookup
        $0422_4 = "findClass" fullword
        $0422_5 = "publicLookup" fullword
        // Rhino classes used by the public exploit to define the payload class
        $class = /sun\.org\.mozilla\.javascript\.internal\.(Context|GeneratedClassLoader)/ fullword

    condition:
        // Note: "all of them" implies "all of ($0422_*)", so the second clause is
        // redundant and $class does not change the outcome as written.
        (all of ($0422_*)) or (all of them)
}
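The rule above looks for plain strings, so it only fires on bytes it can actually see. An applet arrives as a JAR, and the class files inside a JAR are usually deflate-compressed, which means a scan of the JAR itself will miss these strings; you need to inflate the entries first. The script below is an added example (not the author's code or part of MyYaraSIG): it re-implements the rule's five `$0422_*` strings and YARA's `fullword` semantics in pure Python, unpacks a JAR in memory and runs the check on each entry. The JAR and the `.class` bodies it builds are constructed stand-ins (a magic number plus constant-pool style UTF8 entries), not real exploit bytes.

```python
"""Added example: the rule's string logic in pure Python, run over a JAR.

Not from the original post. Mirrors the five $0422_* strings and YARA's
'fullword' rule (no alphanumeric byte on either side of the match). The JAR
and .class bodies built below are constructed stand-ins, not real exploit code.
"""
import io
import re
import zipfile

# The five literal strings from the rule's `all of ($0422_*)` clause.
RULE_STRINGS = [
    b"com/sun/jmx/mbeanserver/JmxMBeanServer",
    b"com/sun/jmx/mbeanserver/JmxMBeanServerBuilder",
    b"com/sun/jmx/mbeanserver/MBeanInstantiator",
    b"findClass",
    b"publicLookup",
]

# The rule's $class regex, with the same fullword guards.
CLASS_RE = re.compile(
    rb"(?<![A-Za-z0-9])sun\.org\.mozilla\.javascript\.internal\."
    rb"(Context|GeneratedClassLoader)(?![A-Za-z0-9])"
)


def fullword_present(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': reject matches that touch an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matches_rule(data: bytes) -> bool:
    """The rule's effective condition: all five $0422_* strings present."""
    return all(fullword_present(data, s) for s in RULE_STRINGS)


def has_rhino_class(data: bytes) -> bool:
    """The $class indicator, reported separately since the condition ignores it."""
    return CLASS_RE.search(data) is not None


def scan_jar(jar_bytes: bytes) -> dict:
    """Inflate each entry and run the rule on the decompressed bytes.

    Returns {entry_name: (rule_matched, rhino_class_seen)}.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entry = zf.read(info.filename)
            results[info.filename] = (matches_rule(entry), has_rhino_class(entry))
    return results


def fake_class(*utf8_entries: bytes) -> bytes:
    """Constructed stand-in for a .class file: the magic number, a version,
    then CONSTANT_Utf8 entries (tag 0x01, u2 length, bytes) laid out as a real
    constant pool would. Not a loadable class."""
    body = b"\xca\xfe\xba\xbe" + b"\x00\x00\x00\x33"
    for s in utf8_entries:
        body += b"\x01" + len(s).to_bytes(2, "big") + s
    return body


def build_sample_jar() -> bytes:
    """Constructed JAR: one entry carrying all rule strings, one benign entry."""
    suspicious = fake_class(
        b"com/sun/jmx/mbeanserver/JmxMBeanServer",
        b"com/sun/jmx/mbeanserver/JmxMBeanServerBuilder",
        b"com/sun/jmx/mbeanserver/MBeanInstantiator",
        b"findClass",
        b"publicLookup",
        b"sun.org.mozilla.javascript.internal.Context",
    )
    # Benign entry: only the Builder is named, so "JmxMBeanServer" occurs only
    # as a prefix of "JmxMBeanServerBuilder" and the fullword check rejects it.
    benign = fake_class(
        b"com/sun/jmx/mbeanserver/JmxMBeanServerBuilder",
        b"com/sun/jmx/mbeanserver/MBeanInstantiator",
        b"findClass",
        b"publicLookup",
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Exploit.class", suspicious)
        zf.writestr("Helper.class", benign)
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    # The deflated JAR hides the strings from a plain byte scan...
    print("raw JAR matches rule:", matches_rule(jar))  # False
    # ...but each inflated entry can be checked on its own.
    for name, (hit, rhino) in scan_jar(jar).items():
        print(f"{name}: rule={hit} rhino_class={rhino}")
```

With the real tool the equivalent is to unpack the JAR first (`unzip` into a directory) and then run `yara -r` over the extracted classes. One detail worth knowing when applying `fullword` to class files: each constant-pool string is preceded by its 2-byte length, and if the low length byte happens to be an ASCII letter or digit, `fullword` sees an alphanumeric byte before the string and rejects the match. The five rule strings have lengths 38, 45, 41, 9 and 12, none of which hit that case, but a longer class name (for example the 56-byte `GeneratedClassLoader` path, whose low length byte is `8`) would.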
Kindly leave a comment if you find ways to improve this rule. Obfuscation? Yes, of course it can be used to bypass this rule as well 😉
Thanks
P/S: MyYaraSIG members should have received this rule/update earlier today. Just git pull, everyone 🙂
How can someone get signed up to your MyYaraSIG group?
As for now, it is not yet ready to become an open group.
Everybody speaks of the exploit, but there is hardly any information on what to do about it. Thanks a lot for providing a YARA rule for the vulnerability.