Xanda's Blog !~!

Yara Detection for Java Applet JMX Remote Code Execution (CVE-2013-0422)


It’s a bit to late for me to write this, but at least CVE-2013-0422 is no longer a secret.. and yes I can share some yara rule for this

Anyway, thanks to @kafeine for the disclosure and thanks to Immunity for a very good write up.

So here you go:

rule CVE_2013_0422
                description = "Java Applet JMX Remote Code Execution"
                cve = "CVE-2013-0422"
                ref = "http://pastebin.com/JVedyrCe"
                author = "adnan.shukor@gmail.com"
                date = "12-Jan-2013"
                version = "1"
                impact = 4
                hide = false
                $0422_1 = "com/sun/jmx/mbeanserver/JmxMBeanServer" fullword
                $0422_2 = "com/sun/jmx/mbeanserver/JmxMBeanServerBuilder" fullword
                $0422_3 = "com/sun/jmx/mbeanserver/MBeanInstantiator" fullword
                $0422_4 = "findClass" fullword
                $0422_5 = "publicLookup" fullword
                $class = /sun\.org\.mozilla\.javascript\.internal\.(Context|GeneratedClassLoader)/ fullword 
                (all of ($0422_*)) or (all of them)

Kindly leave comment I you find ways to improvement this rule. Obfuscation? yeah of course can be used to bypassed this rule as well 😉


P/S: MyYaraSIG members should have receive this rule/update earlier today. Just git pull everyone 🙂

Yara Rule for Safari window.parent.close()

rule SafariWindowParentClose
      ref = "Safari window.parent.close()"
      impact = 7
      $SafariWindowParentClose_1 = /.*?.prompt\(alert\)/
      $SafariWindowParentClose_2 = /.*?.prompt\(.*?\)/
      $SafariWindowParentClose_3 = /.*?.close\(\)/
      all of them

Safari 0day

I love the smell of Safari 0day in the morning 🙂

Yara Rule For CVE-2010-0886 & CVE-2010-0887

rule JavaDeploymentToolkit
      ref = "CVE-2010-0887"
      impact = 7
      $cve20100887_1 = "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" nocase fullword
      $cve20100887_2 = "document.createElement(\"OBJECT\")" nocase fullword
      $cve20100887_3 = "application/npruntime-scriptable-plugin;deploymenttoolkit" nocase fullword
      $cve20100887_4 = "application/java-deployment-toolkit" nocase fullword
      $cve20100887_5 = "document.body.appendChild(" nocase fullword
      $cve20100887_6 = /.*?.launch\(.*?\)/
      $cve20100887_7 = "-J-jar -J" nocase fullword
      3 of them

Java 0day

I’ve play around with Java Deployment Toolkit exploit last week and found that the exploit is damn easy to trigger, but mitigation is a bit tricky (for Firefox especially if you have multiple version of Java installed)

Anyway, the patch released and people dont have to worry much about this anymore.

I’ve wrote a short analysis on the exploit (sample taken from the wild) and soon to be published in the Lebahnet Blog (pending for review). I’ve also wrote Yara rule to detect this exploit and it can be used with Jsunpack for automated analysis 🙂 owh.. I’ll publish the rule soon 😉

Many people are talking about this exploit including this blog. By the time I read through the content, I’ve found that they had published a non-valid code (maybe due to improper de-obfuscation or error during copy and paste for the entry). I’ve left 2 comments, correcting 2 lines of code in the entry. They made the changes but delete my comments (poor me, no credit :P)

Insyaallah I’ll publish the Yara rule by tomorrow 🙂