Yara Detection for Java Applet JMX Remote Code Execution (CVE-2013-0422)
Posted: January 12th, 2013 | Author: xanda | Filed under: IT Related | Tags: 0day, CVE-2013-0422, java, yara
Hi,
It's a bit too late for me to write this, but at least CVE-2013-0422 is no longer a secret, and yes, I can share a YARA rule for it.
Anyway, thanks to @kafeine for the disclosure and thanks to Immunity for a very good write-up.
So here you go:
rule CVE_2013_0422
{
    meta:
        description = "Java Applet JMX Remote Code Execution"
        cve = "CVE-2013-0422"
        ref = "http://pastebin.com/JVedyrCe"
        author = "adnan.shukor@gmail.com"
        date = "12-Jan-2013"
        version = "1"
        impact = 4
        hide = false
    strings:
        $0422_1 = "com/sun/jmx/mbeanserver/JmxMBeanServer" fullword
        $0422_2 = "com/sun/jmx/mbeanserver/JmxMBeanServerBuilder" fullword
        $0422_3 = "com/sun/jmx/mbeanserver/MBeanInstantiator" fullword
        $0422_4 = "findClass" fullword
        $0422_5 = "publicLookup" fullword
        $class = /sun\.org\.mozilla\.javascript\.internal\.(Context|GeneratedClassLoader)/ fullword
    condition:
        (all of ($0422_*)) or (all of them)
}
Kindly leave a comment if you find ways to improve this rule. Obfuscation? Yes, of course it can be used to bypass this rule as well 😉
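To make concrete what the rule does and does not catch, here is an added example that is not part of the original post or of the author's MyYaraSIG repository: a small Python re-implementation of the rule's string matching, including YARA's `fullword` semantics, run over constructed, synthetic constant-pool fragments (tag byte, big-endian u2 length, then the UTF-8 bytes, which is how a `CONSTANT_Utf8` entry is laid out in a `.class` file). It does not use the yara engine; the byte samples are made up for the test and are not real exploit classes. It also shows the fragment-splitting style of obfuscation mentioned above, which defeats plain string matching.

```python
import re

# The plain strings of the rule ($0422_1 .. $0422_5), all declared `fullword`.
# The JMX class names are in the internal slash form that a .class constant pool
# uses for direct class references.
RULE_STRINGS = {
    "$0422_1": b"com/sun/jmx/mbeanserver/JmxMBeanServer",
    "$0422_2": b"com/sun/jmx/mbeanserver/JmxMBeanServerBuilder",
    "$0422_3": b"com/sun/jmx/mbeanserver/MBeanInstantiator",
    "$0422_4": b"findClass",
    "$0422_5": b"publicLookup",
}
# $class: the Rhino classes in dotted form, i.e. as string arguments, not as
# direct class references (which would use slashes).
CLASS_REGEX = re.compile(
    rb"sun\.org\.mozilla\.javascript\.internal\.(Context|GeneratedClassLoader)")


def _is_alnum(byte):
    # YARA's fullword looks at ASCII [A-Za-z0-9] on either side of a match.
    return bytes([byte]).isalnum()


def fullword_match(data, pattern):
    """True if `pattern` occurs in `data` with no alphanumeric byte on either side."""
    for m in pattern.finditer(data):
        before_ok = m.start() == 0 or not _is_alnum(data[m.start() - 1])
        after_ok = m.end() == len(data) or not _is_alnum(data[m.end()])
        if before_ok and after_ok:
            return True
    return False


def scan(data):
    """Evaluate every string of the rule against `data`; returns {identifier: matched}."""
    hits = {name: fullword_match(data, re.compile(re.escape(s)))
            for name, s in RULE_STRINGS.items()}
    hits["$class"] = fullword_match(data, CLASS_REGEX)
    return hits


def matches_cve_2013_0422(data):
    """The rule's condition: (all of ($0422_*)) or (all of them).

    `all of them` is the first clause plus $class, so it can only be true when the
    first clause already is; the condition reduces to "all five $0422_* strings present".
    """
    hits = scan(data)
    all_0422 = all(v for k, v in hits.items() if k.startswith("$0422_"))
    return all_0422 or all(hits.values())


# --- Constructed samples (not real malware). A CONSTANT_Utf8 entry is tag 0x01,
# a big-endian u2 length, then the bytes; we emit only a magic number and a run
# of such entries, which is enough to exercise the string matching.
def utf8_entry(s):
    return b"\x01" + len(s).to_bytes(2, "big") + s


def class_like(*utf8_strings):
    return b"\xca\xfe\xba\xbe" + b"".join(utf8_entry(s) for s in utf8_strings)


SAMPLE_EXPLOIT_LIKE = class_like(
    b"com/sun/jmx/mbeanserver/JmxMBeanServer",
    b"com/sun/jmx/mbeanserver/JmxMBeanServerBuilder",
    b"com/sun/jmx/mbeanserver/MBeanInstantiator",
    b"findClass",
    b"publicLookup",
    b"sun.org.mozilla.javascript.internal.Context",
    b"sun.org.mozilla.javascript.internal.GeneratedClassLoader",
)

# Any custom class loader overrides findClass; that alone must not fire the rule.
SAMPLE_BENIGN = class_like(b"java/lang/ClassLoader", b"findClass", b"loadClass")

# Only the Builder name present: fullword stops $0422_1 matching inside it
# (the match would be followed by the alphanumeric 'B'), so $0422_1 stays false.
SAMPLE_BUILDER_ONLY = class_like(b"com/sun/jmx/mbeanserver/JmxMBeanServerBuilder")

# fullword caveat on binary data: this name is 56 bytes long, so the low byte of
# its u2 length is 0x38, ASCII '8', which is alphanumeric and makes fullword
# reject the match even though the string is fully present.
SAMPLE_GCL_ONLY = class_like(b"sun.org.mozilla.javascript.internal.GeneratedClassLoader")

# The same strings split into fragments that a variant could concatenate at run
# time: no single constant-pool entry holds a whole rule string, so the rule misses it.
SAMPLE_SPLIT = class_like(
    b"com/sun/jmx/mbean", b"server/JmxMBeanServer",
    b"com/sun/jmx/mbean", b"server/JmxMBeanServerBuilder",
    b"com/sun/jmx/mbean", b"server/MBeanInstantiator",
    b"find", b"Class", b"public", b"Lookup",
    b"sun.org.mozilla.javascript.", b"internal.Context",
)

if __name__ == "__main__":
    for name, sample in [("exploit-like", SAMPLE_EXPLOIT_LIKE), ("benign", SAMPLE_BENIGN),
                         ("builder-only", SAMPLE_BUILDER_ONLY), ("gcl-only", SAMPLE_GCL_ONLY),
                         ("split", SAMPLE_SPLIT)]:
        print(f"{name:13} match={matches_cve_2013_0422(sample)} {scan(sample)}")
```

Against a real corpus you would of course run the rule itself (`yara CVE_2013_0422.yar sample.class`, or recursively with `-r` over a directory) rather than this re-implementation; the script is only there to make two properties of the rule visible. First, `fullword` on binary data depends on the bytes around the match, and in a class file the byte before a UTF-8 entry is the low byte of its length, which can itself be an ASCII letter or digit, as the `GeneratedClassLoader` sample shows. Second, because `all of them` implies `all of ($0422_*)`, the `$class` regex never changes the verdict; it is useful for triage output but not for the decision.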
Thanks
P/S: MyYaraSIG members should have received this rule/update earlier today. Just git pull, everyone 🙂