Posted: January 12th, 2013 | Author: xanda | Filed under: IT Related | Tags: 0day, CVE-2013-0422, java, yara | 3 Comments »
Hi
It’s a bit too late for me to write this, but at least CVE-2013-0422 is no longer a secret.. and yes, I can share a yara rule for this.
Anyway, thanks to @kafeine for the disclosure and thanks to Immunity for a very good write up.
So here you go:
rule CVE_2013_0422
{
    meta:
        description = "Java Applet JMX Remote Code Execution"
        cve = "CVE-2013-0422"
        ref = "http://pastebin.com/JVedyrCe"
        author = "adnan.shukor@gmail.com"
        date = "12-Jan-2013"
        version = "1"
        impact = 4
        hide = false
    strings:
        $0422_1 = "com/sun/jmx/mbeanserver/JmxMBeanServer" fullword
        $0422_2 = "com/sun/jmx/mbeanserver/JmxMBeanServerBuilder" fullword
        $0422_3 = "com/sun/jmx/mbeanserver/MBeanInstantiator" fullword
        $0422_4 = "findClass" fullword
        $0422_5 = "publicLookup" fullword
        $class = /sun\.org\.mozilla\.javascript\.internal\.(Context|GeneratedClassLoader)/ fullword
    condition:
        (all of ($0422_*)) or (all of them)
}
Kindly leave a comment if you find ways to improve this rule. Obfuscation? Yeah, of course it can be used to bypass this rule as well 😉
Thanks
P/S: MyYaraSIG members should have received this rule/update earlier today. Just git pull, everyone 🙂
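To see how the rule's fullword strings and its `all of ($0422_*)` condition behave against the constant-pool bytes of a class file, here is an added Python example: my own re-implementation of the rule's matching logic, not the blog's code and not a replacement for running yara itself. The two class-file samples are constructed inside the script.

```python
import re
from typing import Dict, List, Tuple

# The strings of the CVE_2013_0422 rule above, transcribed verbatim.
RULE_STRINGS: Dict[str, bytes] = {
    "$0422_1": b"com/sun/jmx/mbeanserver/JmxMBeanServer",
    "$0422_2": b"com/sun/jmx/mbeanserver/JmxMBeanServerBuilder",
    "$0422_3": b"com/sun/jmx/mbeanserver/MBeanInstantiator",
    "$0422_4": b"findClass",
    "$0422_5": b"publicLookup",
}
RULE_REGEX = re.compile(
    rb"sun\.org\.mozilla\.javascript\.internal\.(Context|GeneratedClassLoader)")


def fullword_hits(data: bytes, pattern: "re.Pattern[bytes]") -> List[int]:
    """Offsets of matches not flanked by an alphanumeric byte (YARA 'fullword')."""
    hits = []
    for m in pattern.finditer(data):
        before = data[m.start() - 1:m.start()] if m.start() > 0 else b""
        after = data[m.end():m.end() + 1]
        if not before.isalnum() and not after.isalnum():
            hits.append(m.start())
    return hits


def scan_cve_2013_0422(data: bytes) -> Tuple[bool, Dict[str, List[int]]]:
    """Rule condition: all of ($0422_*); $class is reported but not required."""
    hits = {name: fullword_hits(data, re.compile(re.escape(s)))
            for name, s in RULE_STRINGS.items()}
    hits["$class"] = fullword_hits(data, RULE_REGEX)
    return all(hits[name] for name in RULE_STRINGS), hits


def constant_pool_utf8(s: bytes) -> bytes:
    """A CONSTANT_Utf8 entry as stored in a .class file: tag 0x01, 2-byte length, bytes."""
    return b"\x01" + len(s).to_bytes(2, "big") + s


def fake_class(*names: bytes) -> bytes:
    """Constructed stand-in for a class file: magic plus the given constant-pool strings."""
    return b"\xca\xfe\xba\xbe" + b"".join(constant_pool_utf8(n) for n in names)


# Constructed samples (not real malware): one carries every name the rule looks for,
# the other is a harmless class loader that only mentions findClassLoader/publicLookup.
SUSPECT_CLASS = fake_class(*RULE_STRINGS.values(),
                           b"sun.org.mozilla.javascript.internal.Context")
BENIGN_CLASS = fake_class(b"findClassLoader", b"publicLookup", b"java/lang/ClassLoader")

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_CLASS), ("benign", BENIGN_CLASS)):
        matched, hits = scan_cve_2013_0422(blob)
        print(label, "matches" if matched else "clean", {k: len(v) for k, v in hits.items()})
```

Each constant-pool string is preceded by its 2-byte length, so a fullword hit here depends on the low length byte not being alphanumeric; confirm the same verdicts by running the real rule through yara.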
Posted: May 8th, 2010 | Author: xanda | Filed under: IT Related | Tags: 0day, jsunpack, rule, safari, window.parent.close(), yara | 1 Comment »
rule SafariWindowParentClose
{
    meta:
        ref = "Safari window.parent.close()"
        impact = 7
    strings:
        $SafariWindowParentClose_1 = /.*?.prompt\(alert\)/
        $SafariWindowParentClose_2 = /.*?.prompt\(.*?\)/
        $SafariWindowParentClose_3 = /.*?.close\(\)/
    condition:
        all of them
}
Posted: May 8th, 2010 | Author: xanda | Filed under: IT Related | Tags: 0day, exploit, safari, window.parent.close() | 1 Comment »
I love the smell of Safari 0day in the morning 🙂
Posted: April 21st, 2010 | Author: xanda | Filed under: IT Related | Tags: 0day, Deployment Toolkit, java, jsunpack, yara | No Comments »
rule JavaDeploymentToolkit
{
    meta:
        ref = "CVE-2010-0887"
        impact = 7
    strings:
        $cve20100887_1 = "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" nocase fullword
        $cve20100887_2 = "document.createElement(\"OBJECT\")" nocase fullword
        $cve20100887_3 = "application/npruntime-scriptable-plugin;deploymenttoolkit" nocase fullword
        $cve20100887_4 = "application/java-deployment-toolkit" nocase fullword
        $cve20100887_5 = "document.body.appendChild(" nocase fullword
        $cve20100887_6 = /.*?.launch\(.*?\)/
        $cve20100887_7 = "-J-jar -J" nocase fullword
    condition:
        3 of them
}
Posted: April 20th, 2010 | Author: xanda | Filed under: IT Related | Tags: 0day, CVE-2010-0886, CVE-2010-0887, firefox, internet explorer, java, Java Deployment Toolkit | No Comments »
I’ve played around with the Java Deployment Toolkit exploit last week and found that the exploit is damn easy to trigger, but mitigation is a bit tricky (for Firefox especially, if you have multiple versions of Java installed).
Anyway, the patch has been released and people don’t have to worry much about this anymore.
I’ve written a short analysis of the exploit (sample taken from the wild), soon to be published on the Lebahnet Blog (pending review). I’ve also written a Yara rule to detect this exploit, and it can be used with Jsunpack for automated analysis 🙂 owh.. I’ll publish the rule soon 😉
Many people are talking about this exploit, including this blog. By the time I read through the content, I found that they had published non-valid code (maybe due to improper de-obfuscation or an error during copy and paste for the entry). I left 2 comments, correcting 2 lines of code in the entry. They made the changes but deleted my comments (poor me, no credit :P)
Insyaallah I’ll publish the Yara rule by tomorrow 🙂