
Exploit:Java/CVE-2012-1723


First posted on 15 February 2019.
Source: Microsoft

Aliases:

There are no other names known for Exploit:Java/CVE-2012-1723.

Explanation:

Threat in context

Java is a general-purpose programming language, but cases of this exploit are targeted against the Java plug-in for web browsers. The intent of the Java plug-in is that Java programs (or "applets") can be offered by websites and run in a "sandbox", where the Java plug-in enforces rules on what the applet can do so that it cannot escape the restricted environment.

What is an exploit?

Exploits are written to take advantage of weaknesses (or vulnerabilities) in legitimate software. A project called Common Vulnerabilities and Exposures (CVE) gives each vulnerability a unique number, in this case "CVE-2012-1723". The portion "2012" refers to the year the vulnerability was discovered, and "1723" is a unique ID for this specific vulnerability. You can find more information on the CVE website.

Payload

Downloads and installs files

If you visit a website containing the malicious code while using a vulnerable version of Java, Exploit:Java/CVE-2012-1723 is loaded. It then tries to download and run files from a remote host/URL, including other malware.

Additional technical details

Exploit:Java/CVE-2012-1723 uses a bug in the field access code inside the Java Runtime Environment. The issue lies in the optimization performed when a field of a class is accessed. A static field of type ClassLoader or Object, together with a bunch of instance fields of a custom data type, is a strong indication of exploitation: the instance fields serve as a buffer area from which a type-confused object is retrieved. After retrieving the ClassLoader instance through type confusion, the exploit takes on its privileges and can then run outside the sandbox.
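The field layout described above (a static ClassLoader or Object field next to a run of instance fields of a custom type) can be checked statically without executing anything. The following checker is an added example, not code from the entry or from Microsoft: it parses the constant pool and field table of a .class file and applies that heuristic; the threshold `min_custom`, the function names and the `build_class` test-input builder are assumptions of this example.

```python
import struct

# Bytes following the tag for fixed-size constant-pool entries (tag 1, Utf8, is variable)
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def field_descriptors(data):
    """Return [(is_static, descriptor)] for every field of a .class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count, off, pool = struct.unpack(">H", data[8:10])[0], 10, [None]
    while len(pool) < count:                          # valid indices are 1..count-1
        tag = data[off]
        if tag == 1:                                  # CONSTANT_Utf8: u2 length + bytes
            n = struct.unpack(">H", data[off + 1:off + 3])[0]
            pool.append(data[off + 3:off + 3 + n].decode("utf-8", "replace"))
            off += 3 + n
        else:
            pool += [None] * (2 if tag in (5, 6) else 1)  # long/double take 2 slots
            off += 1 + CP_FIXED[tag]                  # KeyError on an unknown tag
    off += 6                                          # access_flags, this_class, super_class
    off += 2 + 2 * struct.unpack(">H", data[off:off + 2])[0]   # interfaces table
    n_fields = struct.unpack(">H", data[off:off + 2])[0]
    off, fields = off + 2, []
    for _ in range(n_fields):
        acc, _name, desc, n_attr = struct.unpack(">HHHH", data[off:off + 8])
        off += 8
        for _ in range(n_attr):                       # skip attribute bodies (u2 name, u4 len)
            off += 6 + struct.unpack(">I", data[off + 2:off + 6])[0]
        fields.append((bool(acc & 0x0008), pool[desc]))   # 0x0008 = ACC_STATIC
    return fields

def looks_like_cve_2012_1723(data, min_custom=5):
    """Heuristic from the entry: a static ClassLoader/Object field plus a run of
    instance fields of a non-JDK type. min_custom is an assumed threshold."""
    fields = field_descriptors(data)
    static_hit = any(s and d in ("Ljava/lang/ClassLoader;", "Ljava/lang/Object;")
                     for s, d in fields)
    custom = sum(1 for s, d in fields
                 if not s and d.startswith("L") and not d.startswith("Ljava/"))
    return static_hit and custom >= min_custom

def build_class(specs):
    """Constructed test input: a minimal class file holding the given fields,
    cut off after the field table because the checker reads no further."""
    cp, fields = [], b""
    for is_static, desc in specs:
        cp.append(b"\x01" + struct.pack(">H", len(desc)) + desc.encode())
        fields += struct.pack(">HHHH", 0x0008 if is_static else 0, len(cp), len(cp), 0)
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, len(cp) + 1) + b"".join(cp)
            + struct.pack(">HHHHH", 0, 0, 0, 0, len(specs)) + fields)
```

Run over every .class entry in a JAR (it is a ZIP, so `zipfile` suffices) to triage samples; the heuristic is a triage signal, not proof, since legitimate code can use the same layout.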

Exploit:Java/CVE-2012-1723 attacks the security model rather than a memory corruption issue. With memory corruption issues, the exploit depends on the specific CPU (Central Processing Unit) type and operating system, and might be affected by mitigation technology such as DEP (Data Execution Prevention) or ASLR (Address Space Layout Randomization).

Attacking the security model means that the exploit might be effective on any platform the Java interpreter runs on, for example Windows, MacOS, Linux, etc.

Usually the exploits are written using a few Java classes working together. The various class files are bundled into an archive called a JAR, which uses the ZIP file format. Every JAR contains a Manifest.MF file to identify itself to the Java Runtime Environment. Since it is found in practically every JAR, it is not listed below.

Below are some examples of files that exploit the vulnerability described in CVE-2012-1723:


Once the exploit obtains full privileges on your PC, it might:

Run an executable file (that might be detected as malware) included in the JAR
Run an executable file (that might be detected as malware) from a URL hard-coded in the exploit's file
Take instructions from the HTML file (like a URL to the malware executable) that loaded them

Related information / Related references

The articles referenced below outline some of the technical details of the weakness this vulnerability exploits:

The rise of a new Java vulnerability - CVE-2012-1723
CVE-2012-1723 – Oracle Java Applet Field Bytecode Verifier Cache Remote Code Execution

Analysis by Jeong Wook (Matt) Oh

Last update 15 February 2019
