First posted on 28 March 2019.
Source: Microsoft

Aliases:

There are no other names known for Exploit:Java/CVE-2013-0422.

Explanation:

Exploit:Java/CVE-2013-0422 is a malicious Java applet that tries to exploit a vulnerability (CVE-2013-0422) in Oracle JRE 7.

Threat in context

Java is a general-purpose programming language, but cases of this exploit are targeted against the Java plug-in for web browsers. The intent of the Java plug-in is that Java programs (or "applets") can be offered by websites and run in a "sandbox", where the Java plug-in enforces rules on what the applet can do so that it cannot escape the restricted environment.

The first malware to exploit this vulnerability was found in the wild in December 2012 and publicly disclosed in January 2013. It exploits a package-restriction issue in the JRE (Java Runtime Environment). The malware uses a typical Java exploitation technique: it loads its malicious payload class in a trusted code area, which makes privilege escalation possible. The payload can be embedded in the JAR (Java Archive) file, or it may be downloaded from the Internet. The payload can be any kind of malware that the attacker wants to deliver to your PC.

What is an exploit?

Exploits are written to take advantage of weaknesses (or vulnerabilities) in legitimate software. A project called Common Vulnerabilities and Exposures (or CVE) is used by many vendors and organizations and gives each vulnerability a unique number, in this case "CVE-2013-0422". The portion "2013" refers to the year the vulnerability was discovered, and "0422" is a unique identifier. There is more information on the Common Vulnerabilities and Exposures website.

Additional technical details

Exploit:Java/CVE-2013-0422 is Java malware that uses a security vulnerability in JRE 7. The problem occurs with the java.lang.invoke.MethodHandle package in JRE 7. MethodHandle is a new feature introduced with JRE 7; it gives developers more convenience and flexibility when working with dynamic languages in Java. Along with this advantage comes a flaw in the security check that applies when MethodHandle is used to resolve classes from its own package. Specifically, a MethodHandle can be created for the java.lang.invoke.MethodHandles.Lookup class, and the security checks are bypassed when the findConstructor method is invoked through this handle.

With this unrestricted access, the malicious code can resolve and run restricted methods from restricted classes. The actual exploitation usually involves access to sun.org.mozilla.javascript.internal.GeneratedClassLoader and the createClassLoader method of that class. Access to this restricted class and method lets the malicious code create and run its malicious payload class with trusted-code privileges. Several other method names suffer from the same issue; the fix applies stricter security checks to those methods.

This vulnerability is a logic error in the package-access check that is triggered when the caller comes from a specific package and the method has one of a specific set of names. The exploitation does not rely on a specific memory layout, which means the exploits are usually portable across multiple platforms, although the majority of the payloads we observed target Windows operating systems.

Usually exploits are written using a few Java classes working together. The various class files are bundled into an archive called a JAR, which uses the ZIP file format. Every JAR contains a Manifest.MF file to identify itself to the Java Runtime. Since it is found in every JAR, it is not listed below.
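As an added example (not from the original write-up or from Microsoft), here is a Python triage helper that opens a JAR as a ZIP archive, parses each class file's constant pool, and reports which of the names discussed above (MethodHandles.Lookup, findConstructor, GeneratedClassLoader, createClassLoader) each class references. The JAR it builds is constructed for the demonstration, and the indicator list is an assumption made for triage, not a vendor signature.

```python
import io
import struct
import zipfile

# Names the write-up ties to CVE-2013-0422 (a constructed triage list, not a vendor signature).
INDICATORS = (
    "java/lang/invoke/MethodHandles$Lookup",
    "findConstructor",
    "sun/org/mozilla/javascript/internal/GeneratedClassLoader",
    "createClassLoader",
)
# Constant-pool tag -> payload size in bytes for the fixed-size entry kinds (JVM class-file format).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_utf8_strings(data):
    """Return every CONSTANT_Utf8 entry in a .class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count, pos, index, out = struct.unpack(">H", data[8:10])[0], 10, 1, []
    while index < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            out.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        else:
            pos += _FIXED[tag]
        index += 2 if tag in (5, 6) else 1  # Long and Double take two pool slots
    return out


def scan_jar(jar_bytes):
    """Map each .class entry in a JAR (a ZIP archive) to the indicators its constant pool references."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        pools = {n: class_utf8_strings(jar.read(n)) for n in jar.namelist() if n.endswith(".class")}
    hits = {n: sorted(i for i in INDICATORS if any(i in s for s in pool)) for n, pool in pools.items()}
    return {n: found for n, found in hits.items() if found}  # drop classes with no indicator


def _fake_class(strings):  # constructed, non-loadable class file holding only the given Utf8 entries
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 51, len(strings) + 1) + pool


def sample_jar():  # constructed JAR: manifest, one class with exploit-like references, one benign class
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("Main.class", _fake_class(["Main", *INDICATORS]))
        jar.writestr("Helper.class", _fake_class(["Helper", "java/lang/Object", "<init>"]))
    return buf.getvalue()
```

Real samples frequently assemble these names at runtime or obfuscate them, so a clean result from this scan is not a clean verdict; a hit is a reason to look closer, not proof of exploitation.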

Below are some examples of files that exploit the vulnerability described in CVE-2013-0422:


Once the exploit has full privileges on your PC, it can:

Run an executable file (that may be detected as malware) included in the JAR
Run an executable file (that may be detected as malware) from a URL hardcoded in the exploit's file
Take instructions (such as a URL to the malware executable) from the HTML file that loaded them

Analysis by Jeong Wook (Matt) Oh

Last update 28 March 2019