
Exploit:Java/CVE-2013-2465


First posted on 15 February 2019.
Source: Microsoft

Aliases :

There are no other names known for Exploit:Java/CVE-2013-2465.

Explanation :

Threat in context

Java is a general-purpose programming language, but cases of this exploit are targeted against the Java plug-in for web browsers. The purpose of the Java plug-in is that websites can offer Java programs (or "applets") that run in a "sandbox", where the plug-in enforces rules on what the applet can do so that it cannot escape the restricted environment.

What is an exploit?

Exploits are written to take advantage of weaknesses (or vulnerabilities) in legitimate software. A project called "Common Vulnerability Enumeration" (or "CVE") gives each vulnerability a unique number, in this case "CVE-2013-2465". The portion "2013" refers to the year the vulnerability was discovered, and "2465" is a unique ID for this specific vulnerability. You can find more information on the CVE website.

Payload

Downloads and installs files

This threat can download and run files, including other malware, under your security context.

The malware is contained in a .class file or multiple .class files, depending on the variant. It might download and run malicious programs from a specified URL.

Usually the files are downloaded in the temporary folder (%TEMP%) with a random name, and run from there.

Additional technical details

Exploit:Java/CVE-2013-2465 uses a vulnerability that was found in the 2D component of Java SE. The problem lies in the way the underlying memory operation checks the validity of raster data. Specifically, the memory corruption happens in AWT (Abstract Window Toolkit) code, which performs native operations on the image data used by a Java application.

The vulnerable classes are:

java.awt.image.MultiPixelPackedSampleModel
java.awt.image.SinglePixelPackedSampleModel

Malicious raster data is prepared for the vulnerable classes. A memory copy operation takes place when an image transformation class, for example java.awt.image.AffineTransformOp, is applied to these crafted image objects. The destination raster's memory array is overflowed with hacker-supplied data, and the heap is corrupted at this point.

Unlike many previous Java vulnerabilities, the exploitation happens in native code rather than in code written in Java, and native-level memory corruption is involved. Because the Java internal memory structure is laid out very predictably, exploits of this kind tend to be stable. Usual exploitation involves corrupting a hacker-supplied array data structure: by corrupting the length field of the affected data structure, the malicious code gains full control over the native-level memory space. By searching through this memory space and changing fields related to user privileges, hackers can achieve escalation of privilege.

Usually exploits are written using a few Java classes working together. The various class files are bundled into an archive called a JAR, which uses the ZIP file format. Every JAR contains a Manifest.MF file that identifies it to the Java Runtime; since it is found in every JAR, it is not listed below.

Below are some examples of files that exploit the vulnerability described in CVE-2013-2465:

SHA-1: 2c353782b7fe6280f73e3ff5d01b1f7ccfdfc0ee
Class files: b.class e.class f.class g.class j.class l.class q.class s.class u.class w.class y.class z.class

SHA-1: 65ec5926aa212cf9bf65154772df8ffbe1530bea
Class files: Adddoo.class Addooo2.class MainMyColorModel.class MainMyColorSpace.class Main.class Nn.class Nn2.class

SHA-1: 4787f4e7ba4d16cf569c41c77d55fde806f90cba
Class files: Adddoo.class Addooo2.class MainMyColorModel.class MainMyColorSpace.class Main.class Nn.class Nn2.class

SHA-1: 2d35aebfa9772562bd2757e7b50da9ad68227767
Class files: ago.class nab.class ray.class tuirun.class wow.class yen.class

SHA-1: 1232980a2bffc5423f50dab4453b8363412acb55
Class files: e.class f.class g.class H.class j.class l.class q.class s.class u.class w.class y.class z.class

SHA-1: 31cb898d1f9daa95d0e04626adae283471d7c7b8
Class files: 4vo8ot0ZSbX.class bMlzaxj.class pJAiVPU.class uCKKUSga.class uTQJLVI.class xJfgBJ.class yYinxa.class

SHA-1: eb45fa565a33aeb01b65eda72918f90f5fa90838
Class files: 4vo8ot0ZSbX.class bMlzaxj.class pJAiVPU.class uCKKUSga.class uTQJLVI.class xJfgBJ.class yYinxa.class
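The following triage script is an added example written for this page; it is not Microsoft's tooling or code from any of the samples listed above. It ties together the three technical points of the entry: a JAR is a ZIP archive with a manifest, the exploit is a set of cooperating .class files, and the classes of interest are the two packed sample models together with java.awt.image.AffineTransformOp. The script hashes a JAR and checks the hash against the list above, then parses each class file's constant pool and reports whether any class references those AWT classes. The sample JAR it builds (class names borrowed from the file list, class bodies empty) is a constructed fixture, not a real applet, and the "suspicious" rule is a heuristic of this example, not a rule from the entry.

```python
"""Triage helper: fingerprint a JAR and check whether its classes reference
the AWT sample-model classes named in the CVE-2013-2465 entry."""
import hashlib
import io
import struct
import zipfile

# Hashes listed in the entry above (40 hex digits, SHA-1).
KNOWN_BAD_SHA1 = {
    "2c353782b7fe6280f73e3ff5d01b1f7ccfdfc0ee",
    "65ec5926aa212cf9bf65154772df8ffbe1530bea",
    "4787f4e7ba4d16cf569c41c77d55fde806f90cba",
    "2d35aebfa9772562bd2757e7b50da9ad68227767",
    "1232980a2bffc5423f50dab4453b8363412acb55",
    "31cb898d1f9daa95d0e04626adae283471d7c7b8",
    "eb45fa565a33aeb01b65eda72918f90f5fa90838",
}
# Classes named in the entry, in JVM internal (slash-separated) form.
SAMPLE_MODEL_CLASSES = {
    "java/awt/image/MultiPixelPackedSampleModel",
    "java/awt/image/SinglePixelPackedSampleModel",
}
TRANSFORM_CLASSES = {"java/awt/image/AffineTransformOp"}

# Byte width of the fixed-size constant-pool entries (JVM spec, section 4.4).
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_references(class_bytes):
    """Return the set of class names a .class file references via CONSTANT_Class."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", class_bytes[8:10])  # after magic, minor, major
    pos, index = 10, 1
    utf8, class_name_indexes = {}, []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack(">H", class_bytes[pos:pos + 2])
            pos += 2
            utf8[index] = class_bytes[pos:pos + length].decode("utf-8", "replace")
            pos += length
        elif tag == 7:  # CONSTANT_Class: u2 index of a Utf8 entry
            class_name_indexes.append(struct.unpack(">H", class_bytes[pos:pos + 2])[0])
            pos += 2
        elif tag in _FIXED_SIZE:
            pos += _FIXED_SIZE[tag]
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        index += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots
    return {utf8[i] for i in class_name_indexes if i in utf8}


def scan_jar(jar_bytes):
    """Hash the JAR, list its classes and report references to the AWT classes."""
    report = {"sha1": hashlib.sha1(jar_bytes).hexdigest(), "classes": [],
              "sample_model_refs": set(), "transform_refs": set()}
    report["known_bad"] = report["sha1"] in KNOWN_BAD_SHA1
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:  # a JAR is a ZIP archive
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            report["classes"].append(name)
            refs = class_references(jar.read(name))
            report["sample_model_refs"] |= refs & SAMPLE_MODEL_CLASSES
            report["transform_refs"] |= refs & TRANSFORM_CLASSES
    # Heuristic of this example: a JAR that both builds a packed sample model
    # and feeds it to an image transform matches the pattern the entry describes.
    report["suspicious"] = bool(report["sample_model_refs"] and report["transform_refs"])
    return report


def _minimal_class(this_name, referenced):
    """Constructed fixture: a class file whose constant pool holds only Utf8/Class
    pairs for the given names and whose body is empty. Not a real applet."""
    names = [this_name] + sorted(referenced)
    pool = b""
    for k, name in enumerate(names):
        pool += b"\x01" + struct.pack(">H", len(name)) + name.encode()  # index 2k+1
        pool += b"\x07" + struct.pack(">H", 2 * k + 1)                   # index 2k+2
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, 2 * len(names) + 1)
    # access_flags, this_class, super_class, then empty interfaces/fields/methods/attributes
    tail = struct.pack(">HHHHHHH", 0x21, 2, 0, 0, 0, 0, 0)
    return header + pool + tail


def build_sample_jar(suspicious=True):
    """Constructed in-memory JAR using class names from the entry's file list."""
    refs = (SAMPLE_MODEL_CLASSES | TRANSFORM_CLASSES) if suspicious else {"java/lang/Object"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("Main.class", _minimal_class("Main", refs))
        jar.writestr("MainMyColorModel.class", _minimal_class("MainMyColorModel", {"java/lang/Object"}))
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(scan_jar(build_sample_jar(flag)))
```

The constant-pool walk is the part worth keeping: it is the cheapest way to list which JDK classes an applet touches without loading it, and the same loop works for any other class-name indicator. A hash match is exact but brittle (every repacked JAR changes it), while the class-reference check survives renaming of the attacker's own classes, which is why the listed samples reuse the same JDK classes under different file names.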

Once the exploit has full privileges on your PC, it might:

Run an executable file (that may be detected as malware) included in the JAR
Run an executable file (that may be detected as malware) from a URL hardcoded in the exploit's file
Take instructions (such as a URL to the malware executable) from the HTML file that loaded the classes

Analysis by Jeong Wook (Matt) Oh

Last update 15 February 2019
