10
CVSSv2

CVE-2013-0422

Published: 10/01/2013 Updated: 21/02/2014
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote malicious users to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.

Vulnerability Trend

Affected Products

Vendor Product Versions
OracleJdk1.7.0
OracleJre1.7.0

Vendor Advisories

Synopsis Important: java-170-openjdk security update Type/Severity Security Advisory: Important Topic Updated java-170-openjdk packages that fix two security issues are nowavailable for Red Hat Enterprise Linux 5 and 6The Red Hat Security Response Team has rated this update as havingimportant security ...
Synopsis Critical: java-170-oracle security update Type/Severity Security Advisory: Critical Topic Updated java-170-oracle packages that fix two security issues are nowavailable for Red Hat Enterprise Linux 5 and 6 SupplementaryThe Red Hat Security Response Team has rated this update as having critical ...
OpenJDK 7 could be made to crash or run programs as your login if it opened a specially crafted Java applet ...
Synopsis Critical: java-170-ibm security update Type/Severity Security Advisory: Critical Topic Updated java-170-ibm packages that fix several security issues are nowavailable for Red Hat Enterprise Linux 5 and 6 SupplementaryThe Red Hat Security Response Team has rated this update as having criticalse ...

Exploits

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions Please see the Metasploit # web site for more information on licensing and terms of use # metasploitcom/ ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking includ ...

Metasploit Modules

Java Applet JMX Remote Code Execution

This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in January of 2013. The vulnerability affects Java version 7u10 and earlier.

msf > use exploit/multi/browser/java_jre17_jmxbean
      msf exploit(java_jre17_jmxbean) > show targets
            ...targets...
      msf exploit(java_jre17_jmxbean) > set TARGET <target-id>
      msf exploit(java_jre17_jmxbean) > show options
            ...show and set options...
      msf exploit(java_jre17_jmxbean) > exploit

Github Repositories

Evercookie Evercookie is a Javascript API that produces extremely persistent cookies in a browser Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others This is accomplished by storing the cookie data on as many browser storage mechanisms as possible If cookie data is removed from any of the

penetration 收集的渗透资料,现在分享一下 点个小星星呗~ 欢迎继续提供相关资料,可以issue或者pull request 收集不易 分享请注明来源~ githubcom/w1109790800/penetration 欢迎关注我的公众号: 我的小程序: 目录结构 ├─0day &amp; exp │ ├─08CMS │ ├─AKCMS │ ├─bbsxp │ │ ├─BB

Evercookie Evercookie is a Javascript API that produces extremely persistent cookies in a browser Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others This is accomplished by storing the cookie data on as many browser storage mechanisms as possible If cookie data is removed from any of the

penetration 收集的渗透资料,现在分享一下 地址githubcom/w1109790800原文地址 pg)## 目录结构 ├─0day &amp; exp │ ├─08CMS │ ├─AKCMS │ ├─bbsxp │ │ ├─BBSxp70 │ │ ├─bbsxp综合利用工具 │ │ └─BBSXP论坛漏洞完全注册工具 │ ├─BLUECMS │ ├─CreateLiveCMS │ ├─discuz

Java Applet Persistence for Evercookie What's this? A Java applet implementing a storage mechanism for Evercookie that uses several methods to store persistent cookie data in a browser evercookie-applet was written by Gabriel Bauman and binaries will soon be included in the official Evercookie distribution You can find out more about Evercookie here How does it work? Ev

penetration 收集的渗透资料,现在分享一下 点个小星星呗~ 欢迎继续提供相关资料,可以issue或者pull request 收集不易 分享请注明来源~ githubcom/w1109790800/Permeable 欢迎关注我的公众号: 目录结构 ├─0day &amp; exp │ ├─08CMS │ ├─AKCMS │ ├─bbsxp │ │ ├─BBSxp70 │ │ ├

Evercookie Evercookie is a Javascript API that produces extremely persistent cookies in a browser Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others This is accomplished by storing the cookie data as many browser storage mechanisms as possible If cookie data is removed from any of the st

Evercookie Evercookie is a gem allowing you to use very persistent cookies on your rails project to track existing users on your system It's javascript is based on githubcom/samyk/evercookie javascript Please note, that evercookie can't be fully reliable for detecting previous visiting of your site/application For people who know the job it's simple enou

Recent Articles

Investigation Report for the September 2014 Equation malware detection incident in the US
Securelist • Kaspersky Lab • 16 Nov 2017

In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were tr...

Microsoft Suffered Breach of Its Vulnerabilities Database Back in 2013
BleepingComputer • Catalin Cimpanu • 17 Oct 2017

Five former employees told Reuters that Microsoft quietly dealt with a hack of its vulnerabilities and bug reports database back in 2013 without telling anyone.
The former employees say Microsoft fixed all bugs and vulnerabilities contained in the hacked database within months so that the flaws would have limited use against its users.
Microsoft also investigated breaches at third-party companies in the following period to see if any of the vulnerabilities contained within the breach...

Pr0n-optimised Icepol Trojan's servers seized by Romanian cops
The Register • John Leyden • 03 Feb 2014

Police impound servers and neutralise threat - for now

Romanian police have seized servers associated with the Icepol ransomware scam, effectively taking down the pervasive threat for now.
The Icepol Trojan extorted victims who downloaded it by sending prospective marks a fake message from local police accusing them of downloading copyrighted material or illegal pornography.
The malware locked a victim's desktop before demanding a payment in return for unlocking it.
Icepol was programmed to push out its warnings in one of 25 langua...

Java under attack – the evolution of exploits in 2012-2013
Securelist • Kaspersky Lab • 30 Oct 2013

One of the biggest problems facing the IT security industry is the use of vulnerabilities in legitimate software to launch malware attacks. Malicious programs can use these vulnerabilities to infect a computer without attracting the attention of the user – and, in some cases, without triggering an alert from security software.
That’s why cyber criminals prefer these attacks, known as exploits, over other infection methods. Unlike social engineering, which can be hit or miss, the use of...

The Icefog APT: Frequently Asked Questions
Securelist • GReAT • 26 Sep 2013

Here are answers to the most frequently asked questions related to Icefog, an APT operation targeting entities in Japan and South Korea.

Icefog refers to a cyber-espionage campaign that has been active at least since 2011. It targets governmental institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media, mainly in South Korea and Japan. It is likely that the crew targets orga...

Icefog Espionage Campaign is ‘Hit and Run’ Targeted Operation
Threatpost • Michael Mimoso • 25 Sep 2013

An espionage campaign featuring precise targeting of victims and malware that allows the attackers one-on-one interaction with compromised systems has been uncovered. Government agencies, manufacturers, high tech companies and media organizations in South Korea and Japan have been the primary targets of the campaign called Icefog, which was reported today by researchers at Kaspersky Lab.
The China-based campaign is two years old and follows the pattern of similar APT-style attacks where vi...

Anti-decompiling techniques in malicious Java Applets
Securelist • Vicente Diaz • 19 Aug 2013

While I was investigating the Trojan.JS.Iframe.aeq case (see blogpost) one of the files dropped by the Exploit Kit was an Applet exploiting a vulnerability:
So basically I unzipped the .jar and took a look using JD-GUI, a java decompiler. These were the resulting classes inside the .jar file:

The class names are weird, but nothing unusual. Usually the Manifest states the entry point (main class) of the applet. In this case there was no manifest, but we could see this in the ap...

Visit From an Old Friend: Counter.php
Securelist • Vicente Diaz • 12 Aug 2013

Around one year ago I posted about what were the most common web attacks in Spain and how the malware was spread. It is time for an update!
We regularly collect data regarding infected web sites based in our detections on KSN. Apart from the general verdicts that I usually find in the top of the rank, there was another one in the top 3 for the last months that caught my eye: Trojan.JS.Iframe.aeq.
This verdict was quite popular during the last months specially in .ES sites. The detect...

NSA Whistleblower Article Redirects to Malware
Threatpost • Michael Mimoso • 10 Jun 2013

Update: Aaron Harison, president of the Center for American Freedom, told Threatpost this morning that the issue has been resolved and the site is no longer serving malware. 
Hackers have latched on to the NSA surveillance story—literally.
A news story on the outing of whistleblower Edward Snowden posted to the Washington Free Beacon is serving malware redirecting visitors to a malicious site where more malware awaits. The Free Beacon site remains infected, according to Invincea ...

D.C. Media Sites Hacked, Serving Fake AV
Threatpost • Michael Mimoso • 07 May 2013

Websites belonging to a number of Washington, D.C.-area media outlets have been compromised in a series of opportunistic attacks with criminals using a watering-hole tactic to spread scareware, or phony antivirus software.
Popular D.C. radio station WTOP, sister station Federal News Radio, and the site of technology blogger John Dvorak, were infected with exploits targeting third-party Java or Adobe browser plug-ins. The exploits redirect site visitors to an exploit kit serving a scareware...

New Web-Based MiniDuke Components Discovered
Threatpost • Michael Mimoso • 11 Mar 2013

Researchers at Kaspersky Lab and CrySys Lab have discovered files buried inside a MiniDuke command and control server that indicate the presence of a Web-based facet of the campaign that initially targeted government agencies, primarily in Europe.
Users are likely lured to the malicious webpages via spear phishing messages containing a link to the attack site. The site, which remains active, is serving exploits for patched vulnerabilities in Java and Internet Explorer, research...

Report: Malvertising Campaign Thrives on Dynamic DNS
Threatpost • Chris Brook • 11 Feb 2013

A malvertising campaign that’s lasted almost half a year is staying alive thanks to infected web advertisements being circulated by otherwise clean ad networks.
The campaign, now in its fifth month, relies on the Dynamic Domain Name System (DDNS) to keep it from being caught according to a report from Symantec’s Security Response blog that likens its relationship to a “never-ending story.”
Attackers have been leveraging the ads by inserting their own obfuscated J...

Attackers Exploit Java, Compromise Reporters Without Borders Site
Threatpost • Brian Donohue • 23 Jan 2013

The Java saga continued when unknown, and apparently well concealed goons exploited recent Java and Internet Explorer zero-days to compromise the website of the French-based, free-press advocacy group, Reporters Without Borders. The attack, which attempted to take advantage of the time-gulf that separates Oracle’s patch release from their users’ application of it, is part of a watering hole campaign also targeting Tibetan and Uygur human rights groups as well as Hong Kong and Taiwanese polit...

Latest Java patch is not enough, warns US gov: Axe plugins NOW
The Register • John Leyden • 15 Jan 2013

Metasploit boss says Oracle needs TWO years to make everything good

Security experts advise users to not run Java in their web browsers despite a patch from Oracle that mitigates a widely exploited security vulnerability.
The database giant issued an emergency out-of-band patch on Sunday, but despite this the US Department of Homeland Security continues to warn citizens to disable Java plugins.
"Unless it is absolutely necessary to run Java in web browsers, disable it even after updating to [Java 7 update 11]," the US-CERT team said in an update yest...

ADP-Themed Phishing Emails Lead to Blackhole Sites
Threatpost • Brian Donohue • 14 Jan 2013

Scammers are spamming out malicious emails purporting to come from payroll processing company ADP, according Dancho Danchev of Webroot.
The emails arrive under the subject line “ADP Immediate Notifications” and contain links to compromised websites hosting the latest iteration of the Blackhole exploit kit. The kit is serving CVE-2013-0422 Java exploit, which Danchev claimed was still active when he published his report. However, Oracle appears to have patched the bug someti...

Emergency Zero-Day Patch Does Not Quiet Calls to Disable Java
Threatpost • Michael Mimoso • 14 Jan 2013

Oracle’s emergency Java update this weekend for a zero-day sandbox bypass vulnerability hasn’t exactly kicked off a love-fest for the company among security experts. Researchers are still cautious about recommending users re-enable the ubiquitous software, despite the availability of the fix for the latest zero-day to target the platform. 
Some caution there are still ways to bypass a heightened security configuration in the update, and yet others remain concerned about f...

Java 0-Day Exploit CVE-2013-0422
welivesecurity • Robert Lipovsky • 11 Jan 2013

The infamous exploit packs Blackhole and Nuclear Pack now feature a new zero-day Java exploit that exploits the Java vulnerability CVE-2013-0422. The latest version of Java 7 Update 10 is affected.
Malware spreading through drive-by-downloads often utilizes exploit packs, which are able to serve malware variants without any user interaction, as opposed to other techniques relying on social engineering.
While users of ESET security products are protected from this threat (we detect it...

Java 0day Mass Exploit Distribution
Securelist • Kurt Baumgartner • 09 Jan 2013

Just a quick note, it’s only the second week of January, but early 2013 brings with it the first Java 0day mass exploit distribution of the year.

There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem. We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, a...

References

CWE-264http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.htmlhttp://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.htmlhttp://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.htmlhttp://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.htmlhttp://rhn.redhat.com/errata/RHSA-2013-0156.htmlhttp://rhn.redhat.com/errata/RHSA-2013-0165.htmlhttp://seclists.org/bugtraq/2013/Jan/48http://www.kb.cert.org/vuls/id/625617http://www.mandriva.com/security/advisories?name=MDVSA-2013:095http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.htmlhttp://www.ubuntu.com/usn/USN-1693-1http://www.us-cert.gov/cas/techalerts/TA13-010A.htmlhttps://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdfhttps://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_ushttps://github.com/filip0308/cookiehttps://www.exploit-db.com/exploits/24045/https://www.rapid7.com/db/vulnerabilities/jre-vuln-cve-2012-3174https://nvd.nist.govhttps://usn.ubuntu.com/1693-1/https://www.kb.cert.org/vuls/id/625617