Threat behavior
Exploit:Java/CVE-2010-0094.D is a Java-based vulnerability which affects Java Runtime Environment (JRE) up to version 6 release 18 inclusive. The vulnerability makes it possible for untrusted code to gain full privileges at the level of the user's browser security scope. The vulnerability makes use of the "get" method of "java.rmi.MarshalledObject", which de-serializes an object from an internal byte array. That byte array can contain a previously serialized "ClassLoader" which, once fully de-serialized by the "get" method of "java.rmi.MarshalledObject", becomes fully trusted and can load other classes and methods at the full privileged level outside the sandbox.
Exploit:Java/CVE-2010-0094.D is implemented as a Java applet inside a .jre package. The JRE package is 8724 bytes in size and also contains classes used by the applet. The applet creates an RMIConnectionImpl object with the connection ID string "javasucks". It reads a parameter "url", which it expects to be specified in the HTML file that references the applet, and uses it as the location of a file to be downloaded and executed later on. This information is passed to a separate class contained within the JRE package which downloads the executable file from the remote location, saves it in the %TEMP% directory as "WINDOWS_SECURITY_CENTER.exe" and executes it with elevated privileges.
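The two facts above that a responder can act on are the affected version range (JRE up to 6 update 18) and the dropped file name in %TEMP%. The following triage helper is an added example and is not part of this encyclopedia entry or any vendor tool; the function names, the version-banner parsing and the treatment of every version at or below 1.6.0_18 as "in the affected range" are this example's own assumptions.

```python
import os
import re
import subprocess

# From the entry: the flaw affects JRE up to version 6 update 18 inclusive.
# Represented as (major, minor, patch, update) for tuple comparison.
LAST_AFFECTED = (1, 6, 0, 18)

# From the entry: the filename under which the payload is saved in %TEMP%.
DROPPED_FILENAME = "WINDOWS_SECURITY_CENTER.exe"

# Matches the first line of `java -version` output, e.g.
#   java version "1.6.0_18"
#   openjdk version "11.0.2" 2019-01-15
#   java version "9"
# Minor, patch and update components are optional so newer banners parse too.
_VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?'
)


def parse_java_version(banner):
    """Return (major, minor, patch, update) from a `java -version` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def is_affected_version(version):
    """True when the version is at or below 1.6.0_18, the entry's stated upper bound.

    Assumption (this example's, not the entry's): anything older than 6u18 is
    treated as in range as well, since the entry gives only an upper bound.
    """
    return version is not None and version <= LAST_AFFECTED


def installed_java_version():
    """Run `java -version` (which prints to stderr) and parse it; None if no JRE found."""
    try:
        out = subprocess.run(
            ["java", "-version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return None
    return parse_java_version(out.stderr or out.stdout)


def find_dropped_payload(temp_dir=None):
    """Return the indicator file's path if it exists in the temp directory, else None."""
    temp_dir = temp_dir or os.environ.get("TEMP") or os.environ.get("TMP") or "/tmp"
    candidate = os.path.join(temp_dir, DROPPED_FILENAME)
    return candidate if os.path.isfile(candidate) else None


def triage():
    """Combine both checks into a small report dictionary."""
    version = installed_java_version()
    return {
        "java_version": version,
        "jre_in_affected_range": is_affected_version(version),
        "dropped_payload": find_dropped_payload(),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The version check alone says only that the host would have been susceptible, not that it was exploited; the presence of the named file in %TEMP% is the stronger signal, and an absent file does not rule out a visit to a hosting page, since the browser cache (see below) may still hold the applet.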
Additional information
A number of legitimate websites could be compromised, or could unwittingly host a malicious applet through advertising frames that redirect to or host a malicious Java applet. It is not uncommon for antivirus software to detect malicious Java applets in a web browser's cache. This does not necessarily mean that the system is compromised. Most of the time it reflects the fact that, at some stage, a webpage with a malicious applet was visited and cached locally. To clear such a notification it is often enough to purge the cache using the web browser's configurable security options.
Analysis by Oleg Petrovsky
Prevention