Exploit:Java/CVE-2010-0842.G

Exploit:Java/CVE-2010-0842.G is a Java-based trojan that exploits the CVE-2010-0842 vulnerability, also known as Sun Java Runtime Environment (JRE) MIDI File metaEvent Remote Code Execution Vulnerability. As per the CVE-2010-0842 advisory, the vulnerability affects Java Standard Edition (JSE) and Java for Business (JFB) in the following packages:

 

 

When executed, Exploit:Java/CVE-2010-0842.G exploits CVE-2010-0842 to download and execute arbitrary files under the user's security context. The vulnerability exploits the MixerSequencer handling code failure to check for boundary conditions when parsing metaEvent structure.

Exploit:Java/CVE-2010-0842.G will be normally dumped in the browser's cache folder as <random alphanumeric sequence>.jar, for instance qnatyqanipyrxsc2.jar or euaseuymhnx.jar.

 

The .JAR file consist of the two class files: ToolsDemoSubClass and an applet a. In order for the trojan to run, some user interaction is required. A user needs to visit a webpage which hosts an HTML page referencing an applet "a" inside the .JAR package. The .JAR package itself also has to be hosted online. The applet has two member functions:

 

When the "init"function is executed, it reads the parameter "trigger" from referencing the HTML file, and if it is equal to "notie", proceeds to exploit vulnerability on the targeted computer. The applet also reads the parameter "URL" and uses it as a location to download and feed an arbitrary file to the MixerSequencer handling code, potentially facilitating download and execution of an arbitrary file on the compromised computer. The trojan also checks to see if a CVE-2010-0842 vulnerable version of the JRE is running on the computer, and if not found, the trojan will not execute.

The "getAppletInfo" function returns the "Tools Demo" string. Together with ToolsDemoSubClass, which doesn’t bare any functionality, it is most probably used to make the .JAR package appear legitimate to users.

 

Note that a number of legitimate websites could be compromised or unwillingly host a malicious applet through advertising frames which could redirect or host a malicious Java applet. It is not uncommon for antivirus software to detect malicious Java applets in a web browser's cache. It doesn't necessarily mean that the system is compromised. Most of the time it reflects the fact that, at some stage, a webpage with a malicious applet had been visited and cached internally. To thwart such a notification it is often enough to purge the cache using a web browser's security options.

 

Analysis by Oleg Petrovsky