Exploit:Java/CVE-2012-0507.D

Exploit:Java/CVE-2012-0507.D is a detection for a malicious Java applet stored within a Java Archive (JAR) that attempts to exploit a vulnerability in the Java Runtime Environment (JRE) up to and including versions 7 update 2, versions 6 update 30 and versions 5 update 33. The vulnerability is described in CVE-2012-0507.

The vulnerability exploits a flaw in the deserialization of "AtomicReferenceArray" objects, which allows remote attackers to call, without proper "sandboxing", system level Java functions via the ClassLoader of a constructor that is being deserialized. This means that the exploit is able to perform malicious actions that it would not normally be able to.

Installation

The attacker may host a malicious script on a website. If a user visits the site while using a vulnerable version of Java, the script loads the Java applet.

When the user visits the compromised page, or clicks the malicious link, the script loads the Java applet that is hosted on a remote website.

The malicious "msf.x" Java package may contain the following malicious Java class files:

• Exploit.class - detected as Exploit:Java/CVE-2012-0507.D       
• PayloadX.class - detected as Exploit:Java/CVE-2012-0507.D!ldr
• Help.class - detected as Exploit:Java/CVE-2012-0507.D!ldr
• PayloadX$StreamConnector.class

Payload

Downloads arbitrary files

The execution begins with file Exploit.class that triggers the vulnerability described in CVE-2012-0507. Then it calls the doWork() that exists inside Help.class file to perform as class loader (effectively, a class file loading another class file to execute the payload).

The loader class creates another class file at runtime and loads it with elevated privileges. This class downloads and executes a binary file from a remote URL.

The downloaded binary file is saved and executed as:

%TEMP%\<characters>.exe

The file that is downloaded and executed could be arbitrary, and may include additional malware of the attacker's choice.

Analysis by Ferdinand Plazo