An interesting case of JRE sandbox breach (CVE-2012-0507)

From Botnets.fr
Jump to: navigation, search

(Publication) Link to the old Wiki page : [1] / Google search: [2]

An interesting case of JRE sandbox breach (CVE-2012-0507)
Botnet
Malware Zbot
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2012 / 20 Mar 2012
Editor/Conference Microsoft
Link http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx (Archive copy)
Author Jeong Wook (Matt) Oh, Chun Feng
Type

Abstract

Recently we received a few samples that exploit the latest patched JRE (Java Runtime Environment) vulnerability. These samples are kind of unusual to see, but they can be used to develop highly reliable exploits. The malicious Java applet is loaded from an obfuscated HTML file. The Java applet contains two Java class files - one Java class file triggers the vulnerability and the other one is a loader class used for loading.

The vulnerability triggering class is actually performing deserialization of an object array and uses a vulnerability in the AtomicReferenceArray to disarm the JRE sandbox mechanism. The attacker deliberately crafted serialized object data. This reference array issue is very serious since the exploit is not a memory corruption issue, but a logical flaw in the handling of the array. So the exploit is highly reliable and that might be one of the reasons why the bad guys picked up this vulnerability for their attacks. We determined this vulnerability to be CVE-2012-0507.

Bibtex

 @misc{Oh2012BFR945,
   editor = {Microsoft},
   author = {Jeong Wook (Matt) Oh, Chun Feng},
   title = {An interesting case of JRE sandbox breach (CVE-2012-0507)},
   date = {20},
   month = Mar,
   year = {2012},
   howpublished = {\url{http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx}},
 }