Common Java Vulnerabilities

Introduction

Java is a very popular platform running on many devices from cell phones to supercomputers with some 9 million developers worldwide and boasting 1.1 billion installs each year (“Learn About Java…”, 2016). This makes it a lucrative target for cyber criminals with many exploit kits targeting Java. Below are some common exploits targeting Java (Singh, Gomez, & Malik, 2014):

  • CVE-2013-2471
  • CVE-2013-2423
  • CVE-2013-2465

The following report will summarize these exploits and the technical details of how they work.

CVE-2013-2471

Java has several functions to create raster objects, which are rectangular arrays of pixels (Oracle Corp., “Java Platform…API Specification”).  They can be created by calling the createWritableRaster method of the Raster class (Singh, Gomez, & Malik, 2014):

public static WritableRaster createWritableRaster(SampleModel s, DataBuffer buf, Point location)

The SampleModel class, one of the method's parameters, defines an interface for extracting pixels from an image (“Java Platform…API Specification”, 2016).  Java calls a function, verify(), to validate the data.  The verify() function uses the getNumDataElements() method of the SampleModel class to validate the data.  Overriding the getNumDataElements method and returning 0 allows an attacker to bypass the checks and create malicious raster objects.  The malicious, unvalidated raster objects are then passed to the compose() method of the AlphaComposite class.  The compose() method then calls blit.blit(), which could corrupt memory, depending on the input parameters (Singh, Gomez, & Malik, 2014).

Analyzing the decompiled code from an example of the vulnerability, the malware overrides the getNumDataElements method to bypass the verify() method:

    }

    public static final Object s() {
        return new Statement(System.class, S2, new Object[1]);
    }
    public int getNumDataElements() {
        return 0;
    }
}

The vulnerability was discovered in June of 2013 (“Vulnerability Summary for CVE-2013-2471”, 2013) and Oracle quickly released a security patch for it the same month (Oracle Java SE Critical Patch Update, 2013). However, despite Oracle’s quick response, the vulnerability was still observed “in the wild”, that is, out on the internet, being used on phishing websites and in exploit kits such as Kore and Cool (“CVE-2013-2465/CVE-2013-2471/CVE-2013-2463…”, Aug. 14, 2013; “Urausy Ransomware…”, Jul. 28, 2013; Singh, Gomez, & Malik, 2014).

Below is a brief description of the malware infection chain in the Cool exploit kit (Singh, Gomez, & Malik, 2014):

After the page is loaded, plugin detection scripts check the victim’s browser for Java or Flash.  Plugin detection scripts have a legitimate use on benign websites to tailor content to the viewer depending on which plugins the browser has.  In much the same way, the exploit kit uses the plugin detection script to determine what version of Java the victim’s browser is running in order to deliver the best-matching exploit.  After the Java version is determined, the browser downloads a .jar file containing the exploit without the user’s knowledge.  The .jar file contains the getNumDataElements override discussed above.  Also unique to the Cool exploit kit, the .jar file contains a malicious payload, a ransomware executable.

CVE-2013-2423

This vulnerability affected Java SE 7 and is due to insufficient validation in the findStaticSetter() method.  The method does not validate whether a static field is final, and so returns a MethodHandle for a setter of a static final field.  This lack of validation allows malicious code to modify the static field to create type confusion, using integer and double fields to disable the Java security manager (Vulnerability Summary for CVE-2013-2423, 2013). The findStaticSetter method is used to get the MethodHandle (Singh, Gomez, & Malik, 2014):

public static MethodHandle FLao() throws NoSuchFieldException, IllegalAccessException {
    return MethodHandles.lookup().findStaticSetter(Double.class, "TYPE", Class.class);
}
public static MethodHandle Tipi() throws NoSuchFieldException, IllegalAccessException {
    return MethodHandles.lookup().findStaticSetter(Integer.class, "TYPE", Class.class);
}

The returned MethodHandle is then used to set the field to null, which leads to disabling the Java security manager.
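As an added illustration (not code from the FireEye report or from the JDK), the check that the vulnerable findStaticSetter() lacked: a hypothetical wrapper that inspects the field's modifiers and refuses to hand out a setter for a static final field such as Integer.TYPE, while still working for an ordinary static field. The class name, the wrapper method and the counter field are assumptions made for this example.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;

public final class SafeStaticSetter {
    // Ordinary mutable static field, constructed for this demonstration only.
    static int counter;

    // Hypothetical wrapper (not a JDK API). It takes the caller's own Lookup so the
    // access check runs with the caller's privileges, then refuses any field that is
    // not static or that is final, the validation the vulnerable method skipped.
    public static MethodHandle findStaticSetter(MethodHandles.Lookup caller, Class<?> refc,
                                                String name, Class<?> type)
            throws NoSuchFieldException, IllegalAccessException {
        // Only fields declared directly on refc are resolved here; inherited fields are out of scope.
        Field f = refc.getDeclaredField(name);
        int mods = f.getModifiers();
        if (!Modifier.isStatic(mods)) {
            throw new IllegalAccessException(refc.getName() + "." + name + " is not static");
        }
        if (Modifier.isFinal(mods)) {
            throw new IllegalAccessException("refusing setter for static final field "
                    + refc.getName() + "." + name);
        }
        if (f.getType() != type) {
            throw new NoSuchFieldException(name + " has type " + f.getType().getName()
                    + ", not " + type.getName());
        }
        return caller.findStaticSetter(refc, name, type);
    }

    public static void main(String[] args) throws Throwable {
        // Integer.TYPE is static final: the wrapper refuses instead of returning a setter.
        try {
            findStaticSetter(MethodHandles.lookup(), Integer.class, "TYPE", Class.class);
            System.out.println("BUG: a setter for Integer.TYPE was returned");
        } catch (IllegalAccessException e) {
            System.out.println("refused: " + e.getMessage());
        }
        // A plain static field is still writable through the returned handle.
        MethodHandle setCounter =
                findStaticSetter(MethodHandles.lookup(), SafeStaticSetter.class, "counter", int.class);
        setCounter.invokeExact(42);
        System.out.println("counter = " + counter);
    }
}
```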

The vulnerability has been observed in the wild, in the RedKit and also the Cool exploit kit. On one particular malicious webpage, ransomware was the payload installed on the victim’s computer (Ghosh, Apr 26 2016).

CVE-2013-2465

The Abstract Window Toolkit, which is Java’s windowing GUI toolkit, has some classes that handle various operations on images (Oracle Corp., “Java Platform…API Specification”).  Some of those classes are:

  • java.awt.image.LookupOp
  • ConvolveOp
  • RescaleOp
  • AffineTransformOp

These classes expose the method filter():

public final BufferedImage filter(BufferedImage src, BufferedImage dst)

This call is passed to the native function that performs the filtering operations.  After that, according to Singh, Gomez, & Malik (2014):

“The function parses the src and dst values of the BufferedImage subclass, populating the hint object (hintP->dataOffset, hint->numChans) attached to each of them with values contained in the ColorModel and SampleModel members of the BufferedImage objects.”

Below is an example of the malicious code calling filter() on the BufferedImage subclass (Singh, Gomez, & Malik, 2014):

public static void a(DataBufferByte paramDataBufferByte)
{
  boolean bool = e.a;
  BufferedImage localBufferedImage = e.a();
  MultiPixelPackedSampleModel localMultiPixelPackedSampleModel = e.b();
  a(localBufferedImage);
  AffineTransformOp localAffineTransformOp = new AffineTransformOp(new AffineTransform(1.0F, 0.0F, 0.0F, 1.0F, 0.0F, 0.0F), null);
  // filter() call as printed in the report; its argument list is truncated in the source
  localAffineTransformOp.filter(localBufferedImage, new BufferedImage(new b(), Raster.createWritableRaster(localMultiPixelPackedSampleModel, paramDataBufferByte)
  if (bool)
  {
    int i = g.a;
    i++;
    g.a = i;
  }
}

No bounds checks occur while the data is being copied; the vulnerable code assumes that the values reported by the image objects match their corresponding rasters.  So if malicious code overrides those values, the copying code overfills the output buffer with data, corrupting heap memory.  Below is an example of the malicious code with the vulnerable parameters (Singh, Gomez, & Malik, 2014):

import java.awt.color.ICC_ColorSpace;
import java.awt.image.ComponentColorModel;
import java.awt.image.Raster;

public class b
  extends ComponentColorModel
{
  public b()
  {
    // color space a, three 8-bit components, no alpha, transparency OPAQUE (1), transfer type TYPE_BYTE (0)
    super(new a(), new int[] { 8, 8, 8 }, false, false, 1, 0);
  }
  // always reports the raster as compatible, skipping the normal consistency check
  public boolean isCompatibleRaster(Raster paramRaster)
  {
    return true;
  }
}

public class a
  extends ICC_ColorSpace
{
  public a()
  {
    super(g.a());
  }
  // reports a single component although the color model above declares three
  public int getNumComponents()
  {
    return 1;
  }
}

The vulnerability has been observed in the wild (Vulnerability Summary for CVE-2013-2465, 2013).  One exploit kit it has been seen in is White Lotus, which delivers malware in drive-by download attacks.  An example of the infection chain observed in this exploit kit: the target visits a compromised website, an iframe loads in the background, and after detecting the version of Java that is running, the exploit is delivered as a disguised .PNG image file (Singh, Gomez, & Malik, 2014).
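Since the chains above deliver the exploit .jar under an image name, a defender can classify downloads by their leading bytes instead of the advertised extension. The following is an added example, not code from the report or from any exploit kit; the ContentSniffer class and its sample byte arrays are constructed for this illustration.

```java
import java.util.Arrays;

public final class ContentSniffer {
    // Leading bytes of the two container formats involved in the chains above.
    private static final byte[] PNG_MAGIC = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    private static final byte[] ZIP_MAGIC = {'P', 'K', 0x03, 0x04};  // a .jar is a ZIP archive

    public enum Kind { PNG, ZIP_OR_JAR, OTHER }

    private static boolean startsWith(byte[] data, byte[] magic) {
        return data.length >= magic.length
                && Arrays.equals(Arrays.copyOf(data, magic.length), magic);
    }

    // Classify a download by what it contains, never by the name it was served under.
    public static Kind sniff(byte[] head) {
        if (startsWith(head, PNG_MAGIC)) {
            return Kind.PNG;
        }
        if (startsWith(head, ZIP_MAGIC)) {
            return Kind.ZIP_OR_JAR;
        }
        return Kind.OTHER;
    }

    // True when the bytes are a ZIP/JAR container but the name claims something else,
    // which is the disguise used for the exploit .PNG described above.
    public static boolean isDisguisedArchive(String fileName, byte[] head) {
        String lower = fileName.toLowerCase();
        boolean claimsArchive = lower.endsWith(".jar") || lower.endsWith(".zip");
        return sniff(head) == Kind.ZIP_OR_JAR && !claimsArchive;
    }

    public static void main(String[] args) {
        // Constructed samples: a ZIP local-file header served as an image, and a real PNG header.
        byte[] zipBytes = {'P', 'K', 0x03, 0x04, 0x14, 0x00, 0x00, 0x00};
        byte[] pngBytes = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
        System.out.println("image.png with ZIP bytes -> disguised archive: "
                + isDisguisedArchive("image.png", zipBytes));
        System.out.println("image.png with PNG bytes -> disguised archive: "
                + isDisguisedArchive("image.png", pngBytes));
    }
}
```

Only the first bytes are inspected, so this is one signal to combine with others: ZIP readers locate the central directory from the end of the file, and a file with a genuine PNG header in front of archive data would pass this check.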

Conclusion

The popularity of Java with developers and in web browsers ensures that cyber criminals will continue to find new vulnerabilities and quickly develop exploits for them.  As demonstrated with some of these exploit kits, malware authors have come up with clever techniques such as using plugin-detection scripts to deliver precision attacks, delivering multiple payloads in one attack to maximize effect, and deploying advanced exploit chains to evade detection.  As more vulnerabilities are discovered, cyber criminals will try to exploit them.


References

(2013 Jun. 13). Vulnerability Summary for CVE-2013-2465. National Vulnerability Database. Retrieved from https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2465

(2013 Jun. 18). Vulnerability Summary for CVE-2013-2471. National Vulnerability Database. Retrieved from https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2471

(2013 Apr. 17). Vulnerability Summary for CVE-2013-2423. National Vulnerability Database. Retrieved from https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2423

(2013). Oracle Java SE Critical Patch Update Advisory – June 2013. Oracle Corp. Retrieved from http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

(2016). Learn About Java Technology. Oracle Corp. Retrieved from http://www.java.com/en/about/

(2016). Java Platform, Standard Edition 7: API Specification. Oracle Corp. Retrieved from http://docs.oracle.com/javase/7/docs/api/overview-summary.html

(2013 Aug. 14). CVE-2013-2465/CVE-2013-2471/CVE-2013-2463 integrating Exploit Kits — jre7u21 CVE- jre6u45 and earlier. Malware Don’t Need Coffee. [Weblog]. Retrieved from http://malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html

(2013 Jul. 28). Urausy Ransomware – July 2013 Design Refresh – “Summer 2013 Collection”. Malware Don’t Need Coffee. [Weblog]. Retrieved from http://malware.dontneedcoffee.com/2013/07/urausy-ransomware-july-2013-design.html

Singh, A., Gomez, J., & Malik, A. (2014). Brewing Up Trouble: Analyzing Four Widely Exploited Java Vulnerabilities. Milpitas, CA: FireEye, Inc. Retrieved from https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-java-vulnerabilities.pdf

Ghosh, A. (2013 Apr 26). “K.I.A. – Java CVE 2013-2423 Via New and Improved Cool EK”. Invincea. Retrieved from https://www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/