CVE-2010-0840 (Trusted Methods) Exploit Artifacts
Monday, March 21, 2011
Artifact Name
CVE-2010-0840 (Trusted Methods) Exploit Artifacts
Attack Vector Category
Exploit
Description
A vulnerability in the code responsible for privileged execution of methods affects Oracle Java 6 prior to update 19 and Java 5 prior to update 23. Exploitation allows for the execution of arbitrary code under the context of the currently logged on user.
Attack Description
This description was obtained using the Metasploit exploit reference and it involves having a user visit a malicious website.
Exploits Tested
Metasploit v3.6 multi\browser\java_trusted_chain
Target System Information
* Windows XP SP3 Virtual Machine with Java 6 update 16 using administrative user account
* Windows XP SP3 Virtual Machine with Java 6 update 16 using non-administrative user account
Different Artifacts based on Administrator Rights
No
Different Artifacts based on Software Versions
Not tested
Potential Artifacts
The potential artifacts include the CVE 2010-0840 exploit and the changes the exploit causes in the operating system environment. The artifacts can be grouped under the following three areas:
* Temporary File Creation
* Indications of the Vulnerable Application Executing
* Internet Activity
Note: the documentation of the potential artifacts attempted to identify the overall artifacts associated with the vulnerability being exploited as opposed to the specific artifacts unique to Metasploit. As a result, the actual artifact storage locations and filenames are placed inside brackets in order to distinguish what may be unique to the testing environment.
* Temporary File Creation
- JAR file created in a temporary storage location on the system within the timeframe of interest. [C:/Documents and Settings/Administrator/Local Settings/Temp/jar_cache3590475423724669955.tmp] The JAR file contained a manifest file and class files, one of which was detected as the CVE 2010-0840 exploit. There were other class files whose MD5 hashes were not present in the VirusTotal database.
* Indications of the Vulnerable Application Executing
- Log files indicating Java was executed within the timeframe of interest. [C:/Documents and Settings/Administrator/Application Data/Sun/Java/Deployment/deployment.properties, C:/Documents and Settings/Administrator/Local Settings/Temp/java_install_reg.log, and C:/Documents and Settings/Administrator/Local Settings/Temp/jusched.log] The picture below shows the contents of the java_install_reg.log file.
- Prefetch files of Java executing. [C:/WINDOWS/Prefetch/JAVA.EXE-0C263507.pf]
- Registry modification involving Java executing. [HKCU-Admin/Software/JavaSoft/Java Update/Policy/JavaFX]
- Folder activity involving the Java application. [C:/Program Files/Java, C:/Documents and Settings/Administrator/Application Data/Sun/Java/Deployment/cache/, and C:/Documents and Settings/Administrator/Local Settings/Temp/hsperfdata_username]
* Internet Activity
- Web browser history of user accessing websites within the timeframe of interest. [Administrator user account accessed the computer -192.168.11.200- running Metasploit]
- Activity involving the Temporary Internet Files folder. [C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files]
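A triage sketch for the Temporary File Creation artifact above, added here as an example and not part of the original post: it finds `jar_cache*.tmp` files modified within a timeframe of interest, confirms they are JAR (ZIP) containers, and lists each class file's MD5 for lookup. The function names, the sample Temp folder and its file contents are constructed for illustration.

```python
import hashlib, os, tempfile, zipfile
from datetime import datetime, timedelta
from pathlib import Path

def triage_jar_cache(temp_dir, start, end, pattern="jar_cache*.tmp"):
    """List cached JARs last modified inside [start, end], with per-member MD5s."""
    findings = []
    for path in sorted(Path(temp_dir).glob(pattern)):
        mtime = datetime.fromtimestamp(path.stat().st_mtime)
        # Keep only real ZIP/JAR containers inside the timeframe of interest.
        if not (start <= mtime <= end) or not zipfile.is_zipfile(path):
            continue
        with zipfile.ZipFile(path) as jar:
            members = [(i.filename, hashlib.md5(jar.read(i)).hexdigest())
                       for i in jar.infolist() if not i.is_dir()]
        findings.append({
            "file": path.name,
            "modified": mtime,
            "has_manifest": any(n.upper() == "META-INF/MANIFEST.MF" for n, _ in members),
            "classes": {n: h for n, h in members if n.endswith(".class")},
        })
    return findings

def demo():
    """Run the triage over a constructed Temp folder (sample data, not from the page)."""
    incident = datetime(2011, 3, 20, 14, 0, 0)   # constructed timeframe of interest
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed cached JAR: a manifest plus two placeholder class files.
        hit = Path(tmp, "jar_cache0000000000000000001.tmp")
        with zipfile.ZipFile(hit, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            jar.writestr("sample/A.class", b"\xca\xfe\xba\xbe constructed A")
            jar.writestr("sample/B.class", b"\xca\xfe\xba\xbe constructed B")
        # Same naming pattern but not an archive, and an archive outside the window.
        junk = Path(tmp, "jar_cache0000000000000000002.tmp")
        junk.write_bytes(b"not a zip")
        old = Path(tmp, "jar_cache0000000000000000003.tmp")
        with zipfile.ZipFile(old, "w") as jar:
            jar.writestr("old/C.class", b"\xca\xfe\xba\xbe constructed C")
        for p, when in ((hit, incident), (junk, incident), (old, incident - timedelta(days=30))):
            os.utime(p, (when.timestamp(), when.timestamp()))
        return triage_jar_cache(tmp, incident - timedelta(hours=1), incident + timedelta(hours=1))

if __name__ == "__main__":
    for f in demo():
        print(f["file"], f["modified"], "manifest" if f["has_manifest"] else "no manifest")
        for name, md5 in f["classes"].items():
            print("   ", md5, name)
```

On a forensic image, point `triage_jar_cache` at the mounted user profile's Temp folder and use the last-modified window taken from the timeline.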
Timeline View of Potential Artifacts
The images below show the above artifacts in a timeline of the file system from the Windows XP SP3 system with an administrative user account. The timeline includes the file system, registry, and Internet Explorer history entries.
References
Vulnerability Information
Mitre’s CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0840
NIST National Vulnerability Database http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0840
Zero Day Initiative http://www.zerodayinitiative.com/advisories/ZDI-10-056/
SecurityFocus http://www.securityfocus.com/bid/39065
Exploit Information
Metasploit Exploit http://www.metasploit.com/modules/exploit/multi/browser/java_trusted_chain