Java Signed Applet Exploit Artifacts
Thursday, October 13, 2011
Artifact Name
Java Signed Applet Exploit Artifacts
Attack Vector Category
Exploit
Description
A signed Java applet is presented to a user and a dialog box asks the user if they trust it. If the user is socially engineered to run the applet then arbitrary code executes under the context of the currently logged on user.
Attack Description
This description was obtained using the Metasploit exploit reference. A user visits a web page hosting the signed Java applet and a Java window pops up asking the user to run the applet. Once the user runs it then a program is downloaded and executed on the system.
Exploits Tested
Metasploit v4.0 multi\browser\java_signed_applet
Target System Information
* Windows XP SP3 Virtual Machine with Java 6 update 16 using administrative user account
* Windows XP SP3 Virtual Machine with Java 6 update 16 using non-administrative user account
Different Artifacts based on Administrator Rights
No
Different Artifacts based on Software Versions
Not tested
Potential Artifacts
The potential artifacts include a Jar file and the changes the exploit causes in the operating system environment. The artifacts can be grouped under the following three areas:
* Temporary File Creation
* Indications of the Vulnerable Application Executing
* Internet Activity
Note: the documenting of the potential artifacts attempted to identify the overall artifacts associated with the vulnerability being exploited as opposed to the specific artifacts unique to the Metasploit. As a result, the actual artifact storage locations and filenames are inside of brackets in order to distinguish what may be unique to the testing environment.
* Temporary File Creation
-JAR file created in a temporary storage location on the system within the timeframe of interest. [C:/Documents and Settings/Administrator/Local Settings/Temp/jar_cache5490377340104033776.tmp. The contents of the JAR file contained a manifest file, a class file, and an executable.
* Indications of the Vulnerable Application Executing
- Log files indicating Java was executed within the timeframe of interest. [C:/Documents and Settings/Administrator/Application Data/Sun/Java/Deployment/deployment.properties, C:/Documents and Settings/Administrator/Local Settings/Temp/java_install_reg.log, and C:/Documents and Settings/Administrator/Local Settings/Temp/jusched.log] The picture below shows the contents of the deployment.properties log.
- Prefetch files of Java executing. [C:/WINDOWS/Prefetch/JAVA.EXE-0C263507.pf]
- Registry modification involving Java executing at the same time as reflected in the jusched.log file. [HCU-Admin/Software/JavaSoft/JavaUpdate/Policy/JavaFX]
- Folder activity involving the Java application. [C:/Program Files/Java, C:/Documents and Settings/Administrator/Application Data/Sun/Java/Deployment/, and C:/Documents and Settings/Administrator/Local Settings/Temp/hsperfdata_username]
* Internet Activity
- Web browser history of user accessing websites within the timeframe of interest. [Administrator user account accessed the computer -192.168.11.200- running Metasploit]
- Files located in the Temporary Internet Files folder. [C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/]
- Registry activity involving Internet Explorer
Timeline View of Potential Artifacts
The images below shows the above artifacts in a timeline of the file system from the Windows XP SP3 system with an administrative user account. The timeline includes the file system, registry, prefetch, event logs, and Internet Explorer history entries.
References
Exploit Information
Metasploit Exploit Information http://www.metasploit.com/modules/exploit/multi/browser/java_signed_applet
Java Signed Applet Exploit Artifacts
Attack Vector Category
Exploit
Description
A signed Java applet is presented to a user and a dialog box asks the user if they trust it. If the user is socially engineered to run the applet then arbitrary code executes under the context of the currently logged on user.
Attack Description
This description was obtained using the Metasploit exploit reference. A user visits a web page hosting the signed Java applet and a Java window pops up asking the user to run the applet. Once the user runs it then a program is downloaded and executed on the system.
Exploits Tested
Metasploit v4.0 multi\browser\java_signed_applet
Target System Information
* Windows XP SP3 Virtual Machine with Java 6 update 16 using administrative user account
* Windows XP SP3 Virtual Machine with Java 6 update 16 using non-administrative user account
Different Artifacts based on Administrator Rights
No
Different Artifacts based on Software Versions
Not tested
Potential Artifacts
The potential artifacts include a Jar file and the changes the exploit causes in the operating system environment. The artifacts can be grouped under the following three areas:
* Temporary File Creation
* Indications of the Vulnerable Application Executing
* Internet Activity
Note: the documenting of the potential artifacts attempted to identify the overall artifacts associated with the vulnerability being exploited as opposed to the specific artifacts unique to the Metasploit. As a result, the actual artifact storage locations and filenames are inside of brackets in order to distinguish what may be unique to the testing environment.
* Temporary File Creation
-JAR file created in a temporary storage location on the system within the timeframe of interest. [C:/Documents and Settings/Administrator/Local Settings/Temp/jar_cache5490377340104033776.tmp. The contents of the JAR file contained a manifest file, a class file, and an executable.
* Indications of the Vulnerable Application Executing
- Log files indicating Java was executed within the timeframe of interest. [C:/Documents and Settings/Administrator/Application Data/Sun/Java/Deployment/deployment.properties, C:/Documents and Settings/Administrator/Local Settings/Temp/java_install_reg.log, and C:/Documents and Settings/Administrator/Local Settings/Temp/jusched.log] The picture below shows the contents of the deployment.properties log.
- Prefetch files of Java executing. [C:/WINDOWS/Prefetch/JAVA.EXE-0C263507.pf]
- Registry modification involving Java executing at the same time as reflected in the jusched.log file. [HCU-Admin/Software/JavaSoft/JavaUpdate/Policy/JavaFX]
- Folder activity involving the Java application. [C:/Program Files/Java, C:/Documents and Settings/Administrator/Application Data/Sun/Java/Deployment/, and C:/Documents and Settings/Administrator/Local Settings/Temp/hsperfdata_username]
* Internet Activity
- Web browser history of user accessing websites within the timeframe of interest. [Administrator user account accessed the computer -192.168.11.200- running Metasploit]
- Files located in the Temporary Internet Files folder. [C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/]
- Registry activity involving Internet Explorer
Timeline View of Potential Artifacts
The images below shows the above artifacts in a timeline of the file system from the Windows XP SP3 system with an administrative user account. The timeline includes the file system, registry, prefetch, event logs, and Internet Explorer history entries.
References
Exploit Information
Metasploit Exploit Information http://www.metasploit.com/modules/exploit/multi/browser/java_signed_applet
Labels:
attack vectors,
exploits,
java
Posts
