CVE-2010-0840 (Trusted Methods) Exploit Artifacts

Monday, March 21, 2011 Posted by Corey Harrell
Artifact Name

CVE-2010-0840 (Trusted Methods) Exploit Artifacts

Attack Vector Category

Exploit

Description

A vulnerability in the code responsible for the privileged execution of methods (trusted method chaining) affects Oracle Java 6 prior to Update 19 and Java 5.0 prior to Update 24. Exploitation allows the execution of arbitrary code under the context of the currently logged on user.

Attack Description

This description was obtained from the Metasploit exploit reference; the attack involves having a user visit a malicious website.

Exploits Tested

Metasploit v3.6 multi/browser/java_trusted_chain

Target System Information

* Windows XP SP3 Virtual Machine with Java 6 update 16 using administrative user account

* Windows XP SP3 Virtual Machine with Java 6 update 16 using non-administrative user account

Different Artifacts based on Administrator Rights

No

Different Artifacts based on Software Versions

Not tested

Potential Artifacts

The potential artifacts include the CVE-2010-0840 exploit and the changes the exploit causes in the operating system environment. The artifacts can be grouped under the following three areas:

     * Temporary File Creation
     * Indications of the Vulnerable Application Executing
     * Internet Activity

Note: the artifacts are documented as the general indicators of this vulnerability being exploited rather than the specifics of the Metasploit module. The actual storage locations and file names observed during testing are given in brackets to distinguish what may be unique to the testing environment.

     * Temporary File Creation

          - JAR file created in a temporary storage location on the system within the timeframe of interest. [C:/Documents and Settings/Administrator/Local Settings/Temp/jar_cache3590475423724669955.tmp. The JAR contained a manifest file and several class files; one class file was detected as the CVE-2010-0840 exploit, while the MD5 hashes of the other class files were not present in the VirusTotal database.]

     * Indications of the Vulnerable Application Executing

          - Log files indicating Java was executed within the timeframe of interest. [C:/Documents and Settings/Administrator/Application Data/Sun/Java/Deployment/deployment.properties, C:/Documents and Settings/Administrator/Local Settings/Temp/java_install_reg.log, and C:/Documents and Settings/Administrator/Local Settings/Temp/jusched.log] The picture below shows the contents of the java_install_reg.log file.

          - Prefetch files of Java executing. [C:/WINDOWS/Prefetch/JAVA.EXE-0C263507.pf]

          - Registry modification involving Java executing. [HKCU-Admin/Software/JavaSoft/Java Update/Policy/JavaFX]

          - Folder activity involving the Java application. [C:/Program Files/Java, C:/Documents and Settings/Administrator/Application Data/Sun/Java/Deployment/cache/, and C:/Documents and Settings/Administrator/Local Settings/Temp/hsperfdata_username]

     * Internet Activity

          - Web browser history of user accessing websites within the timeframe of interest. [Administrator user account accessed the computer (192.168.11.200) running Metasploit]

          - Activity involving the Temporary Internet Files folder. [C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files]

Timeline View of Potential Artifacts

The images below show the above artifacts in a timeline of the file system from the Windows XP SP3 system with an administrative user account. The timeline includes the file system, registry, and Internet Explorer history entries.





References

Vulnerability Information

Mitre’s CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0840

NIST National Vulnerability Database http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0840

Zero Day Initiative http://www.zerodayinitiative.com/advisories/ZDI-10-056/

SecurityFocus http://www.securityfocus.com/bid/39065

Exploit Information

Metasploit Exploit http://www.metasploit.com/modules/exploit/multi/browser/java_trusted_chain

CVE-2010-0094 (RMIConnectionImpl) Exploit Artifacts

Saturday, March 12, 2011 Posted by Corey Harrell
Artifact Name

CVE-2010-0094 (RMIConnectionImpl) Exploit Artifacts

Attack Vector Category

Exploit

Description

Vulnerability present within the deserialization of RMIConnectionImpl objects affects Oracle Java 6 Update 18 and 5.0 Update 23 and earlier versions on Windows, Solaris and Linux systems. Exploitation allows for the execution of arbitrary code under the context of the currently logged on user.

Attack Description

This description was obtained from the Zero Day Initiative reference; the attack consists of having a user visit a malicious website.

Exploits Tested

Metasploit v3.6 multi/browser/java_rmi_connection_impl

Target System Information

* Windows XP SP3 Virtual Machine with Java 6 update 16 using administrative user account

* Windows XP SP3 Virtual Machine with Java 6 update 16 using non-administrative user account

Different Artifacts based on Administrator Rights

No

Different Artifacts based on Software Versions

Not tested

Potential Artifacts

The potential artifacts include the CVE-2010-0094 exploit and the changes the exploit causes in the operating system environment. The artifacts can be grouped under the following three areas:

     * Temporary File Creation
     * Indications of the Vulnerable Application Executing
     * Internet Activity

Note: the artifacts are documented as the general indicators of this vulnerability being exploited rather than the specifics of the Metasploit module. The actual storage locations and file names observed during testing are given in brackets to distinguish what may be unique to the testing environment.

     * Temporary File Creation

          - JAR file created in a temporary storage location on the system within the timeframe of interest. [C:/Documents and Settings/Administrator/Local Settings/Temp/jar_cache8659615251018636226.tmp. The JAR contained a manifest file and other files which were detected as the CVE-2010-0094 exploit; Exploit.class and PayloadClassLoader.class are two of the files detected as containing the exploit.]

     * Indications of the Vulnerable Application Executing

          - Log files indicating Java was executed within the timeframe of interest. [C:/Documents and Settings/Administrator/Application Data/Sun/Java/Deployment/deployment.properties, C:/Documents and Settings/Administrator/Local Settings/Temp/java_install_reg.log, and C:/Documents and Settings/Administrator/Local Settings/Temp/jusched.log] The picture below shows the contents of the deployment.properties file.

          - Prefetch files of Java executing. [C:/WINDOWS/Prefetch/JAVA.EXE-0C263507.pf]

          - Registry modification involving Java executing. The last write time on the registry key is the same time that is reflected in the jusched.log file. [HKLM-Admin/Software/JavaSoft/Java Update/Policy/JavaFX. One of the entries in the jusched.log file was "SetDefaultJavaFXUpdateSchedule: Frequency:16, Schedule: 3:52" and this occurred when the registry key was modified]

          - Folder activity involving the Java application. [C:/Program Files/Java/jre6/, C:/Documents and Settings/Administrator/Application Data/Sun/Java/Deployment/cache/, and C:/Documents and Settings/Administrator/Local Settings/Temp/hsperfdata_username]

     * Internet Activity

          - Web browser history of user accessing websites within the timeframe of interest. [Administrator user account accessed the computer (192.168.11.200) running Metasploit]

          - Files located in the Temporary Internet Files folder. [C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/]
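The temporary-file artifact is the same in both of the posts above: a jar_cache*.tmp file in the user's Local Settings/Temp folder, created in the window around the browser visit, whose class files can be hashed and looked up. The script below is an added example (not code from the original posts or from the Metasploit modules) of that triage step run against a copy of the Temp folder: it selects jar_cache files by modification time, opens each as a ZIP and returns the MD5 of every entry. The directory contents, window constants and class bytes are constructed for the demo; the file names mimic the random jar_cache names but are not the ones observed on the test systems.

```python
import hashlib
import os
import tempfile
import zipfile
from datetime import datetime, timezone

# Window of interest for the constructed sample (epoch seconds, UTC); in a real
# case it comes from the timeline around the browser visit.
WINDOW_START = 1300000000
WINDOW_END = WINDOW_START + 3600


def jar_entry_hashes(jar_path):
    """Return {entry_name: md5_hex} for every file inside the JAR.

    A JAR is a ZIP archive, so the class files can be listed and hashed for a
    VirusTotal lookup without ever loading them into a JVM.
    """
    hashes = {}
    with zipfile.ZipFile(jar_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hashes[info.filename] = hashlib.md5(zf.read(info)).hexdigest()
    return hashes


def triage_jar_cache(temp_dir, window_start, window_end):
    """List jar_cache*.tmp files in temp_dir modified inside the window and
    describe their contents. Files that are not valid ZIP archives stay in the
    output with an error instead of being dropped silently, since a damaged or
    partially written cache file is itself worth noting."""
    results = []
    for name in sorted(os.listdir(temp_dir)):
        if not (name.startswith("jar_cache") and name.endswith(".tmp")):
            continue
        path = os.path.join(temp_dir, name)
        mtime = os.path.getmtime(path)
        if not window_start <= mtime <= window_end:
            continue
        record = {
            "path": path,
            "mtime": datetime.fromtimestamp(mtime, timezone.utc).isoformat(),
        }
        try:
            record["entries"] = jar_entry_hashes(path)
            record["has_manifest"] = "META-INF/MANIFEST.MF" in record["entries"]
        except zipfile.BadZipFile as exc:
            record["error"] = str(exc)
        results.append(record)
    return results


def build_sample_temp_dir(root):
    """Constructed stand-in for the user's Local Settings/Temp folder: one JAR
    inside the window, one from the day before, and one jar_cache file that is
    not a ZIP. Class contents are placeholder bytes, not real exploit code."""
    def write_jar(path, entries, mtime):
        with zipfile.ZipFile(path, "w") as zf:
            for entry_name, data in entries.items():
                zf.writestr(entry_name, data)
        os.utime(path, (mtime, mtime))

    write_jar(os.path.join(root, "jar_cache1111111111111111111.tmp"), {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
        "Exploit.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16,
        "PayloadClassLoader.class": b"\xca\xfe\xba\xbe" + b"\x01" * 16,
    }, WINDOW_START + 60)
    write_jar(os.path.join(root, "jar_cache2222222222222222222.tmp"),
              {"Old.class": b"\xca\xfe\xba\xbe"}, WINDOW_START - 86400)
    junk = os.path.join(root, "jar_cache3333333333333333333.tmp")
    with open(junk, "wb") as f:
        f.write(b"not a zip archive")
    os.utime(junk, (WINDOW_START + 120, WINDOW_START + 120))


def run_demo():
    """Build the sample directory in a temporary location and triage it."""
    root = tempfile.mkdtemp(prefix="xp_temp_")
    build_sample_temp_dir(root)
    return triage_jar_cache(root, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for rec in run_demo():
        print(rec["path"], rec["mtime"])
        for entry, digest in sorted(rec.get("entries", {}).items()):
            print("   ", digest, entry)
        if "error" in rec:
            print("    not a JAR:", rec["error"])
```

Point the script at a mounted image or an exported copy of the Temp folder and take the window from the timeline; the hashes it prints are the values to submit to VirusTotal, so the class files never need to be executed or opened in a JVM on the analysis machine.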

Timeline View of Potential Artifacts

The images below show the above artifacts in a timeline of the file system from the Windows XP SP3 system with an administrative user account. The timeline includes the file system, registry, event logs, and Internet Explorer history entries.





References

Vulnerability Information

Mitre’s CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0094

NIST National Vulnerability Database http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0094

Zero Day Initiative http://www.zerodayinitiative.com/advisories/ZDI-10-051/

Exploit Information

Metasploit Exploit Information http://www.metasploit.com/modules/exploit/multi/browser/java_rmi_connection_impl

Smile for the Camera

Sunday, March 6, 2011 Posted by Corey Harrell
What's one of the new forensic artifacts a Kinect leaves on the Xbox 360 which may be beneficial to an investigation? Depending on the game or application using the Kinect, there could be photographic evidence and this evidence could be used to determine the person using Xbox, the other people in a room, or the state of a room over a period of time. The corporate environment doesn't deploy gaming systems to support the business so I won't come across the Kinect's photographic evidence until the technology has a business use for the Windows computer. The topic of this post is a little different than my usual content but there's a Kinect in my house and I wanted to find the photos or videos created by any of the Kinect games.

What is the Kinect?

The Kinect is a peripheral for the Xbox 360 and according to Microsoft it is a "controller-free gaming means full body play". The Kinect senses body movement and this movement lets people interact with the Xbox whether it's playing a game or watching a movie. The Kinect was a Christmas present to my entire family and if you do your research on the games then it really does work as advertised. I spike volleyballs by jumping in the air, my teenager scores goals by kicking a soccer ball, and my three year old runs in place while jumping over hurdles as he races down the track. Gaming systems have come a long way since my days of playing Contra and Super Mario Brothers using a controller with two buttons and a directional pad.

The Wired article How Motion Detection Works in Xbox Kinect describes the Kinect technology including the camera that's a part of the hardware. There are a few games that make use of the camera for entertainment purposes by providing slideshows of everyone who played the games. Certain games even store the captured pictures so people can access them at a later time.

Accessing the Multimedia the Xbox Way

Kinect Adventures comes bundled with the Kinect and this is one of the games that takes pictures during game play. Kinect Adventures stores the pictures on the Xbox's hard drive and people can view the photos at a later time. The game's menu is used to access any of the created photos as opposed to the Xbox menu. The photos can be uploaded to websites and services such as Kinectshare.com. I uploaded a few Kinect Adventures photos to Kinectshare. The image below shows which games support Kinectshare and as you can see the Kinect Adventures game has uploaded photos (yup, that's my mug on the camera).

The pictures can be uploaded to Facebook, printed, or downloaded using Kinectshare. This is a downloaded picture with one of my sons.

Accessing the Multimedia the Post-mortem Way

An investigation may have some issues trying to use the photos or videos uploaded to Kinectshare. The first issue is Kinectshare uses the Windows Live ID associated with the Xbox live gamertag which will make it harder to access the uploaded files since the site is password protected. The second issue is the files are automatically deleted after 14 days which limits the timeframe of when the files can be accessed. Both of these issues can be avoided by directly accessing the Kinect multimedia stored on the Xbox's hard drive.

I mentioned previously I don't examine Xboxes but I was interested in the gaming photos. This post isn't intended to cover how to perform Xbox 360 examinations. If anyone is looking for this type of information there's a book called Xbox 360 Forensics published by Syngress (I came across this book while writing this post).

Right off the bat I found out that FTK Imager and EnCase don't display the partitions on the Xbox hard drive. A few quick Google searches not only provided me with a program to browse the hard drive but the searches also explained the folder structure. The folder structure stores content in a global area that applies to all users, and per-user content is stored in each user account's profile. The global area is located at /partition3/content/0000000000000000/TITLEID/OFFERID/ while the content in the user profiles is located at /partition3/content/PROFILEID/TITLEID/OFFERID/. The PROFILEID is the ID of the user account, the TITLEID is the name of the game or application that created the folder, and the OFFERID is the type of content the folder stores. I used Kingla's Xbox 360 HDD Folder List website to determine the TITLEID and OFFERID. The picture below shows the global content for my Xbox and the Kinect games' folders are 4D5308ED (Kinect Adventures), 4D5308C9 (Kinect Sports), and 545607D3 (Dance Central).

The Kinect Adventures photos are located in the global folder 4D5308ED. There were two content folders with one for photos (OFFERID 000000001) and the other for videos (OFFERID 00090000). The videos folder didn't contain any videos of people playing the Kinect. However, there were numerous photos stored in the 000000001 folder as illustrated below.

The names of the files are based on the date and time of when they were created. It doesn't help much in my case since the Xbox's time was wrong. The files contain the Kinect Adventures photos as well as additional data. Examining the files I noticed some consistent file offsets containing data.

          * File offset 5778: name of the game and the data was K•i•n•e•c•t• •A•d•v•e•n•t•u•r•e•s
          * File offset 5914: PNG image and the image was an icon
          * File offset 22298: Same PNG image of an icon
          * File offset 49152: file name and the data was M9_0_2005_11_22_7_9_38_784
          * File offset 53328: JPG image which is the Kinect photo

I used a hex editor to copy out all of the data for the JPG image. As illustrated below the start of the JPG image is at file offset 53328.

The JPG data was copied and saved as a new file with a jpg file extension. The image was the Kinect photo showing my three year old playing Kinect Adventures while my teenager waits on the couch.
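The hex-editor step above can be scripted. The following is an added example, not code from the original post: it reads the game name as a NUL-terminated UTF-16LE string (the K•i•n•e•c•t• pattern in a hex view is the null high byte of each character, which is an assumption about the encoding) and carves the embedded JPEG by finding the SOI marker and walking the JPEG marker segments to the real EOI. The sample file is constructed to have the layout the post describes (name at offset 5778, icon at 5914, JPEG at 53328), and the "photo" inside it is a minimal synthetic JPEG structure rather than a Kinect picture. The carver goes a step beyond the post's single file: it also handles a JPEG that carries an EXIF thumbnail, where stopping at the first FF D9 would cut the photo short.

```python
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
SOS_MARKER = 0xDA

# Offsets observed in the post; the constructed sample below is laid out to match them.
NAME_OFFSET = 5778
ICON_OFFSET = 5914
JPEG_OFFSET = 53328


def read_utf16le_string(buf, offset, max_chars=64):
    """Read a NUL-terminated UTF-16LE string (the K.i.n.e.c.t pattern in a hex view)."""
    units = []
    for i in range(max_chars):
        unit = buf[offset + 2 * i:offset + 2 * i + 2]
        if len(unit) < 2 or unit == b"\x00\x00":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le")


def find_jpeg_end(buf, start):
    """Return the offset just past the EOI of the JPEG whose SOI is at `start`.

    Walk the marker segments (each carries a 2-byte big-endian length) up to
    Start Of Scan, then take the first FF D9 in the entropy-coded data. Inside
    scan data a literal 0xFF is stuffed as FF 00, so that FF D9 is the real
    EOI, while a thumbnail's own SOI/EOI pair inside an APP1 segment is
    skipped by the length walk instead of ending the carve early.
    """
    if buf[start:start + 2] != SOI:
        raise ValueError("no SOI at offset %d" % start)
    pos = start + 2
    while pos + 4 <= len(buf) and buf[pos] == 0xFF:
        marker = buf[pos + 1]
        if marker == 0xFF:                               # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:     # TEM / RSTn carry no length
            pos += 2
            continue
        seg_len = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == SOS_MARKER:
            end = buf.find(EOI, pos)
            if end < 0:
                raise ValueError("scan data truncated, no EOI")
            return end + 2
    raise ValueError("marker walk failed at offset %d" % pos)


def carve_jpegs(buf):
    """Return [(offset, jpeg_bytes)] for every JPEG in buf (signature FF D8 FF)."""
    found, pos = [], 0
    while True:
        pos = buf.find(SOI + b"\xff", pos)
        if pos < 0:
            return found
        try:
            end = find_jpeg_end(buf, pos)
        except ValueError:
            pos += 1                 # false positive or damaged file; keep scanning
            continue
        found.append((pos, buf[pos:end]))
        pos = end


def naive_carve_length(buf, start):
    """Length a 'first FF D9 after the SOI' carve would produce, for comparison."""
    return buf.find(EOI, start) + 2 - start


# --- constructed sample data (not a real Kinect photo file) -------------------
def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

_THUMB = SOI + _segment(0xDA, b"\x01\x00") + b"\x12\x34" + EOI          # EXIF thumbnail
PHOTO_JPEG = (SOI
              + _segment(0xE1, b"Exif\x00\x00" + _THUMB)                # APP1 holding the thumbnail
              + _segment(0xDB, b"\x00" + bytes(64))                      # DQT
              + _segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")  # SOF0
              + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")              # SOS
              + b"\xab\xcd\xff\x00\xef\xff\xd0\x12"                      # scan data: stuffed FF, RST0
              + EOI)


def build_sample():
    buf = bytearray(JPEG_OFFSET + len(PHOTO_JPEG) + 64)
    name = "Kinect Adventures".encode("utf-16-le")
    buf[NAME_OFFSET:NAME_OFFSET + len(name)] = name
    buf[ICON_OFFSET:ICON_OFFSET + 8] = b"\x89PNG\r\n\x1a\n"
    buf[JPEG_OFFSET:JPEG_OFFSET + len(PHOTO_JPEG)] = PHOTO_JPEG
    return bytes(buf)


SAMPLE = build_sample()

if __name__ == "__main__":
    print("game:", read_utf16le_string(SAMPLE, NAME_OFFSET))
    for off, data in carve_jpegs(SAMPLE):
        out = "carved_%d.jpg" % off
        with open(out, "wb") as f:
            f.write(data)
        print("wrote %s (%d bytes; a first-EOI carve would give %d)"
              % (out, len(data), naive_carve_length(SAMPLE, off)))
```

To run it against a real file, replace SAMPLE with the bytes of the Kinect Adventures content file; carve_jpegs does not depend on the fixed offsets, so it also works if a different game or firmware places the photo elsewhere in the file.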

What's Next

Only certain games or applications create videos or photos with the Kinect. Kinect Adventures is one of the games that do and this game comes bundled with the Kinect. As I said before, this technology hasn't reached the corporate environment yet but I think it's only a matter of time before it does. A quick Google search provides a ton of hits of how various people adopted the Kinect technology for other uses including controlling a Windows 7 computer. Winrumors.com posted that Microsoft is going to be releasing its own Windows based Kinect SDK in the spring amid a growing community of "Kinect hackers". This could be the beginning of this technology extending beyond gaming and research to serve other purposes more suitable for the corporate environment. Time will tell what new forensic artifacts this technology will bring and how beneficial the artifacts are to an investigation.