CVE 2012-4681, by O. Oigiagbe & R. Patterson.

CVE2012-4681

 

Ogbeide Derrick Oigiagbe

Towson University

Mathematics and Computer Science Security Track

derrickoigiagbe@gmail.com

 

Rayvorn Patterson

Towson University

Computer Science

Security Track

rayvorn@gmail.com

ABSTRACT

In this paper, we describe the effects of being exploited by
the CVE2012-4681 vulnerability (Java 7 Applet Remote Code Execution).

Categories and Subject Descriptors

D.4[Windows 7]: Desktop Operating System- A user centric
operating system based on personal computing.

D.4.6[Invasive software]: Malicious computer software: Software that
gains access to a system.

General Terms

Measurement, Documentation, Experimentation, and Security

Keywords

CVE2012-4681, Java 7 Applet
Remote Code Execution, Security, Exploit, Analysis, Oracle

1.) INTRODUCTION

This paper details the aftermath of executing of the CVE2012-4681 vulnerability. We
intend to explain in great detail the effects of this vulnerability on a victimized system.

To fully understand the effects of the CVE2012-4681 vulnerability, we must first
understand the exploit and the different payloads used.

1.1) Introduction to CVE 2012-4681

According to CVE-MITRE “In oracle, the Java Runtime Environment, Java SE7 Update 6 and
have been susceptible to multiple exploits. This has made it difficult for Security Manger to detect well crafted applets that permit remote attacks to execute arbitrary code. This remote attacks gains access to restricted classes from packages like the sun.awt.SunToolKit by using the com.sun.beans.finder.ClassFinder.findClass which leverages an execption with the forName method to gain access.”[18] The arbitrary remote code execution allows the attacker to run commands under the privilege of the user being attacked. This however does not give the attacker escalated privileges.

1.2) Introduction to Meterpreter

“Meterpreter, short for The Meta-Interpreter is an advanced payload that is included in the Metasploit Framework.Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer…” [19]

This particular payload is often detectable by various intrusion detection systems because of its commonality in the Metasploit framework. This allows us to be able to detect the effect of the payload on the victimized machine.

2.) Lab Setup

We have set up a number of machines to test the CVE 2012-4681 Java 7 Applet Remote Code Execution vulnerability. The Lab setup consists of:
•1 Windows 7 enterprise host machine for
all virtual machines.
•1 XUbuntu
Security Onion virtual machine used as a sensor and for analysis.
•1 Windows 7 virtual machine used as a victim.
•1 CentOS physical laptop used for analysis.
•1 Backtrack physical laptop used for exploiting the victim machine.

3.) OSSEC

“OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It integrates log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.” [1] We plan on using Ossec to find any artifacts left by the exploit on the victim’s machine.

To analyze our Ossec results we use Sguil. Sguil (pronounced sqweel) is a front end tool that works with Ossec to analyze network traffic. By using Sguil our results are clearly displayed from only our victim’s machine in a format that is easily understood.

Originally Security Onion had Ossec version 2.5.1 installed; however this is an older outdated version of Ossec. We then proceeded to update Ossec to version 2.6 the most recent update at the time of this writing. After updating Ossec and making sure that the agent on our victim machine is connected to our Ossec server, we performed the
exploit.

We first carry out the CVE 2012-4681 Java 7 Applet Remote Code Execution vulnerability with the java Meterpreter payload. The results are unexpected because we obtain no alerts as seen below we only obtain the initial startup of the agent.

We then exploit the machine again. This time with the windows meterpreter payload and the result is exactly the same as before. There is no indication from Ossec that the machine has been exploited. This suggested that Ossec was unable to provide any significant information based on the exploit used or the payloads that were used.

4.) REGISTRY

Regshot was used for our Registry analysis. “Regshot is an open-source (LGPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one”. [22] Regshot allows us to take a narrowed down look at the keys that may be changed from the exploit. We simply take a shot before the exploit, exploit the machine then take a shot afterwards.

Furthermore, with Regshot we monitored the registry for both the java and windows payloads. In both scenarios, certain keys were added. However, it is not clear as to whether these keys can serve as a clear indicator of the Meterpreter payload or the Java 7 Applet Remote Code Execution vulnerability. But it is important to note that after multiple exploits various keys change. At the end of our paper we detail the changes in the registry.

5.)WIRESHARK

“Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network.” [23]

Wireshark was used as our packet analysis tool during this project because of its ease of use and many features. We start Wireshark slightly before the exploit and
find that there are some obviously malicious packets being sent as scene below:

From the wireshark snapshot above, you can identify that there is a connection established to an apache server which is kept alive. This packet is obviously malicious due to its contents of Exploit.jar and Exploit.class contained within the applet.

6.) SNORT

“Snort® is an open source network intrusion prevention and detection system (IDS/IPS)… [That combines] the benefits of signature, protocol, and anomaly-based inspection.”[3]

We used Snort as the intrusion detection system on a virtual machine that is configured with a XUbuntu operating system called Security Onion. We used Snort version 2.9.2 IPv6 GRE (Build 78). This version of snort is set up with pulled pork to automatically get rule updates.

6.1) Security Onion

Security Onion automatically downloads a new set of rules during setup from emerging threats every day at 7:01 am [17]. The download file of the rules is also located in a different directory path that is “/etc/nsm/rules”. Security Onions setup also configures Snorby to allow you to view your results.

6.2) Snorby

“Snorby is a ruby on rails web application for network security monitoring that interfaces with current popular intrusion detection systems (Snort, Suricata and Sagan).” [5]

Snorby was used in this research to view alerts from emerging threats’ rule set after the exploitation. The following results are obtained.

Windows Meterpreter payload: Due to space allocation please
reference table 1 at the end of this document.

Java Meterpreter payload: Due to space allocation please
reference table 2 at the end of this document.

7.) PROCESS EXPLORER

“Process Explorer shows you information about which handles and DLLs processes have opened or loaded.” “The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems… and provide insight into the way Windows and applications work.”[7]

Process explorer is used in our research to explore what may be a malicious processes and how they function. This took into account the two malicious payloads, the java Meterpreter and the Windows Meterpreter.

7.1) Windows Meterpreter Processes

There are four malicious processes that are added to the windows machine after the exploit. The first process has a randomized name that always has a unique description that says “ApacheBench command line utility.” The second is a normal windows process called conhost.exe. The third process is called jp2launcher.exe and possesses a child process called java.exe. The fourth process is the child process of jp2launcher.exe which is called java.exe.

The first gives an interesting description in the Windows task manager that says “ApacheBench command line utility”. We know that no Windows machine should be running apache and it also has various suspicious properties. These properties include some interesting modules such as: wsock32.dll, WSHTCPIP.DLL, ws2_32.dll, wininet.dll, rpcrt4.dll, oEnTEXyW.exe, and mswsock.dll. We further investigate these modules by using Process Explorer’s search online functionality and find the following
information:
•wsock32.dll – This module may be considered
suspicious because it is used for applications with internet connection. This would normally be fine however if the process is migrated to a non-networked application it immediately draws attention.[9]
•WSHTCPIP.DLL – “The module is also known as the WinSock 2.0”. [10] This is another socket DLL controlling connectivity to outside interfaces.
•ws2_32.dll – This module is similar to the wsock32.dll in which it is used for internet and network applications.[11]
•wininet.dll – This module is considered a malicious module. It too contains functions for Internet use. However it is a process which the Troj/Zlob-AO trojan tries to disguise itself as under the true process name of %systemroot%. This is considered a security risk.[12]
•rpcrt4.dll – This module is suspicious because it is a remote procedure call used by windows applications for network and internet communication. With this process grouped with all of the other network modules the process is looking more suspicious. [13]
•oEnTEXyW.exe – This is a malicious process. We
have researched the Meterpreter shell and it creates a process like this that has a path like C:\Users\newuser\AppData\Local\Temp\~spawn5451488794421801183.tmp.dir\oEnTEXyW.exe. We have realized that this path with “spawn” in it with randomization is malicious.
•mswsock.dll – This is another networking module that is an extension of Winsock. If this process is migrated to a non-networking process such as notepad this becomes suspicious. [14]

The second process conhost.exe is interesting because this
process handles the windows command line. This can be seen by looking at the
process properties in process explorer and clicking the environment tab. Note
that the ComSpec is set to cmd.exe. [24]

The windows Meterpreter payload
also spawns the process called jp2launcher.exe and a sub process called java.exe
that is the child of jp2launcher.exe. These processes will be discussed in more
detail in the Malicious Java Processes section.

7.2) Java Meterpreter Processes

There are four malicious java processes that are created through the reverse TCP Meterpreter payload. The first process is called jp2launcher. This process is the parent process of the second process which is called java.exe. The third process is similarly called java.exe however this process takes up more memory than the other java.exe process and handles each individual Meterpreter session. The last process is called conhost.exe and this has been thoroughly discussed in the Non-Migrated Windows Processes section.

First let’s look at the parent process of the smaller java.exe process, the jp2launcher.exe process. This process contains one of the modules we have already explored in the Non-Migrated Windows Process section, which is called rpcrt4.dll. There are also some new modules that may prove to be suspicious including: mpr.dll, and jp2launcher.exe. Let us look at these processes in more detail:

We shall start by looking at mpr.dll. This process uses functions that are used to handle communication between the Windows operating system and the installed network providers [15]. Again, this process may be considered malicious of this process is migrated to a non-networking process.

The next module we shall look at is called jp2launcher.exe. This module becomes active when you attempt to remote or use java to connect to remote locations [16]. This may be a malicious process because your application is remotely connecting to another machine. This can even be considered suspicious to certain networking processes.

Next we shall look at the smaller java.exe process. This process is the child of the jp2launcher process. This process contains some of the modules we have already explored: rpcrt4.dll, jp2launcher.exe. There are also some new modules that may prove to be malicious including: mpr.dll and classes.jsa.

The module mpr.dll uses functions used to handle communication between the Windows operating system and the installed network providers. This could also possibly be noted as malicious if attached to a non-networking process.

The module classes.jsa is suspicious because it is not a known module and is located in the Files\Java\jre7\bin\client\classes.jsa directory.

Last we shall look at the larger java.exe process. We know this process handles each individual Meterpreter session because after killing this process the session dies. Also after initiating a new session (going to the malicious site), we find that only this process is created. However the other two processes are created if they have been killed.

7.3) Migrated Processes

For Migrated Malicious Processes, the processes associated with the malicious programs switch over to non-malicious programs. To test this we use the Windows Meterpreter as a case study, note that this concept is the same for the Java Meterpreter processes. For example if we look at the regular notepad process we will see some similarities which are to be expected. However, the malicious notepad process will have these regular notepad modules and the ones that are shown in the non-migrated malicious windows process section. This shows how the previously mentioned modules may be considered malicious because if they are migrated to a non-networking process like notepad it gives extra attributes not originally found in that process.

8.) WINDOWS LOGS

First we clear all Windows logs so we know what is specific
to this exploit and payload. After this we execute the
CVE2012-4681vulnerability with the windows Meterpreter
reverse TCP payload. We receive two logs in the security logs and one log in
the system logs. The security logs receive an alert for a logon and a special
logon as seen below:

First let us take a look at the Logon entry in the Logs. The logon user is WIN7$ for the regular logon. It logs on using logon type five or a service logon. The log also shows that it is using a well-known SID that is S-1-5-18. S-1-5-18 is and SID that indicates it is a local system service account used by the operating system. We also see in the logs that the process logon name is advapi.exe. By looking into this further we see that advapi.exe is a malicious process that is used for Trojans [20]. Another interesting point is that the logon GUID is blank or {00000000-0000-0000-0000-000000000000}.

Now let’s take a look at the Special Logon entry in the logs. We gain the following information:

In this we see the assigning of new privileges the new logon.

In the System logs we only have one event that only tells us that a service has started to run.

When we execute the same exploit however, this time using the java meterpreter
payload we get nothing in the Microsoft Windows Logs.

9.) ACKNOWLEDGMENTS

Thanks to Greg Kuruc, Johnathan Fragale, Mark Olsen, and Dennis Hayden for collaborating with our research and providing material for this paper. We also appreciate Dr. Michael O’leary our advisor for this research project and his guidance.

10.) REFERENCES

1.Ossec. (n.d). About. In Ossec. Retrieved September 21, 2012, from http://www.ossec.net/?page_id=4
2.Wireshark. (n.d). About. In Wireshark.
Retrieved September 21, 2012, from http://www.wireshark.org/about.html.
3.Snort. (n.d). About. In Snort. Retrieved September 21, 2012, from http://www.snort.org/snort.
4.Security Onion. (n.d). FAQ. In Google. Retrieved September 21,2012, from http://code.google.com/p/security-onion/wiki/FAQ.
5.Snorby. (n.d). Ruby On Rails For Network Security Monitoring. In Snorby. Retrieved September 21, 2012, from http://snorby.org/.
6.Mark Russinovich, Bryce Cogswell. (July 16, 2012). Process Monitor v3.03. In Microsoft. Retrieved September 21, 2012, from http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx.
7.Mark Russinovich. (July 16, 2012). Process Explorer v15.22. In Microsoft. Retrieved September 21, 2012, from http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx.
8.Tripwire. (n.d). Tripwire VIA Platform: Connect Protect Detect. In Tripwire. Retrieved September 21, 2012, from http://www.tripwire.com/it-security-software/
9.Uniblue. (n.d). wsock32.dll. Process Library. Retrieved September
17, 2012 from http://www.processlibrary.com/directory/files/wsock32/24607/
10.Microsoft Corp. (n.d). Windows XP DLL File Information – wshtcpip.dll . In Nirsoft. Retrieved October 8, 2012, from http://xpdll.nirsoft.net/wshtcpip_dll.html.
11.Uniblue. (n.d). ws2_32.dll. Process Library. Retrieved September 17,
2012 from http://www.processlibrary.com/directory/files/ws2_32/24187/
12.Uniblue. (n.d). wininet.dll. Process Library. Retrieved September 17,
2012 from http://www.processlibrary.com/directory/files/wininet/25271/
13.Uniblue. (n.d). rpcrt4.dll. Process Library. Retrieved September 17,
2012 from http://www.processlibrary.com/directory/files/rpcrt4/23580/
14.Uniblue. (n.d). mswsock.dll. Process Library. Retrieved September 17,
2012 from http://www.processlibrary.com/directory/files/mswsock/21635/
15.Uniblue. (n.d). mswsock.dll. Process Library. Retrieved September 20,
2012 from http://www.processlibrary.com/directory/files/mpr/22501/
16.What is exe. (n,d). Purpose of jp2launcher.exe. What is exe. Retrieved September 20, 2012 http://www.what-is-exe.com/filenames/jp2launcher-exe.html
17.Emerging Threats. (September 21, 2012). Emerging Threats. In There are the Emerging Threats.net Open rulesets. Retrieved September 24, 2012, from https://rules.emergingthreatspro.com/.
18.CVE. (n.d). CVE-2012-4681. In Common Vulnerabilities and Exposures. Retrieved September 24, 2012, from http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681.
19.Scape. (September 12, 2004). Metasploit’s Meterpreter. In Metasploit. Retrieved September 24, 2012, from http://dev.metasploit.com/documents/meterpreter.pdf.
20.Uniblue. (n.d). advapi.exe. In Process Library. Retrieved September 26, 2012, from http://www.processlibrary.com/directory/files/advapi/21300/.
21.Andreas Viklund. (n.d). Sguil: The Analyst Console for Network Security Monitoring. In Sourceforge. Retrieved October 5, 2012, from http://sguil.sourceforge.net/.
22.Maddes. Xhmikosr. (January 23, 2012). Regshot. In Sourcefourge. Retrieved October 8, 2012, from http://sourceforge.net/projects/regshot/.
23.Wireshark. (n.d). About Wireshark. In Wireshark.
Retrieved October 8, 2012, from http://www.wireshark.org/about.html.
24.The Big Geek. (n.d). What is conhost.exe? Why is it running?. In thegeekpub. Retrieved October 9, 2012, from http://www.thegeekpub.com/548/what-is-conhost-exe-why-is-it-running/.

Table References

Table 1

•Alert Number: 1 Number of Alerts: 1 Alert Name: ET CURRENT_EVENTS landing page with malicious Java applet [sid 2014561]
Code: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:”ET CURRENT_EVENTS landing page with malicious Java applet”; flow:established,from_server; file_data; content:”code=”; distance:0; content:”xploit.class”; distance:2; within:18; classtype:bad-unknown; sid:2014561; rev:2;)
•Alert Number: 2 Number of Alerts: 2 Alert Name: ET POLICY Vulnerable Java Version 1.7.x Detected [sid 2014297] [url javatester.org/version.html]
Code: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”ET POLICY Vulnerable Java Version 1.7.x Detected”; flow:established,to_server; content:” Java/1.7.0_0″; http_header; content:!”5″; within:1; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2014297; rev:10;)
•Alert Number: 3 Number of Alerts: 2 Alert Name: ET CURRENT_EVENTS 0day JRE 17 metasploit Exploit Class [sid 2015657] [url blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html] [url metasploit.com/modules/exploit/multu/browser/java_jre17_exec]
Code: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:”ET CURRENT_EVENTS 0day JRE 17 metasploit Exploit Class”; flow:established,to_client; file_data; content:”PK”; within:2; content:”|2f|Payload.class”; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:1;)
•Alert Number: 4 Number of Alerts: 1 Alert Name: ET SHELLCODE Possible Call with No Offset TCP Shellcode [sid 2012088] [url http://www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/%5D
Code: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:”ET SHELLCODE Possible Call with No Offset TCP Shellcode”; flow:established; content:”|E8 00 00 00 00 8F|”; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012088; rev:1;)
•Alert Number: 5 Number of Alerts: 1 Alert Name: GPL SHELLCODE x86 inc ebx NOOP [sid 1390] Code: alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:”SHELLCODE x86 inc ebx NOOP”; content:”CCCCCCCCCCCCCCCCCCCCCCCC”; classtype:shellcode-detect; sid:1390; rev:9;)
•Alert Number: 6 Number of Alerts: 1 Alert Name: ET SHELLCODE Possible Call with No Offset TCP Shellcode [sid 2012086] [url http://www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/%5D
Code: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:”ET SHELLCODE Possible Call with No Offset TCP Shellcode”; flow:established; content:”|E8 00 00 00 00 58|”; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:1;)

Table 2

•Alert Number: 1 Number of Alerts: 1 Alert Name: ET CURRENT_EVENTS landing page with malicious Java applet [sid 2014561]
Code: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:”ET CURRENT_EVENTS landing page with malicious Java applet”; flow:established,from_server; file_data; content:”code=”; distance:0; content:”xploit.class”; distance:2; within:18; classtype:bad-unknown; sid:2014561; rev:2;)
•Alert Number: 2 Number of Alerts: 2 Alert Name: alerts of: ET POLICY Vulnerable Java Version 1.7.x Detected [sid 2014297] [url javatester.org/version.html]
Code: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”ET POLICY Vulnerable Java Version 1.7.x Detected”; flow:established,to_server; content:” Java/1.7.0_0″; http_header; content:!”5″; within:1; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2014297; rev:10;)
•Alert Number: 3 Number of Alerts: 2 Alert Name: alerts of: Snort Alert [1:2015657:0] [sid 2015657]
Code: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:”ET CURRENT_EVENTS 0day JRE 17 metasploit Exploit Class”; flow:established,to_client; file_data; content:”PK”; within:2; content:”|2f|Payload.class”; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:1;)
•Alert Number: 4 Number of Alerts: 4 Alert Name: alerts of: ET TROJAN Metasploit Meterpreter stdapi_* Command Request [sid 2014530]
Code: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:”ET TROJAN Metasploit Meterpreter stdapi_* Command Request”; flow:established; content:”|00 01 00 01|stdapi_”; offset:12; depth:11; classtype:successful-user; sid:2014530; rev:3;)
•Alert Number: 5 Number of Alerts: 2 Alert Name: alerts of: ET TROJAN Metasploit Meterpreter stdapi_* Command Response [sid 2014532]
Code: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Metasploit Meterpreter stdapi_* Command Response”; flow:established; content:”|00 01 00 01|stdapi_”; offset:11; depth:11; classtype:successful-user; sid:2014532; rev:3;)