Exploits found in Java 7 Update 11 just Released to fix Zero-Days

Java Setup

Those that rushed to deploy the latest Java update to plug remote exploit vulnerability woes aren’t done yet. Looks like the exploit still exists in the new version and can be exploited by two new security vulnerabilities.

Security Explorations company founder and security researcher Adam Gowdiak released the warning today on Seclists.org Full Disclosure:

“We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21).

…As a result, two new security vulnerabilities were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code).”

This is a serious concern as many companies need Java and can’t just simply “turn it off”. Hopefully another security update will be released soon.

Java Releases Zero-Day Patch – Why you Need to Install it Now

Java Setup

Java released an out-of-band patch yesterday to remedy two Zero-Day exploits. If you haven’t done so update now. The Java exploit code has been added to several underground crimeware kits rapidly accelerating its spread on the internet. The patch stops a remote exploit that would allow an attacker to run code on a system that does nothing more than browse to a malicious page. This could include a full remote shell which we will demonstrate below.

The exploit code has been publicly available for a while now and has been added to the ever popular security testing suite Metaslpoit. We will demonstrate the exploit using Backtrack 5 and the Social Engineering Toolkit.

Simply choose the “Java Applet JMX Remote Code Execution” template from the SET Browser Exploitation menu.

SET Java 0-Day

Then choose the type of shell you want to use. We just selected the Reverse Meterpreter Shell and chose the defaults for everything else.

Once SET is ready, it will execute Meterpreter and wait for an incoming connection. Now we just need to surf to the attacker machine from Windows:

Surf to page

It doesn’t seem that anything happens. No warnings or pop-ups.

But as you can see below, our Backtrack system has already sent the exploit code and created a remote session with the system:

SET Session Created

We can now view any sessions that were created. As you see below we have one active session by Fred using a computer called Freds-PC using IP Address 192.168.0.114.

We simply connect to the session with the “sessions -i” command and run “shell” to open a full remote DOS shell:

SET Windows 7 Shell

In the example above all the user did was browse to a malicious webpage. With no warning at all a full remote shell was opened on the visiting system by an attacker.

Now, let’s go to the Java Download page and download the latest update (update 11):

Java Update

Then let it install:

Java Setup Complete

Finally, let’s try surfing to the same malicious site again from our Windows 7 system and see what happens.

The webpage opens and acts like it did on the victim’s side. So far no change.

But if we look at the attacker side, we get an error message and more importantly no remote shell is opened:

After Update No Shell

That’s it! One Java update takes care of one of the nastiest Java exploits I have seen in a while.

Java seems to be a favorite target of hackers, and you never know when another Zero-Day might be discovered. If you haven’t done so all ready I highly recommend downloading and using a script blocking program like NoScript to give you some extra security and control over what scripts are allowed to run.

Windows 8 Security in Action: Part 1

Below is Part 1 of the Article “Windows 8 Security in Action” featured in this month’s issue of Hakin9 Exploiting Software:

Is Windows 8 the next operating system for your enterprise? In this article, we will take a quick look at Microsoft’s new OS – Windows 8. We will see some of the new security features that make it more secure than its predecessor Windows 7. We will also run the security through the paces and see some of the possible issues that are new to the OS and some that have carried over from previous versions of Windows. From the Backtrack 5 r3 security testing platform, the author uses the Metasploit Framework and Social Engineering Toolkit to see how Windows 8 stands up to the most common internet based threats.

Introduction

The much anticipated (and debated) next version of Windows software is set to be released on October 26, 2012. Several pre-release versions were made available, and just recently Microsoft released a 90 Day Windows 8 Enterprise RTM (Release to Manufacturer) evaluation copy.

In this article we briefly cover the new look of Windows 8, which has caused some complaints from Enterprise entities and the media alike. We will then highlight some of the new security features, and finally, put them to the test.

From the Backtrack 5 r3 security testing platform, I use the Metasploit Framework and Social Engineering Toolkit to see how Windows 8 stands up to the most common internet based threats. I also cover credential harvesting, Man-in-the-Middle and physical attacks against Microsoft’s latest OS.

So let’s get to it!

Windows 8 Overview

 

Figure 1 – The new, no longer called “Metro”, desktop

The first thing you will notice is the desktop change (Figure 1), you’re not in Kansas anymore Dorothy. Catering to the mobile touchscreen users, Microsoft has switched the desktop to this new tiled interface. This has caused a split amongst enterprise users; some seem too really like it, others want the standard desktop back.

Don’t get me wrong, the desktop we know and love is still there (Figure 2):

Figure 2 – The “classic” Windows 8 desktop

But if you notice, the start button is gone. If you move the cursor to the side of the screen the new “start menu” will appear (Figure 3):

Figure 3 – The new “Start” bar

Yes, I know it looks different doesn’t it? Clicking the Start button on this menu takes you back to the Metro interface. Apparently Microsoft wanted a consistent look across their product platform. Phones, tablets and desktops would all have the same “Metro” interface.

It is nice to know though that some things still look the same in Windows 8. The Control Panel looks pretty familiar (Figure 4):

Figure 4 – The Control Panel menu

Changes have been made on the server side also. The new Server 2012 has a GUI interface, but Microsoft is really pushing the use of Server Core edition that is configured by command line only. So if you do server work, it is time to brush up on your PowerShell.

In essence, Windows 8 really seems to be an enhanced Windows 7, with a new interface. Everything that you could do in Windows 7 is there, somewhere, it is just a matter of finding its new location.

The New Security Features

Several security improvements have been made to Windows 8, a brief list of some of the new features include:

  • Windows Defender comes pre-installed
  • Application download screening with SmartScreen
  • Protection against buffer overflow and memory corruption/ modification attacks
  • UEFI / secure boot to help prevent rootkits and bootkits
  • New password options

Let’s take a closer look at the password options and some changes in the way Microsoft handles passwords.

Password Options

You now have a couple choices for login security options (Figure 5). You can use a password like always, but there are two new options, pin and picture password.

Figure 5 – Windows 8 Account Sign-in options

The PIN option is not new to some users; just select a 4 number pin and that’s it. When you go to login the next time you will now have a choice to login via PIN number (Figure 6) or your password:

Figure 6 – Login Prompt asking for PIN

The interesting one is the Picture Password (Figure 7). It requires a touchscreen interface, but with it you get to pick a picture and create a special password all your own. Once you choose the picture you want, you then record a series of finger swipes, circles and taps that make the final password.

Figure 7 – Picture Password Creation

How cool is that?

Windows 8 Security in Action Part 2

The New Social Engineering Toolkit vs Windows 7 (and 8!)

Cyber genius David Kennedy (aka The Mad Hugger 🙂 ) and his rockstar team have done it again. Just when you thought your Anti-Virus was safe, the TrustedSec team has shown once again that pinning all your corporate security hope on AV protection alone is not a good strategy.

A ton of new features have been added (check out their video above) and some of the older features have been re-written and revamped. Making SET 4.0 codenamed “Balls of Steel” (who makes up these names??) one of the coolest pentesting tools out there.

I just had to check out the new “PyInjector” feature (injects shellcode straight into memory) and see how it fared against a fully updated Windows 7 with one of the best AV/network protection suits installed:

Looks like it worked pretty good!

Okay, I have been playing around with Windows 8 for a while now, checking out it’s updated security features and I have been pretty impressed so far. Here is a screenshot of the same attack against a Windows 8 system using only the included Microsoft Windows Defender:

No shell, only an ever repeating screen of errors.

Okay, let’s try the new Java 7 attack against both and see how it fairs. First the Windows 8 system:

Hmm… Seems to have stopped it at the request stage. Windows Defender did have an update that I installed just prior to running this test. Though I thought it odd that nothing showed in the Windows Defender log.

Okay and the Windows 7 system with the good AV:

Just got to the sending applet part, but no shell. Looks like it stopped it too.

I tried the regular Java attack that has been re-tooled and I was able to get a remote shell with both versions of Windows. It was odd though as neither would let me actually do anything with the shell. Anything I tried to input into the shell would just be echoed onto the webpage on the target machine.

This just shows that even though in some cases the AV was able to stop the attacks, I was still able to get a full remote shell. Users must be educated about online risks, and network defense can not be focused on AV protection alone. Social Engineering is one of the top targeted attack methods used against corporate networks.

Sometimes your user is your last and greatest line of defense.