[Noisebridge-discuss] hijacking old java runtime environments

Kristian Erik Hermansen kristian.hermansen at gmail.com
Sun Jun 7 19:15:00 UTC 2009


Thanks for the responses.  The JavaRa tool may help to raise awareness
of the issues on Windows.  The milw0rm java 6u13 exploit is not the
attack the website utilizes.  I am still interested in how attackers
can load older java installations into the browser and exploit them
though.  Anyway, thanks again for the info...

FYI, you can find some of my old public exploits on milw0rm too if you
search my last name.  I don't publish much there these days, but I
have a few new 0days if anyone wants to trade.  Here's the new cheap
stuff I discovered during the last week:

* symantec endpoint protection 11; exploit allows bypassing
hips/av/firewall uninstallation when passwords are required.
* bash; malloc crasher

Cheers,

On 6/6/09, Brian Johnson <noisebridge at dogtoe.com> wrote:
> There is a known security exploit for JRE 6u13 which allows the remote
> execution of code. This could have been used to access old versions of the
> JRE.
>
> http://www.milw0rm.com/exploits/8665
>
> - Brian
>
>
> On Sat, Jun 6, 2009 at 12:48 PM, Kristian Erik Hermansen <
> kristian.hermansen at gmail.com> wrote:
>
>> Hello!
>>
>> I am currently researching methods that allow a malicious website to
>> load previously installed Java runtime environments.  A common issue
>> is that even after updating Sun's JRE (on Windows), most users do not
>> remove the older versions, which is a potential vector for abuse.  We
>> logged one of our internal employees getting hijacked in this way,
>> even though they had (and we confirmed using the logs) the latest Sun
>> JRE 6u13.  However, using methods I will not detail just yet, the
>> website was able to convince the browser to load JRE 6u5, which has a
>> myriad of known security issues.  The website in question attempted to
>> load all previous JRE versions (starting at the oldest
>> chronologically), in a brute force manner, until one that was
>> installed was enumerated and exploited.
>>
>> If you have done any research in this area, or know of anyone who can
>> point to technical documents that might expose other related attack
>> vectors, please do let me know.  Or we could have a discussion here in
>> this thread if others are interested in how this website was able to
>> do this.  However, I want to save the specific details for a tech
>> paper/conference since I have never heard of anyone doing this before
>> and it might be 0day.  We have never seen it in our environment and we
>> process many terabytes of log data per month...
>>
>> Cheers,
>> --
>> Kristian Erik Hermansen
>> _______________________________________________
>> Noisebridge-discuss mailing list
>> Noisebridge-discuss at lists.noisebridge.net
>> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
>>
>

-- 
Sent from my mobile device

Kristian Erik Hermansen
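The thread's defensive takeaway is that updating the JRE on Windows leaves the older runtimes installed and loadable. The script below is an added example, not code from anyone on this thread, that enumerates every Sun JRE registered on a host and flags the ones older than the newest, so an administrator can confirm the exposure before reaching for JavaRa or msiexec. It assumes Sun's installer registers each runtime under HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\<version> (plus the Wow6432Node mirror on 64-bit Windows) with a JavaHome value, and that the Add/Remove Programs entries are named "Java(TM) 6 Update N" or "J2SE Runtime Environment ..."; those paths and names are assumptions about the installer, not facts stated in the thread.

```powershell
# Added example: list installed Sun JREs and report the stale ones.
# Assumption: each runtime is registered under
#   HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\<major.minor.patch_update>
# (and under Wow6432Node for 32-bit JREs on 64-bit Windows) with a JavaHome value.

function Get-InstalledJre {
    $roots = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # Keep only full version keys such as 1.6.0_13; Sun also writes short
        # alias keys such as "1.6" that point at the newest update of that line.
        Get-ChildItem $root |
            Where-Object { $_.PSChildName -match '^\d+\.\d+\.\d+_\d+$' } |
            ForEach-Object {
                $parts = $_.PSChildName -split '[._]' | ForEach-Object { [int]$_ }
                New-Object PSObject -Property @{
                    Version  = $_.PSChildName
                    Sortable = New-Object Version($parts[0], $parts[1], $parts[2], $parts[3])
                    JavaHome = (Get-ItemProperty $_.PSPath).JavaHome
                    Hive     = $root
                }
            }
    }
}

$jres = Get-InstalledJre | Sort-Object Sortable -Descending
if (-not $jres) { Write-Output 'No Sun JRE registry entries found.'; return }

$latest = @($jres)[0]
Write-Output ("Newest registered JRE: {0} ({1})" -f $latest.Version, $latest.JavaHome)

$stale = $jres | Where-Object { $_.Sortable -lt $latest.Sortable }
if (-not $stale) {
    Write-Output 'Only one JRE version is registered.'
    return
}

Write-Output 'Older runtimes still installed (candidates for removal):'
$stale | Format-Table Version, JavaHome, Hive -AutoSize

# Cross-reference Add/Remove Programs so each stale runtime can be removed
# with its own UninstallString. Assumption: Sun names these entries
# "Java(TM) 6 Update N" (Java 6) or "J2SE Runtime Environment ..." (Java 5).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
Get-ChildItem $uninstallRoots -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object {
        $_.DisplayName -like 'Java(TM) 6 Update*' -or
        $_.DisplayName -like 'J2SE Runtime Environment*'
    } |
    Select-Object DisplayName, UninstallString |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session; anything listed under "Older runtimes" is a JRE the browser plug-in can still be pointed at, and the UninstallString column gives the msiexec command to remove it.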
