CIS 5.9 bypassed by java_rhino exploit

[Guest]

[webbie146]

hey guys,

I made a video about CIS 5.9 being bypassed by a fairly new exploit called 'java rhino'.
You can read more about this exploit here [rapid7.com] and here [darkreading.com].

This video shows how easy it is to setup this exploit, and exploit a system. A user only has to visit a link and he/she is infected. CIS 5.9 is bypassed. There is not 1 alert given at all.

All modules of CIS are active. Settings are:

 - Proactive Security
 - Sandbox set to 'untrusted'

The rest of the settings are just the stock proactive security settings.

PC runs on windows 7 SP1 64 bit fully updated.
Java versions is 6 update 27 (released on October 2011)

I've tested this exploit against a few other av's and the results where:

MSE -- bypassed
Panda Cloud -- bypassed
Avira free -- bypassed
Avg free -- bypassed
CIS -- bypassed
Unthreat Free -- bypassed
Spyshelter Premium -- bypassed

Avast - protected system (detected exploit with signature)
Sandboxie -- protected system After deleting contents in sandbox connection is broken
Noscript -- protected system Will block the java applet/exploit

As you can see this is not only a CIS related problem. If a av does not have a signature for either the exploit and/or payload it will most likely by bypassed. Comodo's D+ and FW did not help against this exploit.

Link to video: https://www.youtube.com/watch?v=nLQCusNk46M&context=C36d08beADOEgsToPDskITCGOol6Rc26q4pC9cCN3z

How to protect yourself against this exploit

To protect yourself against this exploit you can either:

 - Update you're java version to version 29 or newer.
 - Uninstall java if you do not use it.

This will protect your PC against the java_rhino exploit. Java is one of the most exploited programs on the internet atm. There are new exploits coming out all the time.

If you want extra protection, you can read here about setting up CIS for protection against future java exploits (thanks to Ronny for figuring this out   --> http://forums.comodo.com/news-announcements-feedback-cis/cis-59-bypassed-by-javarhino-exploit-t79741.0.html;msg572054#msg572054



mod edit: obfuscated (tiny.cc) URLs replaced. kail

[webbie146]

Does Java need to be installed for this exploit to run? I don't have Java installed.

Yes, Java needs to be installed. Problem is that tons of people got java installed, although they never make use of it. A lot of people got a outdated version of java installed too..

[L.A.R. Grizzly]

Yes, Java needs to be installed. Problem is that tons of people got java installed, although they never make use of it. A lot of people got a outdated version of java installed too..

Does it also need Net Framework. I don't have that installed either.

[Ronny]

Tell me what u think about it  

Looks like a hole that needs to be plugged, in the mean time keep your Java up2date or uninstall if you don't use it.
Replace 'Java' with everything that plugs in to your browser as they could also be exploited one way or the other.

[webbie146]

Does it also need Net Framework. I don't have that installed either.

I don't think it needs Net Framework. Pretty sure it does not. Just needs java.

[L.A.R. Grizzly]

I don't think it needs Net Framework. Pretty sure it does not. Just needs java.

Thanks. Interesting video. I hope the CIS devs will look into it further. 

[loveboy_lion]

How did avast exactly protect against it can you give exact details

[Ronny]

How did avast exactly protect against it can you give exact details

Detected with Signature, so the exploit was blacklisted on their AV.

[webbie146]

Thanks. Interesting video. I hope the CIS devs will look into it further.  

Yes, I hope so too. I think a possibility could be that Comodo just starts blocking all known payloads. This way a exploit could run, but it can't make contact with the hackers machine. This would be more efficient then blocking all exploits I think.

How did avast exactly protect against it can you give exact details

When opening the page and starting the exploit Avast detected the exploit with a signature. It detected the exploit, not the payload. The PC was thereby not compromised.

This is Avast description after blocking the infection: http://www.avast.com/en-eu/lp-security-information-fp2?p_ext=0&utm_campaign=Virus_alert&utm_source=prg_fav_60_3&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-eu%2Fvirus-alert-challenger2&p_vir=java:Agent-AGH%20

[loveboy_lion]

Thanks for the heads up

[clockwork]

This finding could safe a lot of people.

Java should not be able to run without consent.

Was only the antivirus enabled of avast (data protection system), or things like script blockers ect too?

[webbie146]

This finding could safe a lot of people.

Java should not be able to run without consent.

Was only the antivirus enabled of avast (data protection system), or things like script blockers ect too?

All avast systems where running, in stock setting. All shields where active.
I'm trying to find a way to submit this exploit to comodo atm.

[loveboy_lion]

Try uploading the sample detected by Avast

[clockwork]

Two other questions are left:
What happens under defense+ safe mode with disabled sandbox? At least a question? (Blocked exploit otherwise).

What happens with firewall running on custom mode? Remote executing possible without question?

[webbie146]

Two other questions are left:
What happens under defense+ safe mode with disabled sandbox? At least a question? (Blocked exploit otherwise).

What happens with firewall running on custom mode? Remote executing possible without question?

Will try this out right now.

Edit: Okay i tried this.

Turning of the sandbox did not display any alert or intrusions for D+.
Changing the FW to custom policy will actually give the user the option to block the payload!

The user will see this alert: http://i802.photobucket.com/albums/yy305/webbie146/firewall.png
The alert does state that java.exe is a safe app and can safely be allowed. Users might get confused by this, and press allow. Anyways custom policy for the FW will give the users the option to block the payload 

[Tags:]