Author Topic: CIS 5.9 bypassed by java_rhino exploit  (Read 15995 times)
ssj100
« Reply #30 on: December 22, 2011, 01:33:14 PM »

Quote
Tested Sandboxie for someone too. Sandboxed the browser, and emptied the sandbox.
The connection between the hacker and victim PC is interrupted. Sandboxie is effective against this exploit.

That's interesting - so the connection was able to be established within the sandbox?  Could screenshots etc be taken?  Exactly what could be done to the victim PC?

Exactly which file is the payload?
« Last Edit: December 22, 2011, 01:35:11 PM by ssj100 »

Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
webbie146
« Reply #31 on: December 22, 2011, 04:56:30 PM »

Quote
That's interesting - so the connection was able to be established within the sandbox?  Could screenshots etc be taken?  Exactly what could be done to the victim PC?

Exactly which file is the payload?

Yes, the connection can still be established. Basically most features are still working. Some things are not working, like injecting into another process. Screenshot and the key-logger still work.

Exactly what could be done to the victim PC?

A few examples:

Screenshot
webcam screenshot
key-logger
PC info/process list
uploading/downloading files
Basically anything you can think of can be done.

Java rhino = exploit
java/meterpreter/reverse_http = payload type

The payload can be a lot of different types.
You can read a bit about how it works here: http://www.offensive-security.com/metasploit-unleashed/Metasploit_About_Meterpreter

Btw: I sent the exploit, and 14 other undetected browser exploits, to egemen. This way signatures can be created.
« Last Edit: December 22, 2011, 05:11:25 PM by webbie146 »
languy99 (Global Moderator)
« Reply #32 on: December 22, 2011, 05:29:37 PM »

Quick question: seeing as you are on the same network when you did the test, did you select "public network" in CIS, or did you select "home"? Reason I am asking is because if you select home, CIS allows everything through the firewall. Just an idea, maybe.
webbie146
« Reply #33 on: December 22, 2011, 05:35:48 PM »

Quote
Quick question: seeing as you are on the same network when you did the test, did you select "public network" in CIS, or did you select "home"? Reason I am asking is because if you select home, CIS allows everything through the firewall. Just an idea, maybe.

I think I selected work, not sure though. Will look at this.
MorphOS REBOL
« Reply #34 on: December 22, 2011, 06:55:34 PM »

Even more embarrassed by now, at least atm.

Cheers, REBOL.

Internet seems to be not that secure atfm.
Let's return to our farms itm.
ssj100
« Reply #35 on: December 22, 2011, 07:43:00 PM »


Quote
Yes, the connection can still be established. Basically most features are still working. Some things are not working, like injecting into another process. Screenshot and the key-logger still work.

Exactly what could be done to the victim PC?

A few examples:

Screenshot
webcam screenshot
key-logger
PC info/process list
uploading/downloading files
Basically anything you can think of can be done.

Java rhino = exploit
java/meterpreter/reverse_http = payload type

The payload can be a lot of different types.
You can read a bit about how it works here: http://www.offensive-security.com/metasploit-unleashed/Metasploit_About_Meterpreter

Btw: I sent the exploit, and 14 other undetected browser exploits, to egemen. This way signatures can be created.

Actually I was asking what exactly can be done to the victim's PC when the exploit is triggered inside the sandboxed browser.  Not sure if you understand how Sandboxie works, but nothing should be able to "break out" of the sandbox.  I'm not worried about keylogging etc taking place within the sandbox, but that's where it should end - the "REAL" system should not be modified.  And therefore once you terminate programs within the sandbox or delete the sandbox, it will be as if nothing has happened.

It will be interesting to see if you can eg. install programs into the REAL system (C:\Program Files\etc) or write into the REAL system with that connection, despite Sandboxie.

Also, what Port(s) does the connection use?
naren
« Reply #36 on: December 23, 2011, 06:23:52 AM »

Is it possible to test it with Valkyrie & CIMA?

Does the latest Java secure the system against this exploit?

Thanxx testing with UnThreat.

Regards
Naren
Ronny (Global Moderator)
« Reply #37 on: December 23, 2011, 06:56:15 AM »

Quote
Is it possible to test it with Valkyrie & CIMA?
I think not; it's not a PE, so they won't be tested.

Quote
Does the latest Java secure the system against this exploit?
Yes, 6u29 solves this issue.

Quote
Thanxx testing with UnThreat.

Regards
Naren
So you lost the bet. What are you going to do now because of that?

Volunteer Moderator
Any concerns? Please send me a PM or review the Forum Policy -  update Jan 3rd 2013!
webbie146
« Reply #38 on: December 23, 2011, 07:47:02 AM »

Quote
Actually I was asking what exactly can be done to the victim's PC when the exploit is triggered inside the sandboxed browser.  Not sure if you understand how Sandboxie works, but nothing should be able to "break out" of the sandbox.  I'm not worried about keylogging etc taking place within the sandbox, but that's where it should end - the "REAL" system should not be modified.  And therefore once you terminate programs within the sandbox or delete the sandbox, it will be as if nothing has happened.

It will be interesting to see if you can eg. install programs into the REAL system (C:\Program Files\etc) or write into the REAL system with that connection, despite Sandboxie.

Also, what Port(s) does the connection use?

I understand what Sandboxie does, I have used it in the past.

Anyway, the exploit cannot migrate into another process, or drop files on the 'real' system, because it runs in Sandboxie.

Thing is, after the exploit made a connection you could upload a RAT (remote administration tool). I could then let the RAT upload a file to the sandbox. I could then take over the mouse/keyboard and just copy it to the real disk. After that I could execute the .exe, and the real system would be infected.

It's hard, but can be done.

Oh, and the port depends on how you configure the exploit and payload. It can be any port the attacker wants it to be.
naren
« Reply #39 on: December 23, 2011, 07:57:00 AM »

Quote
I think not; it's not a PE, so they won't be tested.
Yes, 6u29 solves this issue.
So you lost the bet. What are you going to do now because of that?

Thanxx for the info. Good to know the latest Java keeps the system secure against this exploit.

I think I will bet more & keep on counting how many I win & lose. And I bet this was my very first bet here in Comodo forums & so this makes it 0 & 1, 0 Win & 1 Lost.

Thanx
Naren
Ronny (Global Moderator)
« Reply #40 on: December 23, 2011, 09:30:12 AM »

I think I found a way to stop this.
Can you please confirm if it still works if you change the following.

Put <path to java> on Always Sandbox AND untick file and registry virtualisation on the D+ policy.
This seems to break the spawn of the java.exe that's part of the IE parent to a new process java.exe that is the callback to the exploit server.

I will now make a clean install and verify on stock config also.
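Added example, not code from any poster in this thread or from Comodo: a small detector for the process chain Ronny describes above (browser -> java.exe -> second java.exe calling back to the exploit server). Since webbie146 notes the callback port is whatever the attacker configured, the rule keys on process lineage rather than on the port. The process and connection records below are constructed for the example, the browser and JVM image-name lists are assumptions, and it assumes all records come from one boot so pids are not reused.

```python
"""
Flag outbound connections made by a JVM whose ancestry includes a browser.
Events are constructed here, not captured from a real machine.
"""
from dataclasses import dataclass
from typing import Dict, List

# Browsers that host the Java plugin; assumed list, extend for your estate.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}
# Image names the plugin JVM runs under; "java.exe" is what the thread saw,
# "javaw.exe" is added as an assumption.
JVM_IMAGES = {"java.exe", "javaw.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: pid, parent pid, lower-case image name."""
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class NetEvent:
    """One outbound-connection record attributed to a pid."""
    pid: int
    dst_ip: str
    dst_port: int


def ancestry(tree: Dict[int, ProcEvent], pid: int, limit: int = 8) -> List[str]:
    """Image names from `pid` upward: [self, parent, grandparent, ...].
    `limit` guards against cycles caused by pid reuse in stale records."""
    chain: List[str] = []
    while pid in tree and len(chain) < limit:
        proc = tree[pid]
        chain.append(proc.image)
        pid = proc.ppid
    return chain


def find_callbacks(procs: List[ProcEvent], nets: List[NetEvent]) -> List[dict]:
    """Return one alert per connection whose originating process is a JVM
    with a browser somewhere above it. The destination port is reported
    but deliberately not used as a filter."""
    tree = {p.pid: p for p in procs}
    alerts = []
    for net in nets:
        chain = ancestry(tree, net.pid)
        if not chain or chain[0] not in JVM_IMAGES:
            continue
        if any(img in BROWSERS for img in chain[1:]):
            alerts.append({
                "pid": net.pid,
                "chain": " <- ".join(chain),
                "dst": f"{net.dst_ip}:{net.dst_port}",
            })
    return alerts


# Constructed sample: explorer -> iexplore -> java (plugin) -> java (callback),
# plus a stand-alone java.exe launched from explorer as a benign control.
SAMPLE_PROCS = [
    ProcEvent(pid=1, ppid=0, image="explorer.exe"),
    ProcEvent(pid=100, ppid=1, image="iexplore.exe"),
    ProcEvent(pid=200, ppid=100, image="java.exe"),
    ProcEvent(pid=300, ppid=200, image="java.exe"),
    ProcEvent(pid=400, ppid=1, image="java.exe"),
]
SAMPLE_NETS = [
    NetEvent(pid=300, dst_ip="192.0.2.10", dst_port=8080),  # attacker-chosen port
    NetEvent(pid=400, dst_ip="192.0.2.20", dst_port=443),   # benign desktop app
]

if __name__ == "__main__":
    for alert in find_callbacks(SAMPLE_PROCS, SAMPLE_NETS):
        print(alert)
```

On the sample data only pid 300 is flagged; the java.exe started directly from explorer.exe connects to 443 and is left alone, while the chained one is reported regardless of which port the attacker picked.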
webbie146
« Reply #41 on: December 23, 2011, 09:41:38 AM »

Quote
I think I found a way to stop this.
Can you please confirm if it still works if you change the following.

Put <path to java> on Always Sandbox AND untick file and registry virtualisation on the D+ policy.
This seems to break the spawn of the java.exe that's part of the IE parent to a new process java.exe that is the callback to the exploit server.

I will now make a clean install and verify on stock config also.

My Win7 VM is broken now, lol. I will create a new VM with Win7 and will test this.
Ronny (Global Moderator)
« Reply #42 on: December 23, 2011, 10:27:35 AM »

Just retested with a clean install, stock config. It needs the following to prevent the exploit:
you have to put java.exe on Always Sandbox as Untrusted, else it won't block.
No additional restrictions needed.

Beware: I tested this on Win XP, x86, Administrator & Java 6u27.
No clue if Java is still 100% functional, though.

1) If you don't use Java, uninstall it.
2) If you have to use Java, make sure you're up to date.

« Last Edit: December 23, 2011, 10:30:59 AM by Ronny »
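Added example, not code from this thread or from Comodo, for the "make sure you're up to date" advice: a checker that parses a `java -version` banner and compares it numerically against the update level Ronny reports as fixing this (6u29 in Reply #37). The 7u1 entry is my own addition from Oracle's October 2011 Critical Patch Update; the handling of other release lines is an assumption noted in the code. The banners in the test are constructed.

```python
"""
Decide whether an installed Java is below the update that closes the
Rhino hole, from the text `java -version` prints.
"""
import re
from typing import Dict, Optional, Tuple

# Minimum update number per major line that is treated as patched.
FIXED_UPDATE: Dict[int, int] = {
    6: 29,  # from the thread: "6u29 solves this issue"
    7: 1,   # assumption: Oracle's October 2011 CPU shipped the fix as 7u1
}

_BANNER_RE = re.compile(r'version "([^"]+)"')
_LEGACY_RE = re.compile(r"1\.(\d+)\.\d+(?:_(\d+))?(?:-.*)?")          # 1.6.0_27, 1.7.0
_MODERN_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+].*)?")  # 11.0.2, 17


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from the first `version "..."` in the banner.
    Fields are compared as integers on purpose: as strings, "1.6.0_29"
    sorts *before* "1.6.0_3", which is exactly the wrong answer here."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    ver = m.group(1)
    legacy = _LEGACY_RE.fullmatch(ver)
    if legacy:
        return int(legacy.group(1)), int(legacy.group(2) or 0)
    modern = _MODERN_RE.fullmatch(ver)
    if modern:
        return int(modern.group(1)), int(modern.group(3) or 0)
    return None


def is_vulnerable(banner: str, fixed: Dict[int, int] = FIXED_UPDATE) -> Optional[bool]:
    """True if the banner's update level is below the fix for its line,
    False if at or above it, None if the banner could not be parsed.
    Assumption: lines older than any entry in `fixed` are unpatched,
    lines newer than all entries already carry the fix."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, update = parsed
    if major in fixed:
        return update < fixed[major]
    return major < min(fixed)


if __name__ == "__main__":
    import subprocess
    try:
        # `java -version` prints its banner on stderr, not stdout.
        banner = subprocess.run(["java", "-version"], capture_output=True, text=True).stderr
    except FileNotFoundError:
        banner = ""
    print("installed:", parse_java_version(banner), "vulnerable:", is_vulnerable(banner))
```

Run it on each box (or feed it banners collected by inventory tooling); a `None` result means the banner was missing or in a form the parser does not know, which should be treated as "check by hand" rather than "fine".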
Ronny (Global Moderator)
« Reply #43 on: December 23, 2011, 11:11:10 AM »


Quote
No clue if Java is still 100% functional, though.

Well, just tested a legit Java site and it does break the functionality.
Ronny (Global Moderator)
« Reply #44 on: December 23, 2011, 02:50:00 PM »

Best protection for this version is setting java.exe to run 'Always Sandboxed' in the Defense+ Computer Security Policy.
Sandbox restriction level "Partially limited" restricts most of the things the exploit can do with this single exploit.

It is no longer able to get e.g. the process list running with this setting, but is still able to make e.g. a screenshot.
It can still download and upload files, where file uploads will end up in c:\vritualroot because of the sandbox virtualisation.
That won't cause much harm because they won't become active on next reboot.