Search



SpiderLabs Services
Resources

Research Stats

Categories

Security Advisories

Trustwave Press Releases

Oracle Feed

19 April 2013

Java is So Confusing...

It's been a short while, but we find ourselves again with a Java vulnerability in our hands, this time via a PoC provided by IKVM.NET.

This particular vulnerability is somewhat different than most java vulnerabilities we run into, but feels like a natural progression from the last Java 0day we discussed in our blog (CVE-2013-1493).  Both these vulnerabilities allow direct memory manipulation, something which is quite uncommon in Java.
The vulnerability itself has to do with type confusion between an int and a double, causing 8 bytes to be copied instead of 4, thus overwriting a pointer and allowing us to reach otherwise inaccessible area in the memory.

Continue reading "Java is So Confusing..." »

Posted by on 19 April 2013 at 17:16 in Java, Oracle, Secure Web Gateway, Security Research | | Comments (0)

16 January 2013

Q&A w/ SpiderLabs Research: Java 0day CVE-2013-0422

Q: What’s going on? People are talking about some Java 0day which threatens the whole world… Bring me up to speed, now!

A: About a week ago, an independent researcher has reported a previously unknown (0day) Java vulnerability being used in order to infect innocent users with malware. When a 0day vulnerability is discovered it is usually reported to the affected vendor and that vendor will issue a patch that fixes the software bug, hence closing the security hole. However in this case the vulnerability was discovered by someone who chose not to do the responsible thing (reporting to the vendor), and instead took advantage of this finding for personal profit. A 0day vulnerability gives the attacker an imperative advantage over the victim for two main reasons:

  1. The victim has no prior knowledge of the risk.
  2. The victim has no effective means of protecting himself, since no patch is available.

In such cases being aware of the attack and its specifics is of highest importance, thus we have analyzed this vulnerability and posted our findings on the very same day it was discovered and verified out-of-box protections in Trustwave's Secure Web Gateway product.

Continue reading "Q&A w/ SpiderLabs Research: Java 0day CVE-2013-0422 " »

Posted by on 16 January 2013 at 13:29 in Java, Oracle, Zero-Day | | Comments (0)

10 January 2013

First Java 0day For The Year 2013

Today @Kafeine was the first to announce the new Java 0day. This 0day allows an attacker to execute malicious code on any desktop with Java 1.7 u10 (or prior) installed – which is the latest version from Oracle.

After some preliminary analysis it seems this 0day is using a similar tactic to CVE-2012-5088, which was patched by Oracle last October. On top of using java.lang.invoke.MethodHandle.InvokeWithArguments() from CVE-2012-5088, the attacker smartly takes advantage of MBeanInstantiator in order to get a reference to a restricted class from a trusted caller (MBeanInstantiator is trusted). This is accomplished via the findClass method, which in turn will call the inner loadClass method.

The “heart” of the exploit: Java 0day
We are glad to announce that all our customers using Trustwave's Secure Web Gateway are protected against this 0day attack. There’s no need for any additional updates to be applied. A good continuation of last year’s streak of 4 out of 4 Java 0days blocked out of the box.

We will continue monitoring this threat and provide protection to our customers.

Posted by on 10 January 2013 at 10:06 in Java, Oracle, Secure Web Gateway, Zero-Day | | Comments (1)

20 September 2012

Oracle DBMS_Scheduler Fun on Windows!

So, last time I showed how to get a Unix reverse shell up and running just by using Oracle PL/SQL commands making use of DBMS_Scheduler.  My next challenge was to try and get a similar method to work on a Windows host. In this case there were several challenges:

1)      There is no method that I know of to invoke a reverse shell using only Windows commands

2)      Windows ACLs and services are different than on Unix for Oracle XE

I started by taking the PL/SQL code that worked on the UNIX box as a basis for the Windows code. Given that I couldn’t use Windows commands to create a reverse shell, the easiest alternative option involved uploading software that could. In this case, the goal was to TFTP or FTP netcat to invoke a reverse shell  by using PL/SQL code.

Continue reading "Oracle DBMS_Scheduler Fun on Windows!" »

Posted by on 20 September 2012 at 10:54 in Oracle, Penetration Testing, Tools | | Comments (2)