Monitoring the Life of a Java Zero-Day Exploit with Tenable USM

by Randal T. Rioux
October 25, 2012

Not too long ago, CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU #636312) was issued for a flaw discovered in Oracle Java (JDK and JRE 7 U6 and before), as well as version 6 U34 and before.

This is a client-side vulnerability, which requires a user to initiate activity to be exploited. I will avoid dissecting the flaw in detail, as this information is widely available on the Web (a particularly good write-up is here).

Keep in mind that Java is platform independent, and so is this exploit. The example here uses Internet Explorer on Windows 7 (with Java SE 7u3). However, Linux and OS X users shouldn’t feel excluded on this one!

With Tenable's Unified Security Monitoring (USM) platform, comprised of SecurityCenter (SC), the Passive Vulnerability Scanner (PVS), and the Log Correlation Engine (LCE), we can track this exploit from start to finish.

The system design used here involves an attacker using Metasploit on Linux (augusta - 192.168.2.7), the client running Windows 7 (brunswick - 192.168.7.9), PVS monitoring both subnets with real-time syslog events enabled and sent to LCE, and SecurityCenter tying it all together for analysis.

First, let’s start Metasploit and prepare the exploit reverse TCP handler with payload:

Step1

Now, before we even start exploit activity, it is important to note that PVS has already detected through passive analysis that the Windows 7 workstation is using a vulnerable version of Java. Here we see the output in SC showing what was sniffed on the wire:

Pvs-sw-detection

The next step is to go to our Windows 7 workstation and launch a Web browser. Here we will point the URL to the exploit server we just started in Metasploit (http://192.168.2.7:8080):

Step2

The user only sees a blank page, but something far more interesting is going on in the background. This is what the attacker sees:

Step3

The session has been completed, and now we can take over the system using Meterpreter. Let’s start the shell and poke around. Since this exploit is now successfully launched, we can even download files from the victim:

Step4

None of this is going unseen, however. A quick view of the LCE traffic gathered for the Windows 7 workstation in SecurityCenter shows a suspicious spike for many different event types during this process:

Lce_norm_events

Drilling down further, we can take advantage of Tenable USM’s ability to see all.

Since we have PVS sending real-time data to LCE, we are immediately notified of exactly what the victim did to get into this situation; specifically, the “PVS-Web_Request” normalized event. Here is a snippet of the raw log data on this particular session:

Lce-web-access-raw

As you can see, the URI request for “/Exploit.jar” is something to cause alarm. If we switch over to the ‘Vulnerabilities’ tab in SecurityCenter, we can also see that PVS plugin #7 for “Internal encrypted sessions” shows some very helpful information:

Pvs-7

Setting up alerts and dashboards that keep us aware of any activity like this can help immediately discover that something bad has happened. There are many more ways our software can aid with the discovery and analysis of security events and vulnerabilities. Hopefully, this example gives you a better idea of just what you can do with Tenable products to keep your organization safe and aware.