Monitoring the Life of a Java Zero-Day Exploit with Tenable USM

Not too long ago, CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU #636312) was issued for a flaw discovered in Oracle Java, affecting JDK and JRE 7 Update 6 and earlier, as well as 6 Update 34 and earlier.

This is a client-side vulnerability: it requires the user to initiate some activity (such as visiting a malicious page) before it can be exploited. I will avoid dissecting the flaw in detail, as this information is widely available on the Web (a particularly good write-up is here).

Keep in mind that Java is platform independent, and so is this exploit. The example here uses Internet Explorer on Windows 7 (with Java SE 7u3). However, Linux and OS X users shouldn’t feel excluded on this one!

With Tenable's Unified Security Monitoring (USM) platform, comprised of SecurityCenter (SC), the Passive Vulnerability Scanner (PVS), and the Log Correlation Engine (LCE), we can track this exploit from start to finish.

The system design used here involves an attacker using Metasploit on Linux (augusta - 192.168.2.7), the client running Windows 7 (brunswick - 192.168.7.9), PVS monitoring both subnets with real-time syslog events enabled and sent to LCE, and SecurityCenter tying it all together for analysis.

First, let’s start Metasploit and prepare the exploit reverse TCP handler with payload:

[Screenshot: Step1]

Now, before we even start any exploit activity, it is important to note that PVS has already detected through passive analysis that the Windows 7 workstation is running a vulnerable version of Java. Here we see the output in SC showing what was sniffed on the wire:

[Screenshot: Pvs-sw-detection]

The next step is to go to our Windows 7 workstation and launch a Web browser. Here we will point the URL to the exploit server we just started in Metasploit (http://192.168.2.7:8080):

[Screenshot: Step2]

The user only sees a blank page, but something far more interesting is going on in the background. This is what the attacker sees:

[Screenshot: Step3]

A Meterpreter session has been established, and we can now take over the system. Let’s start a shell and poke around. Since the exploit has succeeded, we can even download files from the victim:

[Screenshot: Step4]

None of this goes unseen, however. A quick view in SecurityCenter of the LCE events gathered for the Windows 7 workstation shows a suspicious spike across many different event types during this process:

[Screenshot: Lce_norm_events]

Drilling down further, we can take advantage of Tenable USM’s ability to see all.

Since PVS is sending real-time data to LCE, we are immediately notified of exactly what the victim did to get into this situation; specifically, the “PVS-Web_Request” normalized event. Here is a snippet of the raw log data for this particular session:

[Screenshot: Lce-web-access-raw]

As you can see, the URI request for “/Exploit.jar” is cause for alarm. If we switch over to the ‘Vulnerabilities’ tab in SecurityCenter, we can also see that PVS plugin #7, “Internal encrypted sessions”, shows some very helpful information:

[Screenshot: Pvs-7]
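The two signals above (a .jar fetch by a host passively identified as running vulnerable Java, followed shortly by an encrypted session back to the same server) are what an analyst would want correlated automatically. The script below is an added example, not Tenable code: the log layout, the "PVS-Encrypted_Session" event name, the inventory format and the sample hosts/ports are all constructed for illustration, and the version check encodes the affected ranges named at the top of this post.

```python
import re
from datetime import datetime

# Constructed inventory of passively observed Java versions (format assumed, not PVS's own).
# 192.168.7.9 matches the workstation in this post (7u3); 1.7.0_07 is outside the affected range.
JAVA_INVENTORY = {"192.168.7.9": "1.7.0_03", "192.168.7.20": "1.7.0_07"}

# Constructed syslog lines in an assumed key=value layout; not real PVS/LCE output.
SAMPLE_LOG = """\
2012-08-30T14:02:11 pvs PVS-Web_Request src=192.168.7.9 dst=192.168.2.7 dport=8080 uri=/
2012-08-30T14:02:12 pvs PVS-Web_Request src=192.168.7.9 dst=192.168.2.7 dport=8080 uri=/Exploit.jar
2012-08-30T14:02:14 pvs PVS-Encrypted_Session src=192.168.7.9 dst=192.168.2.7 dport=4444
2012-08-30T14:05:00 pvs PVS-Web_Request src=192.168.7.20 dst=10.0.0.5 dport=80 uri=/app/lib/ui.jar
2012-08-30T15:30:00 pvs PVS-Encrypted_Session src=192.168.7.20 dst=10.0.0.5 dport=443""".splitlines()

EVENT = re.compile(r"^(?P<ts>\S+) \S+ (?P<event>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
                   r" dport=(?P<dport>\d+)(?: uri=(?P<uri>\S+))?$")


def java_is_vulnerable(version):
    """CVE-2012-4681 affects JRE/JDK 7 through Update 6 and 6 through Update 34."""
    m = re.fullmatch(r"1\.([67])\.0_(\d+)", version)
    if not m:
        return False
    family, update = int(m.group(1)), int(m.group(2))
    return (family == 7 and update <= 6) or (family == 6 and update <= 34)


def correlate(lines, window_seconds=120):
    """Alert on .jar fetches by vulnerable-Java hosts and on a .jar fetch followed,
    within the window, by an encrypted session from the same client to the same server."""
    alerts = []
    last_jar = {}  # (src, dst) -> timestamp of the most recent .jar request
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], m["dst"])
        if m["event"] == "PVS-Web_Request" and m["uri"] and m["uri"].lower().endswith(".jar"):
            last_jar[key] = ts
            if java_is_vulnerable(JAVA_INVENTORY.get(m["src"], "")):
                alerts.append(("vulnerable-java-jar-download", m["src"], m["dst"], m["uri"]))
        elif m["event"] == "PVS-Encrypted_Session" and key in last_jar:
            if (ts - last_jar[key]).total_seconds() <= window_seconds:
                alerts.append(("jar-then-encrypted-session", m["src"], m["dst"], m["dport"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the second host's routine .jar fetch from an internal server produces no alert, while the workstation running 7u3 trips both rules.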

Setting up alerts and dashboards that keep us aware of activity like this can help us discover immediately that something bad has happened. There are many more ways our software can aid in the discovery and analysis of security events and vulnerabilities. Hopefully, this example gives you a better idea of what you can do with Tenable products to keep your organization safe and aware.
