Exploit Kits Now Updated With New Wares Before Patches Are Ready

The creators and maintainers of exploit kits often rely on public reports of new exploits and proof-of-concept exploit code in order to be able to add new exploits to their software. And in many cases, the exploits included in kits such as Black Hole and Eleonore and others will be for vulnerabilities that are older and have long since been patched. But, if recent events are any indication, that could be changing.


In mid-October, details of a new Java vulnerability emerged in various places, and descriptions of the flaw showed it to be a serious one that could lead to remote code execution. The CVE-2011-3544 vulnerability, though serious, was just one of many that had been found in various Java components in recent months, and there already were plenty of others in the exploit kits that were being used in attacks.

But within a few weeks of the details of the new Java bug becoming public, exploits for the flaw began showing up in some of the popular exploit kits, including Black Hole and Phoenix. Researchers say they began seeing new versions of the kits, which included the exploit for CVE-2011-3544, in the last few weeks, even before a patch was available. That’s a somewhat unusual occurrence in exploit-kit land.

“The Blackhole exploit kit presented above was modified to exploit clients that have Java installed, using the recently discovered CVE-2011-3544 vulnerability. This is the only vulnerability that is actually being exploited. A few days later, a new version of Phoenix exploit kit 3.0 was released, just a few weeks after the release of its predecessor, Phoenix 2.9,” Daniel Chechik of M86 Labs wrote in an analysis of the exploits.

“A few weeks ago Michael ‘mihi’ Schierl described a design error in Java. Basically this vulnerability is similar to other Java vulnerabilities where untrusted code is executed with elevated privileges. Rhino is a JavaScript engine that runs under the JVM and can interact with Java applets. An attacker can bypass the scripting engine protection by generating an error object, using a Rhino script, which runs with elevated privileges, and executing code that disables the Security Manager. Once the Security Manager is disabled, the attacker can execute code with full permissions.”

One of the reasons that the authors of the exploit kits may have been so quick to add the exploit for CVE-2011-3544 to their creations is that the vulnerability affects all of the platforms on which Java is supported, Chechik said in his analysis.

“The vulnerability is cross-platform and doesn’t require heap spray or buffer overflow techniques. That makes it very effective and therefore authors of exploit kits rushed to add it to their kits,” he wrote.
