Monitoring the Life of a Java Zero-Day Exploit with Tenable USM
Not too long ago, CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU #636312) was issued for a flaw discovered in Oracle Java (JDK and JRE 7 U6 and before), as well as version 6 U34 and before.
This is a client-side vulnerability, which requires a user to initiate activity to be exploited. I will avoid dissecting the flaw in detail, as this information is widely available on the Web (a particularly good write-up is here).
Keep in mind that Java is platform independent, and so is this exploit. The example here uses Internet Explorer on Windows 7 (with Java SE 7u3). However, Linux and OS X users shouldn’t feel excluded on this one!
With Tenable's Unified Security Monitoring (USM) platform, comprised of SecurityCenter (SC), the Passive Vulnerability Scanner (PVS), and the Log Correlation Engine (LCE), we can track this exploit from start to finish.
The system design used here involves an attacker using Metasploit on Linux (augusta - 192.168.2.7), the client running Windows 7 (brunswick - 192.168.7.9), PVS monitoring both subnets with real-time syslog events enabled and sent to LCE, and SecurityCenter tying it all together for analysis.
First, let’s start Metasploit and prepare the exploit reverse TCP handler with payload:
Now, before we even start exploit activity, it is important to note that PVS has already detected through passive analysis that the Windows 7 workstation is using a vulnerable version of Java. Here we see the output in SC showing what was sniffed on the wire:
The next step is to go to our Windows 7 workstation and launch a Web browser. Here we will point the URL to the exploit server we just started in Metasploit (http://192.168.2.7:8080):
The user only sees a blank page, but something far more interesting is going on in the background. This is what the attacker sees:
The session has been completed, and now we can take over the system using Meterpreter. Let’s start the shell and poke around. Since this exploit is now successfully launched, we can even download files from the victim:
None of this is going unseen, however. A quick view of the LCE traffic gathered for the Windows 7 workstation in SecurityCenter shows a suspicious spike for many different event types during this process:
Drilling down further, we can take advantage of Tenable USM’s ability to see all.
Since we have PVS sending real-time data to LCE, we are immediately notified of exactly what the victim did to get into this situation; specifically, the “PVS-Web_Request” normalized event. Here is a snippet of the raw log data on this particular session:
As you can see, the URI request for “/Exploit.jar” is something to cause alarm. If we switch over to the ‘Vulnerabilities’ tab in SecurityCenter, we can also see that PVS plugin #7 for “Internal encrypted sessions” shows some very helpful information:
Setting up alerts and dashboards that keep us aware of any activity like this can help immediately discover that something bad has happened. There are many more ways our software can aid with the discovery and analysis of security events and vulnerabilities. Hopefully, this example gives you a better idea of just what you can do with Tenable products to keep your organization safe and aware.
Related Articles
How A CNAPP Can Take You From Cloud Security Novice To Native In 10 Steps
May 23, 2024Context is critical in cloud security. In a recent RSA presentation, Tenable's Shai Morag offered ten tips for end-to-end cloud infrastructure security.
Logs of Our Fathers
September 22, 2009<p>At USENIX in Anaheim, back in 2005, George Dyson treated us to a fantastic keynote speech about the early history of computing. You can catch a videotaped reprise of it <a href="http://www.ted.com/talks/lang/eng/george_dyson_at_the_birth_of_the_computer.html" target="_blank">here, on the TED site</a>. I highly recommend it - there's lots of interesting and quirky stuff. I managed to talk him into giving me a copy of his powerpoint file, and subsequently tracked him down and am re-posting this material with his permission.</p> <h3>November, 1951 </h3> <p style="TEXT-ALIGN: center"><a href="http://www.ranum.com/security/computer_security/papers/ur-syslogs/first_syslog.jpg" target="_blank"><img border="0" height="375" src="http://www.ranum.com/security/computer_security/papers/ur-syslogs/t/first_syslog.jpg" width="500" /></a> <br /><strong>Machine Log #1</strong></p>
ShmooCon 2009 - Playing Poker for Charity
February 12, 2009Tenable sponsored a booth at this year's ShmooCon and ran a Texas Hold'em table to help raise money for the Hackers for Charity organization. We raised close to $400 from conference attendees ...
Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off
October 4, 2024Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!
How to Unlock Advanced IoT Visibility for Cyber-Physical Systems
October 1, 2024As the number of IoT devices deployed globally continues to rise, cyber-physical systems and business operations are exposed to greater risk. Improving asset visibility, monitoring and risk management are critical steps to preventing breaches.
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!
- Conferences
- Event Monitoring
- Events
- Passive Network Monitoring
- SecurityCenter