
SANS ISC: Report of Java Object Serialization exploit in use in web drive-by attacks SANS ISC InfoSec Forums

Report of Java Object Serialization exploit in use in web drive-by attacks

We've had a report (thanks Tom!) of a Java applet exploiting CVE-2008-5353 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353) as part of a web drive-by attack. While a PoC for this has been around for a long time, this is the first time I've heard of it being used in the wild for a general attack. If anyone else has seen this, we'd be interested to hear about it.

The applet is already being detected by some A/V packages according to VirusTotal: https://www.virustotal.com/analisis/d4f5bcc9acecb2f53a78313fc073563de9fc4f7045dd8123a23a08f926a3974d-1262270360

As we get more details on what it does, we'll update this entry.

UPDATE: Minnie Mouse was kind enough to write and let us know that exploits for this vuln apparently are available and included in the LuckySploit, Liberty and Fragus kits. In at least one case the exploit was a recent addition.


Toby

I saw this Java exploit in the wild in an exploit kit a while back, I'm thinking it was about one month ago or so. Lots of unpatched Java around; Secunia OSI/PSI can help find it. Backrev to vuln version brings up popup box AFAIK (based on research by kuza55) but users will click on anything!
Anonymous
