Accuvant Labs has published details concerning a Java vulnerability exploited during the Pwn2Own contest earlier this year. The flaw was patched in April by Oracle, but for the curious, the security firm is providing additional details, including the exact code used by Joshua J. Drake.
In March, Accuvant Labs’ Joshua Drake did what he does best, and exploited memory corruption vulnerabilities within the Java platform. According to the company, Drake spends a good deal of time working on these types of flaws, so it was no surprise that he singled one out during the Pwn2Own contest. The attack used was an untrusted Java Applet delivered to an instance of the IE10 Web browser.
“Thankfully, Oracle took steps to reduce the attack surface of JRE 7 in Update 11. In this release they implemented a ‘click-to-play’ style dialog box preventing untrusted Applets from running without user interaction,” a report on the exploit mentions, taking note of Oracle’s fix for the issue.
“This brings the level of interaction required for untrusted Applets in line with those for self-signed or CA signed Applets. Since user interaction is now required, users have the chance to avoid executing potentially malicious Applets. Further, receiving an unexpected dialog box requesting a Java applet should raise suspicions since very few legitimate sites use Java.”
The noteworthy feat, however, was that Drake used his freshly created exploit to compromise the vulnerable system, bypassing both ASLR and DEP protections, within 15 seconds.
“Profit-motivated criminals continue to increase their usage of web browser exploitation and vulnerable plug-in technology to steal important enterprise-level data and cause damage in various ways. Joshua’s Java exploit exemplifies the type of information security research our dedicated team of experts conducts on a daily basis,” said Jon Miller, vice president of research and development for Accuvant.
For cracking Windows 8 by exploiting Java on Internet Explorer 10, Drake walked away with $100,000 per Pwn2Own rules. The full details, contained in a report on the vulnerability and the subsequent exploit, can be found here. Further, a copy of the exploit used during Pwn2Own is also available.