Reloading Java Exploits: Long Live Old JRE! presented at HackInTheBox 2014

by Donato Ferrante and Luigi Auriemma

Summary: With the new releases of the Java Runtime, Oracle is trying to raise the level of security of its product by fixing as many vulnerabilities as possible and by forbidding users from running untrusted Applets on their systems. The problem is that, according to recent surveys conducted by major security firms, the number of users with an old release of the Java Runtime installed on their systems is still very high (~70%), and if we look only at enterprise environments this percentage is even higher.
Using an old release of the Java Runtime means that a system is vulnerable to all of the security issues affecting the installed version. From this scenario we can see that one of the ways, if not the only one, for users to be protected against Java threats is to have some sort of defensive solution such as an Antivirus or an IPS. But this is not enough.
This talk aims to show how it is possible to harden old Java exploits in order to bypass all kinds of security protections, including products such as Antivirus and IPS/IDS. We will detail how Java Applets can cooperate to exploit vulnerabilities by interacting with other Applets residing on the same domain or even on different domains, bypassing the same-origin policy that is supposed to be enforced by the JVM. In addition, we will demonstrate how Java, JavaScript and HTML5 features can interact with each other to harden exploitation. We will also see how an attacker can abuse the Java exception handling and memory management subsystems to defeat Java emulators.