Nytro

CVE-2013-1493 (jre17u15 - jre16u41) in Cool EK

That was fast (4 days after patch). After CVE-2013-0634 (Flash), it's now CVE-2013-1493 (last known vulnerability up to jre17u15 - jre16u41) that reaches Cool Exploit Kit (from Reveton distributor - btw this ransomware seems to be clothed again with what I called the Winter II design)

Credits first :

Will Metcalf from Emerging Threats for the "path" part of the landing.

Michael Shierl for confirming (and giving more clues) that it looks like CVE-2013-1493.

Chris Wakelin for additional tips

I will update here integration in other exploit kits

(would be surprising if it does not happen..and will modify title)

Cool EK :

jre17u15:

[Screenshot: CVE-2013-1493 successful path in Cool EK (jre17u15), 2013-03-08]

jre16u41:

[Screenshot: CVE-2013-1493 successful path in Cool EK (jre16u41), 2013-03-08]

GET http://retrempercircum[...].glamorizesports.com/world/bright_rural_mutter.html

200 OK (text/html)

GET http://retrempercircum[...].glamorizesports.com/world/rug-magistrate.jar

200 OK (application/java-archive) a3410c876ed4bb477c153b19eb396f42

GET http://retrempercircum[...].glamorizesports.com/world/improved_violently_section.swf

404 Not Found (text/html)

GET http://[...]/world/getnn.jpg

200 OK (application/x-msdownload) e343845066df8c271b5ac095f2d44183

Out of scope Reveton

Note : if you get infected with java 1.7u > 10 , don't try to say you were not warned !

[Screenshot: Security in jre17u>10. Want to get infected ? follow the bubble]

For java 1.6...things are different

[Screenshot: In jre16 (no comment)]

Files: a3410c876ed4bb477c153b19eb396f42

(nothing more for now)

Reading :

YAJ0: Yet Another Java Zero-Day - 2013-02-28 - Darien Kindlund and Yichong Lin - FireEye Blog

CVE-2013-1493 - Mitre

Latest Java Zero-Day Shares Connections with Bit9 Security Incident - 2013-03-01 - Symantec

Posted 21 hours ago by Kafeine

Source: Malware don't need Coffee: CVE-2013-1493 (jre17u15 - jre16u41) in Cool EK
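
An added detection sketch, not part of Kafeine's post or of any tool it names: it reads request/response pairs in the layout of the traffic listing above and flags a 200 response whose URL ends in an image extension while the declared MIME type is a Windows executable (the getnn.jpg pattern), noting whether a JAR was fetched earlier in the same capture. The sample lines and example.test hosts are constructed, and the function names and the application/x-dosexec MIME value are assumptions beyond the page.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the listing's layout; hosts and file names are placeholders.
SAMPLE = """\
GET http://ek.example.test/world/landing.html
200 OK (text/html)
GET http://ek.example.test/world/applet.jar
200 OK (application/java-archive)
GET http://ek.example.test/world/movie.swf
404 Not Found (text/html)
GET http://ek.example.test/world/pic.jpg
200 OK (application/x-msdownload)
GET http://cdn.example.test/img/logo.jpg
200 OK (image/jpeg)
"""

REQ = re.compile(r"^GET\s+(\S+)$")
RESP = re.compile(r"^(\d{3})\s.*?\(([^)\s]+)\)")   # status line, MIME type in parentheses
EXE_MIMES = {"application/x-msdownload", "application/x-dosexec"}  # second value is an assumption
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")

def parse(text):
    """Yield (url, status, mime) for each GET line followed by a response line."""
    url = None
    for line in map(str.strip, text.splitlines()):
        req, resp = REQ.match(line), RESP.match(line)
        if req:
            url = req.group(1)
        elif resp and url:
            yield url, int(resp.group(1)), resp.group(2).lower()
            url = None

def find_disguised_payloads(text):
    """Return 200 responses served from an image-looking URL with an executable MIME type."""
    jar_seen, hits = False, []
    for url, status, mime in parse(text):
        if status != 200:
            continue
        if mime == "application/java-archive":
            jar_seen = True
        if urlparse(url).path.lower().endswith(IMAGE_EXTS) and mime in EXE_MIMES:
            hits.append({"url": url, "mime": mime, "after_jar": jar_seen})
    return hits

if __name__ == "__main__":
    for hit in find_disguised_payloads(SAMPLE):
        print(hit)
```

The after_jar flag is only a triage hint: the extension/MIME mismatch is reported either way, and a server that lies about Content-Type will not be caught by this check alone.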
