Java has become a difficult software to wrangle in the past 18 months due to the number of exploits released. Unfortunately, most enterprises have at least one critical application that relies on this technology. To limit its attack surface, I suggest using a whitelist approach. For the most compatibility in corporate environments, I’m using IE as the browser that has Java enabled and manage these settings in GPO. To make sure users do not have other browsers with Java enabled on the same system, we will disable it for both Google Chrome and Mozilla Firefox.

Currently, it does not appear to be a good way to whitelist “Java Web Start” applications. Due to this issue, my recommendation is to currently disable this feature at this time. You may need to create an exempt group if this is a required feature for certain individuals or group in your organizations.

Deployment Options

These settings will need to be applied every time Java or when your web browsers are updated at minimum. It’s best to have these settings applied via GPO or at every log in. The GPO.bat file can be replaced by adding the registry setting into a GPO preference.  The files can be found here.

Note: Even though these setting have been tested on both XP and Win7 please test them in your environment before deploying. All settings are based on 32-bit Java. If you are running the 64-bit version, these setting can easily be modified to meet that need.

GPO

To deploy these settings using GPO you will need to:

1. Add to the Trusted Sites
2. Implement the GPO section for each of the implementation sections below
3. Deploy the gpo.bat and disable_java_firefox.vbs, via GPO,  The gpo.bat only makes registry changes not directly manageable from GPO.
4. Disable Java in Chrome.

Windows Batch

If you are planning to use the batch only option they should be ran with Admin privileges.

1. Add to the Trusted Sites via GPO
2. Disable Java in Chrome
3. Copy the java.bat and disable_Java_firefox.vbs to a network share and make sure its ran with Admin privileges on all systems

Implementation

Adding Trusted Sites

To manage this setting via GPO

User Config > Admin Templates >Windows Components > Internet Explorer >Internet Control Panel >Security Page> Site to Zone Assignment list

To add a zone the Value name is the site you want to whitelist and the value is what zone you want to add it to. To add to trusted zone always set the value to 2.

*.wordpress.com 2

To add a specific site and not an entire domain

http://www.mywebsite.com 2

Disable Java in Firefox

The Disable_Java_firefox VB script by @integrisec modifies the pluginreg.dat file in the Mozilla profile directory and sets the Java plugin to disabled. I had to modify the version from his the website to better adjust the disable logic. This is called by my batch script and needs to be in the same directory as the batch file.

Disable Java in Chrome

The easiest way to disable Java in Google chrome is by changing the shortcut to chrome.exe –disable-java. Setup a batch file to copy a new one from a network share to the user’s desktop/start menu.

Via GPO

• You can change the shortcut using GPO
  
• You can fully manage Chrome from GPO if you import the template. This is cumbersome if you are only using this to manage Java, but it you are already managing it this way below are the settings.

Computer Config > Admin Templates > Classic Admin Template >Google > Google Chrome > Specify a list of disable plugins > Enable

• Add *Java*

Internet Explorer

We are going to lock-down all the ways Java can be called and make sure that it will use the IE trusted zone list. The post at greyhathacker.net does an awesome job breaking down many of the issues and prevention methods and several of the suggestions are implemented below.

Java Applet settings

Disable the Java applet from running in any zone except in Trusted Zone.

Via GPO

Admin Template > Windows Components > Internet Explorer > Internet Control Panel > Security Page

> Intranet Zone >

• Java Permissions-> Enable Plugin >Disable Java

>Internet Zone >

• Java Permissions-> Enable Plugin >Disable Java

>Trusted Zone

• Java Permissions-> Enable Plugin >Enable Java

>Restricted Zone

• Java Permissions-> Enable Plugin >Disable Java

Via Registry

For all zones the registry setting 1C00 DWORD value should be set to 0 except for the Trusted and Intranet zone which should be 0×00010000.

reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1″ /v 1c00 /t REG_DWORD /d 0×00 /f

reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2″ /v 1c00 /t REG_DWORD /d 0×00010000 /f

reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3″ /v 1c00 /t REG_DWORD /d 0×00 /f

reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4″ /v 1c00 /t REG_DWORD /d 0×00 /f

Disable scripting of Java applets in other zones

Via GPO

Admin Template > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone >

• Scripting for Java applets > Enable Plugin > Disable

> Intranet Zone >

• Scripting for Java applets > Enable Plugin > Disable

>Restricted Zone

• Scripting for Java applets > Enable Plugin > Disable

Via Registry

reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1″ /v 1402 /t REG_DWORD /d 0×03 /f

reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3″ /v 1402 /t REG_DWORD /d 0×03 /f

reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4″ /v 1402 /t REG_DWORD /d 0×03 /f

Java Object Tags

Java object tags are handled differently in IE. You will need to modify the ActiveX control to only allow trusted sites to call these objects.

Limit Java Objects tags

According to Microsoft, If you remove the ‘*’ then it will not load the object tags from the Internet zone and only the trusted zone and Intranet zone.

Registry Only

reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8AD9C840-044E-11D1-B3E9-00805F499D93}\iexplore\AllowedDomains” /f

reg delete “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8AD9C840-044E-11D1-B3E9-00805F499D93}\iexplore\AllowedDomains\*” /f

Prevent users from adding sites to the trusted Java plug-in list.

This prevents the Security Band from popping up when visiting non-trusted sites.

Registry Only

reg add “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND“ /v iexplore.exe /t REG_DWORD /d 0×00 /f

Do not allow users to add/remove sites from the Trusted sites

Via GPO

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer > Security Zones: Do not allow users to add/delete sites

Via Registry

Reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings” /v Security_options_edit /t REG_DWORD /d 0×01 /f

Break Functionality of Java Web Start

Java Web Start downloads a java file and executes java outside the browser. Currently I have not found a way to force this to use IE zones before it’s executed. Therefore we cannot limit its access so we must break this function.

Registry Only

reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\Command” /t REG_SZ /d “iexplore.exe” /f

reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JNLPFile” /t REG_BINARY /v EditFlags /d 00000000 /f

reg add “HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5852F5ED-8BF4-11D4-A245-0080C6F74284}” /v “Compatibility Flags” /t REG_DWORD /d 00000400 /f

reg add “HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5852F5ED-8BF4-11D4-A245-0080C6F74284}” /v “Compatibility Flags” /t REG_DWORD /d 00000400 /f

Disable Java Development Toolkit Active X control

Registry Only

Reg add “HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}” /t REG_DWORD /v “Compatibility Flags” /d 00000400 /f

Sites to test java settings.

Below is a list of sites to test the Java settings are working correctly. While most of these sites simply demonstrate specific ways to call java, sites have not been analyzed for malware and should be considered dangerous. Once configured none of them should be able to load Java in the browser unless it’s listed as a trusted site. Only visit them on a virtual machine and have it reverted back to previous settings once it’s tested.

https://eyeasme.com/Shayne/XHTML/appletObject.html

http://www.w3.org/2000/07/8378/object/java/clock

http://www.brainjar.com/java/parameters/demo.html

http://www.java.com/en/download/testjava.jsp

http://www.codebrain.com/java/navajo/index_embed.html

http://www.twainconnect.com/jnlp/Default.aspx

http://source.db4o.com/db4o/trunk/objectmanager-swing/webstart/sample.html

I wanted to be sure that I was using the best technique for preventing SQL injection. Originally I was planning to use a stored procedure and escape the input parameter, but I found out about prepared statements. It works by setting up the SQL statement and setting a place holder with a ‘?’ for input. What this does is tells MySQL to read this as data and prevents attackers from changing the query results.

'Select * from table where name is ?'

You can have your VB.net, PHP or other languages build the prepared statement for you, but I wanted to build the logic on the server side. This give the client access to execute the stores procedure and not allow direct permissions to the tables.

The basic syntax for a prepared statement is you prepare the statement with a name, give the SQL query to preform, execute the statement and then deallocate the statement.

prepare id from
 'select Id from table where name= ?' ;
 set @myname :='mycomputer';
 execute id @myname;
 DEALLOCATE PREPARE id;

The sql statement above does the following:

1. Sets the name of the statement to “id”
2. Sets the SQL statement and has a place holder for the name in the query
3. Sets the variable @myname to “mycomputer”
4. Executes the statement “id” using the variable @myname as the query value ‘?’
5. Removes the prepared statement

Using the information above. The statement that is run is

'select Id from table where name= mycomputer' ;

Now I want to take the prepared statement and make it a stored procedure.

 DROP PROCEDURE IF EXISTS `table`.`get_id`;
 DELIMITER $$
 CREATE PROCEDURE `IR`.`get_id`(IN input VARCHAR(20), OUT id VARCHAR(5))
 READS SQL DATA
 BEGIN
 SET @input=input;
 prepare id from
 'select Id from table where name= ?' ;
 execute id USING @input;
 DEALLOCATE PREPARE id;
 END$$

1. If the procedure already exists, delete it
2. Setup the delimiter for starting and stoping the procedure text
3. Creates the procedure name get_id in the table. It allows input of up to 20 characters and allows output to be up to 5 characters. By limiting the input and output, if injection is possible, it makes it more difficult.
4. Reads data tells MySQL you are only reading data and not updating information
5. Begin tells MySQL this is the start of the main procedure
6. Creates a variable input for data that is supplied to the stored procedure
7. The rest is the same as previously discussed

mysql>;;Grant execute on get_id to 'me'@'localhost'

To run the stored procedure from the MYSQL console, you do the following:

mysql>;;call get_id('mycomputer', @out);
+-------+
 | @out |
 +------+
 | 1    |
 +------+

Once you have the output you want from the procedure, you can now call it from any program you want. Some of the more common languages to call stored procedures are: PHP, ASP and VB.net

A new IE zero-day is out and is available from Metasploit.  I needed to find out if EMET would protect against this. My two platforms I tested on were Windows 7 (Full patched) and Windows XP SP3 (fresh install) with IE 7.  I tested EMET 3.0 and EMET 2.1 to make sure that both versions prevented the exploit.

The Metasploit exploit worked flawlessly on Windows 7. I then enabled EMET and added the IE executable to the protected programs.  With both versions of EMET  prevented the exploit. The odd thing is that EMET 3.0 is suppose to generate a pop-up and create an event log when it catches an exploit. It did not notify me during any of my tests. On Windows XP SP3 with IE 7, as expected, the exploit worked when EMET was not configured. Once setup to protect IE, the exploit failed to run.

While having individual users at home switch to another browser (e.g. Chrome) make sense, for large cooperate environments deploying EMET will give you a stop gap for many of the exploits that we see.

/Var/log/secure

When responding to an infected system, I noticed that in the /var/log/secure.log it included a couple of indicators of infection. The indicators below may help you detect infected users if you are using syslog for your OS X devices. Seeing a “/bin/sh” followed by the “suppressing keychain prompt” within a couple of minutes of each other that has been a solid indicator in the log. When looking through the systems, the suppressing keychain prompt did not show up in a years worth of logs until after it was infected.

Mar 31 14:17:32 K-MacBook-Pro com.apple.SecurityServer[24]: UID 501 authenticated as user k (UID 501) for right ‘system.privilege.admin’ Mar 31 14:17:32 K-MacBook-Pro com.apple.SecurityServer[24]: Succeeded authorizing right ‘system.privilege.admin’ by client ‘/private/tmp/Software Update’ for authorization created by ‘/private/tmp/Software Update’
Mar 31 14:17:32 K-MacBook-Pro com.apple.SecurityServer[24]: Succeeded authorizing right ‘system.privilege.admin’ by client ‘/usr/libexec/security_authtrampoline’ for authorization created by ‘/private/tmp/Software Update’
Mar 31 14:17:32 K-MacBook-Pro authexec[318]: executing /bin/sh
Mar 31 14:19:55 K-MacBook com.apple.SecurityServer[25]: suppressing keychain prompt for invalidly signed client /Applications/Safari.app(658)

Mac Times

I also collected file system MAC times on the infected machine.  You can see the malware being created .QUICKHEALXGEN.png and .QUICKHEALXGEN.xsl. Additionally you see chmod and mv accessed. This matches up with F-secure analysis.

2012 Mar 31 Sat 14:17:32
102 m.c. drwxr-xr-x 0  0  0  /Applications/Safari.app
374 m.c. drwxr-xr-x 0  0 0  /Applications/Safari.app/Contents
4643 m.c. -rw-rw-rw- 501 20  0 /Applications/Safari.app/Contents/Info.plist
20400 m.c. drwxr-xr-x 0 0   0  /Applications/Safari.app/Contents/Resources
403744 m… -rwxrwxrwx 501 0 0 /Applications/Safari.app/Contents/Resources/ .QUICKHEALXGEN.png
26168 m… -rwxrwxrwx 501 0 0 /Applications/Safari.app/Contents/Resources/.QUICKHEALXGEN.xsl
62656 .a.. -r-xr-xr-x 0 0 0 /bin/chmod
44848 .a.. -r-xr-xr-x 0 0   0  /bin/mv

Virus Total

Submitting the malware to virus total had poor results with only 8 out of 42 detecting it as of April 4th.

Cleaning Script

This script has several components: It checks for both types of infections discussed by F-Secure,  backups a copy of the two plist files and names them .infected, prompts user if they want to clean the infection and also prompts the user to disable java in Safari. While I have tested this script on the cleanup of the Safari Info.plist, I have not seen an infection of the environment.plist. The cleanup should work, but  please test it before you use it. I will not be held liable for any problems. 

I have built in a simple update function that will check for a new version using the -u switch at the command line. If a new outbreak happens, I’ll try and keep it updated. You can submit bug fixes to the blog or to the email address in the script.

To run the program, unzip the download below and double click on the flashback-detect.command file. It will prompt you for your password and check to see if your infected.  You can also run it from terminal using the flashback-detect.sh.

Get the script HERE.

I’m starting my prep for the two day practical. I’m building my VM’s (Fedora Core 12, Backtrack 4) to setup a lab. My goal is to go through the each learning objective, review some labs from 503 and 504 and finish up with reviewing some of the Hacker Challenge books.