Exploit:Java/CVE-2008-5353.SV

Exploit:Java/CVE-2008-5353.SV is a detection for an exploit that is based on a vulnerability which affects Java Virtual Machine (JVM) version 5 up to and including update 22, as well as version 6 up to and including update 10. The vulnerability allows an unsigned Java applet to gain elevated privileges and potentially have unrestricted access to a host system, outside its "sand box" environment.

 

The vulnerability exploits a relationship between serializable objects, the programming entities which can be persisted beyond the lifespan of a parent process, and a non-serializable super class constructor method defined in the derived class.

 

The vulnerability has been exploited by malware to gain access to a user's computer to download and install malicious programs. The malware installation may occur when a malicious Java applet is executed by a vulnerable JVM. This scenario can occur when a user visits a malicious webpage that hosts such an applet.

Exploit:Java/CVE-2008-5353.SV is 532 bytes "evilPolicy.class" file which is a part of 8429 bytes Java JAR package. The package also exports a java applet "SiteError.class". The applet instantiates the Managed Bean Server which is implemented in "CustomClass.class", "CustomClassLoaderRepository.class" and "CustomMBeanServer.class". "CustomClass" exploits the CVE-2008-5353 vulnerability, and runs "mosdef.class" and "evilPolicy.class". "mosdef.class" file is also found inside the JAR package. The "SiteError.class" applet reads the parameter "url" from the referencing HTML file, and uses this data to construct a URL for downloading a file for execution.

When the Java component "mosdef.class" runs, it may execute malicious programs from a specified website with elevated privileges. 

A number of legitimate websites could be compromised or unwillingly host a malicious applet through advertising frames which could redirect to or host a malicious Java applet. It is not uncommon for antivirus software to detect malicious Java applets in a web browser's cache. It doesn’t necessarily mean that the system is compromised. Most of the time it reflects the fact that, at some stage, a webpage with a malicious applet had been visited and cached internally. To thwart such a notification it is often enough to purge the cache using a web browser's configurable security options.