Exploit:Java/CVE-2011-3544.E

Exploit:Java/CVE-2011-3544.E is a detection for a malicious Java applet stored within a Java Archive (.JAR) that attempts to exploit a vulnerability in a Java Runtime Environment (JRE) component in Oracle, JAVA SE JDK and JRE 7, 6 update 27 and earlier. The vulnerability, discussed in CVE-2011-3544, allows an unsigned Java applet to gain elevated privileges and potentially have unrestricted access to run arbitrary Java code outside of the "sandbox" environment.

Installation

Exploit:Java/CVE-2011-3544.E is distributed in a Java Archive (JAR) file format. The JAR file contains classes necessary to execute the exploit code implemented as a Java applet. The exploit takes advantage of the way Java handles Rhino JavaScript errors. Using the "toString()" method, a remote attacker may craft an error object in JavaScript which can call 'protected mode', enabling the malicious payload to run in a privileged context.

The JAR package may consist of the following class files:

• Final.class - malicious class detected as Exploit:Java/CVE-2011-3544.E
• q.class - a legitimate class from Allatori, a Java obfuscator

Payload

Downloads arbitrary files

Exploit:Java/CVE-2011-3544.E is used in drive-by download attacks. Any web browsers with vulnerable Java versions may be exposed to malicious code purposely designed to download and install arbitrary files, often malware.

Additional information

Exploit:Java/CVE-2011-3544.E has been observed being served through the Blackhole kit servers, an exploit that is currently prevalent in the wild.

Analysis by Methusela Cebrian Ferrer