Added new "set security manager to null" heuristic to the MaliciousCodeScanner
This new heuristic looks for the following instruction sequence: `aconst_null` followed by `invokestatic java/lang/System.setSecurityManager`. This sequence sets the security manager to null, which is usually indicative of a malicious Java applet trying to escape the Java sandbox.
This commit is contained in:
		
							parent
							
								
									e88eff5e32
								
							
						
					
					
						commit
						c67fb67fb6
					
				
					 2 changed files with 40 additions and 5 deletions
				
			
		| 
						 | 
				
			
			@ -17,7 +17,7 @@ import java.awt.event.ActionEvent;
 | 
			
		|||
public class MaliciousCodeScannerOptions extends JFrame {
 | 
			
		||||
	public MaliciousCodeScannerOptions() {
 | 
			
		||||
		this.setIconImages(BytecodeViewer.iconList);
 | 
			
		||||
		setSize(new Dimension(250, 277));
 | 
			
		||||
		setSize(new Dimension(250, 300));
 | 
			
		||||
		setResizable(false);
 | 
			
		||||
		setTitle("Malicious Code Scanner Options");
 | 
			
		||||
		getContentPane().setLayout(null);
 | 
			
		||||
| 
						 | 
				
			
			@ -67,6 +67,12 @@ public class MaliciousCodeScannerOptions extends JFrame {
 | 
			
		|||
		chckbxLdcMatchesIp.setBounds(6, 189, 232, 23);
 | 
			
		||||
		getContentPane().add(chckbxLdcMatchesIp);
 | 
			
		||||
 | 
			
		||||
		final JCheckBox chckbxNullSecMan = new JCheckBox(
 | 
			
		||||
				"SecurityManager set to null");
 | 
			
		||||
		chckbxNullSecMan.setSelected(true);
 | 
			
		||||
		chckbxNullSecMan.setBounds(6, 215, 232, 23);
 | 
			
		||||
		getContentPane().add(chckbxNullSecMan);
 | 
			
		||||
 | 
			
		||||
		JButton btnNewButton = new JButton("Start Scanning");
 | 
			
		||||
		btnNewButton.addActionListener(new ActionListener() {
 | 
			
		||||
			public void actionPerformed(ActionEvent arg0) {
 | 
			
		||||
| 
						 | 
				
			
			@ -77,11 +83,11 @@ public class MaliciousCodeScannerOptions extends JFrame {
 | 
			
		|||
						chckbxLdcContainswww.isSelected(),
 | 
			
		||||
						chckbxLdcContainshttp.isSelected(),
 | 
			
		||||
						chckbxLdcContainshttps.isSelected(), chckbxLdcMatchesIp
 | 
			
		||||
								.isSelected()));
 | 
			
		||||
								.isSelected(), chckbxNullSecMan.isSelected()));
 | 
			
		||||
				dispose();
 | 
			
		||||
			}
 | 
			
		||||
		});
 | 
			
		||||
		btnNewButton.setBounds(6, 219, 232, 23);
 | 
			
		||||
		btnNewButton.setBounds(6, 245, 232, 23);
 | 
			
		||||
		getContentPane().add(btnNewButton);
 | 
			
		||||
		this.setLocationRelativeTo(null);
 | 
			
		||||
	}
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -2,10 +2,12 @@ package the.bytecode.club.bytecodeviewer.plugins;
 | 
			
		|||
 | 
			
		||||
import java.util.ArrayList;
 | 
			
		||||
 | 
			
		||||
import org.objectweb.asm.Opcodes;
 | 
			
		||||
import org.objectweb.asm.tree.AbstractInsnNode;
 | 
			
		||||
import org.objectweb.asm.tree.ClassNode;
 | 
			
		||||
import org.objectweb.asm.tree.FieldNode;
 | 
			
		||||
import org.objectweb.asm.tree.InsnList;
 | 
			
		||||
import org.objectweb.asm.tree.InsnNode;
 | 
			
		||||
import org.objectweb.asm.tree.LdcInsnNode;
 | 
			
		||||
import org.objectweb.asm.tree.MethodInsnNode;
 | 
			
		||||
import org.objectweb.asm.tree.MethodNode;
 | 
			
		||||
| 
						 | 
				
			
			@ -25,10 +27,11 @@ import the.bytecode.club.bytecodeviewer.api.PluginConsole;
 | 
			
		|||
 | 
			
		||||
public class MaliciousCodeScanner extends Plugin {
 | 
			
		||||
 | 
			
		||||
	public boolean ORE, ONE, ORU, OIO, LWW, LHT, LHS, LIP;
 | 
			
		||||
	public boolean ORE, ONE, ORU, OIO, LWW, LHT, LHS, LIP, NSM;
 | 
			
		||||
 | 
			
		||||
	public MaliciousCodeScanner(boolean reflect, boolean runtime, boolean net,
 | 
			
		||||
			boolean io, boolean www, boolean http, boolean https, boolean ip) {
 | 
			
		||||
			boolean io, boolean www, boolean http, boolean https, boolean ip,
 | 
			
		||||
			boolean nullSecMan) {
 | 
			
		||||
		ORE = reflect;
 | 
			
		||||
		ONE = net;
 | 
			
		||||
		ORU = runtime;
 | 
			
		||||
| 
						 | 
				
			
			@ -37,6 +40,7 @@ public class MaliciousCodeScanner extends Plugin {
 | 
			
		|||
		LHT = http;
 | 
			
		||||
		LHS = https;
 | 
			
		||||
		LIP = ip;
 | 
			
		||||
		NSM = nullSecMan;
 | 
			
		||||
	}
 | 
			
		||||
 | 
			
		||||
	@Override
 | 
			
		||||
| 
						 | 
				
			
			@ -77,6 +81,8 @@ public class MaliciousCodeScanner extends Plugin {
 | 
			
		|||
				}
 | 
			
		||||
			}
 | 
			
		||||
 | 
			
		||||
			boolean prevInsn_aconst_null = false;
 | 
			
		||||
 | 
			
		||||
			for (Object o : classNode.methods.toArray()) {
 | 
			
		||||
				MethodNode m = (MethodNode) o;
 | 
			
		||||
 | 
			
		||||
| 
						 | 
				
			
			@ -111,6 +117,29 @@ public class MaliciousCodeScanner extends Plugin {
 | 
			
		|||
							}
 | 
			
		||||
						}
 | 
			
		||||
					}
 | 
			
		||||
 | 
			
		||||
					// Check if the security manager is getting set to null
 | 
			
		||||
					if ((a instanceof InsnNode)
 | 
			
		||||
							&& (a.getOpcode() == Opcodes.ACONST_NULL)) {
 | 
			
		||||
						prevInsn_aconst_null = true;
 | 
			
		||||
					} else if ((a instanceof MethodInsnNode)
 | 
			
		||||
							&& (a.getOpcode() == Opcodes.INVOKESTATIC)) {
 | 
			
		||||
						final String owner = ((MethodInsnNode) a).owner;
 | 
			
		||||
						final String name = ((MethodInsnNode) a).name;
 | 
			
		||||
						if ((NSM && prevInsn_aconst_null
 | 
			
		||||
								&& owner.equals("java/lang/System") && name
 | 
			
		||||
									.equals("setSecurityManager"))) {
 | 
			
		||||
							sb.append("Found Security Manager set to null at method "
 | 
			
		||||
									+ classNode.name
 | 
			
		||||
									+ "."
 | 
			
		||||
									+ m.name
 | 
			
		||||
									+ "("
 | 
			
		||||
									+ m.desc + ")" + BytecodeViewer.nl);
 | 
			
		||||
							prevInsn_aconst_null = false;
 | 
			
		||||
						}
 | 
			
		||||
					} else {
 | 
			
		||||
						prevInsn_aconst_null = false;
 | 
			
		||||
					}
 | 
			
		||||
				}
 | 
			
		||||
			}
 | 
			
		||||
		}
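Review bot: The `aconst_null` flag is not cleared when an `invokestatic` other than `setSecurityManager` follows it, because the only reset in that branch (`prevInsn_aconst_null = false;`) sits inside the matching `if`; a sequence such as `aconst_null; invokestatic Foo.bar(Ljava/lang/Object;)…; invokestatic java/lang/System.setSecurityManager` is therefore reported although the argument actually passed is `bar`'s return value, not the literal null. Moving `prevInsn_aconst_null = false;` out of the inner `if` so that every INVOKESTATIC consumes the flag removes that false positive. In the other direction, the trailing `else` also resets the flag on ASM pseudo-instructions (LabelNode, LineNumberNode, FrameNode report opcode -1), so a label or line-number entry between the two real instructions hides the pattern; `} else if (a.getOpcode() != -1) { prevInsn_aconst_null = false; }` keeps the flag across them. It would also help to extend the comment above the check to `// Only a literal aconst_null immediately followed by the invokestatic is matched; a null reached via a local or field is not detected`, so users of the scanner know the heuristic's scope. The instruction loop and the enclosing method start outside this hunk.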
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||