
Commit c67fb67

Added new "set security manager to null" heuristic to the MaliciousCodeScanner
This new heuristic looks for the following instruction sequence: `aconst_null` followed by `invokestatic java/lang/System.setSecurityManager`. This sequence sets the security manager to null, which is usually indicative of a malicious Java applet trying to escape the Java sandbox.
1 parent e88eff5 commit c67fb67


2 files changed

+40
-5
lines changed


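--- a/src/the/bytecode/club/bytecodeviewer/gui/MaliciousCodeScannerOptions.java
+++ b/src/the/bytecode/club/bytecodeviewer/gui/MaliciousCodeScannerOptions.java
@@ -17,7 +17,7 @@
 public class MaliciousCodeScannerOptions extends JFrame {
 public MaliciousCodeScannerOptions() {
 this.setIconImages(BytecodeViewer.iconList);
-setSize(new Dimension(250, 277));
+setSize(new Dimension(250, 300));
 setResizable(false);
 setTitle("Malicious Code Scanner Options");
 getContentPane().setLayout(null);
@@ -67,6 +67,12 @@ public MaliciousCodeScannerOptions() {
 chckbxLdcMatchesIp.setBounds(6, 189, 232, 23);
 getContentPane().add(chckbxLdcMatchesIp);
 
+final JCheckBox chckbxNullSecMan = new JCheckBox(
+"SecurityManager set to null");
+chckbxNullSecMan.setSelected(true);
+chckbxNullSecMan.setBounds(6, 215, 232, 23);
+getContentPane().add(chckbxNullSecMan);
+
 JButton btnNewButton = new JButton("Start Scanning");
 btnNewButton.addActionListener(new ActionListener() {
 public void actionPerformed(ActionEvent arg0) {
@@ -77,11 +83,11 @@ public void actionPerformed(ActionEvent arg0) {
 chckbxLdcContainswww.isSelected(),
 chckbxLdcContainshttp.isSelected(),
 chckbxLdcContainshttps.isSelected(), chckbxLdcMatchesIp
-.isSelected()));
+.isSelected(), chckbxNullSecMan.isSelected()));
 dispose();
 }
 });
-btnNewButton.setBounds(6, 219, 232, 23);
+btnNewButton.setBounds(6, 245, 232, 23);
 getContentPane().add(btnNewButton);
 this.setLocationRelativeTo(null);
 }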
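Review bot: The new `chckbxNullSecMan.isSelected()` argument at new line 86 is the ninth consecutive positional boolean handed to the `MaliciousCodeScanner` constructor, and nothing at the call site ties it to the `nullSecMan` parameter except its position, so a future reordering on either side silently swaps which heuristic a checkbox enables. The start of that constructor call lies above the hunk, and the `actionPerformed` body it sits in begins outside the hunk too. A short comment at the call, `// argument order must match MaliciousCodeScanner(reflect, runtime, net, io, www, http, https, ip, nullSecMan)`, would at least make the coupling visible; a builder or an options object would remove it.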

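--- a/src/the/bytecode/club/bytecodeviewer/plugins/MaliciousCodeScanner.java
+++ b/src/the/bytecode/club/bytecodeviewer/plugins/MaliciousCodeScanner.java
@@ -2,10 +2,12 @@
 
 import java.util.ArrayList;
 
+import org.objectweb.asm.Opcodes;
 import org.objectweb.asm.tree.AbstractInsnNode;
 import org.objectweb.asm.tree.ClassNode;
 import org.objectweb.asm.tree.FieldNode;
 import org.objectweb.asm.tree.InsnList;
+import org.objectweb.asm.tree.InsnNode;
 import org.objectweb.asm.tree.LdcInsnNode;
 import org.objectweb.asm.tree.MethodInsnNode;
 import org.objectweb.asm.tree.MethodNode;
@@ -25,10 +27,11 @@
 
 public class MaliciousCodeScanner extends Plugin {
 
-public boolean ORE, ONE, ORU, OIO, LWW, LHT, LHS, LIP;
+public boolean ORE, ONE, ORU, OIO, LWW, LHT, LHS, LIP, NSM;
 
 public MaliciousCodeScanner(boolean reflect, boolean runtime, boolean net,
-boolean io, boolean www, boolean http, boolean https, boolean ip) {
+boolean io, boolean www, boolean http, boolean https, boolean ip,
+boolean nullSecMan) {
 ORE = reflect;
 ONE = net;
 ORU = runtime;
@@ -37,6 +40,7 @@ public MaliciousCodeScanner(boolean reflect, boolean runtime, boolean net,
 LHT = http;
 LHS = https;
 LIP = ip;
+NSM = nullSecMan;
 }
 
 @Override
@@ -77,6 +81,8 @@ public void execute(ArrayList<ClassNode> classNodeList) {
 }
 }
 
+boolean prevInsn_aconst_null = false;
+
 for (Object o : classNode.methods.toArray()) {
 MethodNode m = (MethodNode) o;
 
@@ -111,6 +117,29 @@ public void execute(ArrayList<ClassNode> classNodeList) {
 }
 }
 }
+
+// Check if the security manager is getting set to null
+if ((a instanceof InsnNode)
+&& (a.getOpcode() == Opcodes.ACONST_NULL)) {
+prevInsn_aconst_null = true;
+} else if ((a instanceof MethodInsnNode)
+&& (a.getOpcode() == Opcodes.INVOKESTATIC)) {
+final String owner = ((MethodInsnNode) a).owner;
+final String name = ((MethodInsnNode) a).name;
+if ((NSM && prevInsn_aconst_null
+&& owner.equals("java/lang/System") && name
+.equals("setSecurityManager"))) {
+sb.append("Found Security Manager set to null at method "
++ classNode.name
++ "."
++ m.name
++ "("
++ m.desc + ")" + BytecodeViewer.nl);
+prevInsn_aconst_null = false;
+}
+} else {
+prevInsn_aconst_null = false;
+}
 }
 }
 }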
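Review bot: The final `else` branch at new line 140 clears `prevInsn_aconst_null` for every node that is neither an `InsnNode` nor a `MethodInsnNode`, which includes ASM's pseudo-instructions (LabelNode, LineNumberNode, FrameNode, opcode -1), so an `aconst_null` and the `invokestatic System.setSecurityManager` separated only by a label, line-number or frame node is not reported — a false negative for exactly the code this heuristic exists to flag. Changing that branch to `} else if (a.getOpcode() != -1) { // pseudo-instructions carry no opcode; keep the aconst_null state` keeps the tracking intact across them. The flag is also declared at new line 84, before the loop over `classNode.methods`, so it is never reset at method boundaries; moving `boolean prevInsn_aconst_null = false;` inside that loop, next to `MethodNode m = (MethodNode) o;`, scopes it per method. A related but smaller issue: an unrelated `invokestatic` between the two instructions leaves the flag set because only the matching branch clears it, which can yield a false positive when that call happens to produce the argument actually passed to `setSecurityManager`. The `execute` method and the instruction loop that defines `a` start outside the hunk.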
