/*

This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

rule CVE_2013_0422

{

meta:

description = "Java Applet JMX Remote Code Execution"

cve = "CVE-2013-0422"

ref = "http://pastebin.com/JVedyrCe"

author = "adnan.shukor@gmail.com"

date = "12-Jan-2013"

version = "1"

impact = 4

hide = false

strings:

$0422_1 = "com/sun/jmx/mbeanserver/JmxMBeanServer" fullword

$0422_2 = "com/sun/jmx/mbeanserver/JmxMBeanServerBuilder" fullword

$0422_3 = "com/sun/jmx/mbeanserver/MBeanInstantiator" fullword

$0422_4 = "findClass" fullword

$0422_5 = "publicLookup" fullword

$class = /sun\.org\.mozilla\.javascript\.internal\.(Context|GeneratedClassLoader)/ fullword

condition:

(all of ($0422_*)) or (all of them)

}