Mac OS X - Java applet Remote Deserialization Remote PoC updated
2009-05-20T00:00:00
ID: EDB-ID:8753
Type: exploitdb
Reporter: Landon Fuller
Modified: 2009-05-20T00:00:00
Description
Mac OS X Java applet Remote Deserialization Remote PoC (updated). Remote exploit for osx platform
Critical Mac OS X Java Vulnerabilities

Introduction

Five months ago, CVE-2008-5353 and other vulnerabilities were publicly
disclosed, and fixed by Sun.

CVE-2008-5353 allows malicious code to escape the Java sandbox and run
arbitrary commands with the permissions of the executing user. This may
result in untrusted Java applets executing arbitrary code merely by
visiting a web page hosting the applet. The issue is trivially
exploitable.

Unfortunately, these vulnerabilities remain in Apple's shipping JVMs, as
well as Soylatte 1.0.3. As Soylatte does not provide browser plugins,
the impact of the vulnerability is reduced. The recent release of
OpenJDK6/Mac OS X is not affected by CVE-2008-5353.

Work-Arounds

 * Mac OS X users should disable Java applets in their browsers and
   disable 'Open "safe" files after downloading' in Safari.
 * Soylatte users running untrusted code should upgrade to an
   OpenJDK6-based release, where possible. No future releases of the
   JRL-based Soylatte branch are planned at this time. If this is an
   issue for you, please feel free to contact me.
 * No work-around is available for users otherwise running
   untrusted Java code.
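
An added example, not part of the original advisory: a shell check that reports whether the two Safari work-arounds above are applied. It assumes Safari of this era keeps both settings in the com.apple.Safari preference domain under the keys WebKitJavaEnabled and AutoOpenSafeDownloads; PREF_READER is a hypothetical hook for exercising the logic without macOS.

```shell
#!/bin/sh
# Added example: audit the two Safari work-arounds named in the advisory.
# Assumption: both settings live in the com.apple.Safari preference domain
# under the keys WebKitJavaEnabled and AutoOpenSafeDownloads.
# PREF_READER is a hypothetical override hook; by default it is the real
# macOS `defaults read` command.
PREF_READER=${PREF_READER:-defaults read}

# pref_state DOMAIN KEY -> prints "disabled", "enabled" or "unset"
pref_state() {
    value=$($PREF_READER "$1" "$2" 2>/dev/null) || { echo unset; return 0; }
    case "$value" in
        0|false|NO|no) echo disabled ;;
        *)             echo enabled ;;
    esac
}

# check_workaround LABEL DOMAIN KEY -> returns 0 only if explicitly disabled.
# An unset key counts as a failure: both features are on by default.
check_workaround() {
    state=$(pref_state "$2" "$3")
    if [ "$state" = disabled ]; then
        echo "OK    $1 ($3=$state)"
        return 0
    fi
    echo "RISK  $1 ($3=$state)"
    return 1
}

# audit_safari -> returns 0 only when both work-arounds are in place
audit_safari() {
    rc=0
    check_workaround "Java applets" com.apple.Safari WebKitJavaEnabled || rc=1
    check_workaround "Open safe files after downloading" \
        com.apple.Safari AutoOpenSafeDownloads || rc=1
    return $rc
}

# Run the audit only where the macOS defaults tool is present.
if command -v defaults >/dev/null 2>&1; then
    audit_safari || echo "At least one work-around is not applied."
fi
```

The check covers Safari only; other browsers keep their Java plugin setting elsewhere and need to be checked separately.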

Proof of Concept

Unfortunately, it seems that many Mac OS X security issues are ignored
if the severity of the issue is not adequately demonstrated. Due to the
fact that an exploit for this issue is available in the wild, and the
vulnerability has been public knowledge for six months, I have decided
to release my own proof of concept to demonstrate the issue.

If you visit the following page, "/usr/bin/say" will be executed on your
system by a Java applet, with your current user permissions. This link
will execute code on your system with your current user permissions. The
proof of concept runs on fully-patched PowerPC and Intel Mac OS X
systems.

http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html

compiled/decompiled: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/8753.tgz (2009-javax.tgz)

# milw0rm.com [2009-05-20]