module
Sun Java Web Start Double Quote Injection
Disclosed | Created |
---|---|
10/16/2012 | 05/30/2018 |
Description
This module exploits a flaw in the Web Start component of the Sun Java
Runtime Environment. Parameters initial-heap-size and max-heap-size in a JNLP
file can contain a double quote which is not properly sanitized when creating
the command line for javaw.exe. This allows the injection of the -XXaltjvm
option to load a jvm.dll from a remote UNC path into the java process. Thus
an attacker can execute arbitrary code in the context of a browser user.
This flaw was fixed in Oct. 2012 and affects JRE

In order for this module to work, it must be run as root on a server that
does not serve SMB (in most cases, this means non-Windows hosts). Additionally,
the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.
Alternatively, a UNC path containing a jvm.dll can be specified, bypassing
the Windows limitation for the Metasploit host.
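
A defensive check for the flaw described above, as an added example that is not part of the module or of the original page: it parses a JNLP file and reports any initial-heap-size or max-heap-size value that is not a plain size, which is where the unsanitized double quote has to appear. The size grammar (digits plus an optional k/m suffix), the name `audit_jnlp` and both sample documents are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: a legitimate heap size is digits with an optional k/m suffix.
HEAP_SIZE = re.compile(r"\d+[kKmM]?")
HEAP_ATTRS = ("initial-heap-size", "max-heap-size")

# Constructed sample documents (not taken from the page or the module).
BENIGN = """<jnlp spec="1.0+" codebase="http://example.invalid/app">
  <resources>
    <j2se version="1.6+" initial-heap-size="64m" max-heap-size="256m"/>
  </resources>
</jnlp>"""

# The single-quoted attribute carries a literal double quote followed by an
# extra token, the shape that breaks out of the quoted javaw.exe argument.
SUSPECT = """<jnlp spec="1.0+" codebase="http://example.invalid/app">
  <resources>
    <j2se version="1.6+" initial-heap-size='64m" -Dconstructed=1'
          max-heap-size="256m"/>
  </resources>
</jnlp>"""


def audit_jnlp(text):
    """Return (element, attribute, value) for every heap-size attribute
    whose value is not a plain size."""
    if "<!DOCTYPE" in text:
        # Refuse DTDs: the stdlib parser expands internal entities.
        raise ValueError("JNLP with a DOCTYPE is not accepted")
    findings = []
    for elem in ET.fromstring(text).iter():
        if elem.tag not in ("j2se", "java"):  # elements that carry JVM settings
            continue
        for attr in HEAP_ATTRS:
            value = elem.get(attr)
            if value is not None and not HEAP_SIZE.fullmatch(value):
                findings.append((elem.tag, attr, value))
    return findings


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, audit_jnlp(doc))
```

The same allow-list check can run in a web proxy or mail gateway on responses served as `application/x-java-jnlp-file`, so a finding is raised before the file reaches Web Start.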
Author
Rh0
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
```
msf > use exploit/windows/browser/java_ws_double_quote
msf /(e) > show actions
...actions...
msf /(e) > set ACTION < action-name >
msf /(e) > show options
...show and set options...
msf /(e) > run
```
