cbcvebase.
CVE-2013-1488
published 2013-03-08

CVE-2013-1488: The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to execute arbitrary code…

Priority: P2 (76, critical)
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: known
EPSS: 86.96% (99.7th percentile)
The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to execute arbitrary code via unspecified vectors involving reflection, Libraries, "improper toString calls," and the JDBC driver manager, as demonstrated by James Forshaw during a Pwn2Own competition at CanSecWest 2013.

Affected (4 ranges)

Vendor   Product   Version range   Fixed in
oracle   jdk       <= 1.7.0
oracle   jdk
oracle   jre       <= 1.7.0
oracle   jre

Detection & IOCs (extracted from sources)

path: data/exploits/cve-2013-1488/Exploit.class
path: data/exploits/cve-2013-1488/FakeDriver.class
path: data/exploits/cve-2013-1488/FakeDriver2.class
path: META-INF/services/java.sql.Driver
filename: *.jnlp
  • Detect delivery of a malicious JNLP file served with Content-Type 'application/x-java-jnlp-file' from a web server, particularly when followed by a JAR download — indicative of the CVE-2013-1488 exploit chain.
  • Detect use of the Internet Explorer ActiveX control to silently launch a JNLP file (Java Web Start), which is the click-to-play bypass mechanism used by this exploit.
  • Detect JAR files served with Content-Type 'application/octet-stream' that contain a 'META-INF/services/java.lang.Object' entry — an anomalous ServiceLoader abuse pattern used by this exploit.
  • The exploit randomizes class names and JAR entry names at runtime (e.g., the 'Exploit' class name and the 'metasploit'/'Payload' strings are replaced with random alpha strings), so static string-based signatures on those names will be evaded.
  • The JNLP filename is randomized per session, so URL-path signatures based on a fixed JNLP filename will not reliably detect this exploit.
  • The click-to-play bypass via ActiveX/JNLP applies primarily to Internet Explorer; on other browsers the applet loads normally without the bypass, so detection logic may need to differ by browser context.

CVSS provenance

nvd: v2.0 10.0 CRITICAL AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat: 10.0 CRITICAL
vendor_ubuntu: 10.0 CRITICAL