CVE-2013-1488
Published 2013-03-08
Priority P2 (76) · CVSS 2.0 base score 10.0 (critical)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (Metasploit module; see the Exploit-DB entry below)
EPSS: 86.96% (99.7th percentile)
The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to execute arbitrary code via unspecified vectors involving reflection, Libraries, "improper toString calls," and the JDBC driver manager, as demonstrated by James Forshaw during a Pwn2Own competition at CanSecWest 2013.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | jdk | <= 1.7.0 | — |
| oracle | jdk | — | — |
| oracle | jre | <= 1.7.0 | — |
| oracle | jre | — | — |
Detection & IOCs (extracted from sources)
- Detect delivery of a malicious JNLP file served with Content-Type 'application/x-java-jnlp-file' from a web server, particularly when followed by a JAR download; this sequence is indicative of the CVE-2013-1488 exploit chain.
- Detect use of the Internet Explorer ActiveX control to silently launch a JNLP file (Java Web Start), which is the click-to-play bypass mechanism used by this exploit.
- Detect JAR files served with Content-Type 'application/octet-stream' that contain a 'META-INF/services/java.lang.Object' entry, an anomalous ServiceLoader abuse pattern used by this exploit.
- Caveat: the exploit randomizes class names and JAR entry names at runtime (the 'Exploit' class name and the 'metasploit'/'Payload' strings are replaced with random alpha strings), so static string-based signatures on those names will be evaded.
- Caveat: the JNLP filename is randomized per session, so URL-path signatures based on a fixed JNLP filename will not reliably detect this exploit.
- Caveat: the click-to-play bypass via ActiveX/JNLP applies primarily to Internet Explorer; on other browsers the applet loads normally without the bypass, so detection logic may need to differ by browser context.
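As an added example (not part of the original page, nor of any advisory or module quoted on it), the two network-side indicators above can be turned into a small detector that honours the caveats: nothing keys on the JNLP file name or on class names, only on content types, request sequencing and the archive's entry list. The proxy-log layout (timestamp, client, method, URL, status, Content-Type) is an assumption made for the example, the log lines are constructed, and the in-memory JAR fixture carries a placeholder class and no exploit code.

```python
"""Detector for the CVE-2013-1488 delivery-chain indicators listed above.

Check 1: a response with Content-Type application/x-java-jnlp-file followed,
         from the same client within a short window, by a JAR download.
Check 2: a JAR body served as application/octet-stream whose entry list
         contains META-INF/services/java.lang.Object (ServiceLoader abuse).
Nothing here keys on the JNLP file name or on class names, which the exploit
randomizes per session.
"""
import io
import re
import zipfile
from datetime import datetime, timedelta

JNLP_MIME = "application/x-java-jnlp-file"
OCTET_MIME = "application/octet-stream"
JAR_MIMES = (OCTET_MIME, "application/java-archive", "application/x-java-archive")
SERVICE_ENTRY = "META-INF/services/java.lang.Object"
WINDOW = timedelta(seconds=30)

# Assumed log layout: "<ISO-8601 ts> <client> <method> <url> <status> <content-type>".
# These lines are constructed for the example, not captured traffic.
SAMPLE_LOG = """\
2013-04-01T10:00:01Z 10.0.0.5 GET http://198.51.100.7/index.html 200 text/html
2013-04-01T10:00:02Z 10.0.0.5 GET http://198.51.100.7/aB3kqZ.jnlp 200 application/x-java-jnlp-file
2013-04-01T10:00:03Z 10.0.0.5 GET http://198.51.100.7/Q9xLmT.jar 200 application/octet-stream
2013-04-01T10:00:04Z 10.0.0.9 GET http://203.0.113.4/webstart.jnlp 200 application/x-java-jnlp-file
2013-04-01T10:05:00Z 10.0.0.9 GET http://203.0.113.4/banner.png 200 image/png
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status, ctype = m.groups()
        yield {
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client,
            "url": url,
            "ctype": ctype.lower(),
        }


def jnlp_then_jar(records, window=WINDOW):
    """Check 1: (client, jnlp_url, jar_url) for each JNLP response followed by a JAR."""
    hits = []
    pending = {}  # client -> (timestamp of the JNLP response, JNLP url)
    for r in records:
        if r["ctype"] == JNLP_MIME:
            pending[r["client"]] = (r["ts"], r["url"])
            continue
        prev = pending.get(r["client"])
        if prev is None:
            continue
        looks_like_jar = r["url"].lower().endswith(".jar") or r["ctype"] in JAR_MIMES
        if looks_like_jar and r["ts"] - prev[0] <= window:
            hits.append((r["client"], prev[1], r["url"]))
            del pending[r["client"]]
    return hits


def is_suspicious_jar(body, content_type):
    """Check 2: a ZIP/JAR served as octet-stream that registers a java.lang.Object service."""
    if content_type.lower() != OCTET_MIME or not body.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            return SERVICE_ENTRY in zf.namelist()
    except zipfile.BadZipFile:
        return False


def build_jar(with_service_entry):
    """Constructed fixture: a minimal JAR with a randomly named placeholder class and,
    optionally, the ServiceLoader entry. It contains no exploit code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("hK2pQz.class", b"\xca\xfe\xba\xbe")  # class-file magic only
        if with_service_entry:
            zf.writestr(SERVICE_ENTRY, "hK2pQz\n")
    return buf.getvalue()


if __name__ == "__main__":
    for client, jnlp, jar in jnlp_then_jar(parse_log(SAMPLE_LOG)):
        print(f"[check 1] {client}: JNLP {jnlp} followed by JAR {jar}")
    for flagged in (True, False):
        print(f"[check 2] service entry present={flagged}:",
              is_suspicious_jar(build_jar(flagged), OCTET_MIME))
```

Check 2 needs the response body, captured by the proxy or a sandbox, since the entry list cannot be recovered from the log line alone. The IE ActiveX launch indicator is host-side (the browser process starting Java Web Start) and is not something a proxy log can show, which is why it is left out here.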
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | n/a | 10.0 | CRITICAL | n/a |
| vendor_ubuntu | n/a | 10.0 | CRITICAL | n/a |
Ubuntu · OpenJDK 6 vulnerabilities
vendor_ubuntu · 2013-05-07 · CVSS 10.0 · indexed under CVE-2013-0401 [CRITICAL]
Summary: Several security issues were fixed in OpenJDK 6.
Ben Murphy discovered a vulnerability in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit this
to execute arbitrary code. (CVE-2013-0401)
James Forshaw discovered a vulnerability in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit this to execute arbitrary code. (CVE-2013-1488)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2013-1518, CVE-2013-1537, CVE-2013-1557, CVE-2013-1558,
CVE-2013-1569, CVE-2013-23
Ubuntu · OpenJDK 7 vulnerabilities
vendor_ubuntu · 2013-04-23 · CVSS 10.0 · indexed under CVE-2013-0401 [CRITICAL]
Summary: Several security issues were fixed in OpenJDK 7.
Ben Murphy discovered a vulnerability in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit this
to execute arbitrary code. (CVE-2013-0401)
James Forshaw discovered a vulnerability in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit this to execute arbitrary code. (CVE-2013-1488)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2013-1518, CVE-2013-1537, CVE-2013-1557, CVE-2013-1569,
CVE-2013-2383, CVE-2013-23
Red Hat · OpenJDK: JDBC driver manager improper toString calls (CanSecWest 2013, Libraries, 8009814)
vendor_redhat · 2013-04-16 · CVSS 10.0 · CVE-2013-1488 [CRITICAL]
Package: java-1.6.0-sun (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.6.0-sun (Red Hat Enterprise Linux 6) - Not affected
Red Hat · OpenJDK: Wrapper.convert insufficient type checks (Libraries, 8009049)
vendor_redhat · 2013-04-16 · CVSS 10.0 · CVE-2013-2436 [CRITICAL]
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-1488 and CVE-2013-2426. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect "type checks" and "method handle binding" involving Wrapper.convert.
Package: java-1.6.0-openjdk (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.6.0-sun (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.6.0-openjdk (Red Hat Enterpri
GHSA · GHSA-6hc9-6xww-76p2 (CVE-2013-2436 [CRITICAL])
ghsa_unreviewed · 2022-05-17 · CVSS 10.0
GHSA · GHSA-f2f6-qfp8-5hcm (CVE-2013-1488 [HIGH], CWE-94)
ghsa_unreviewed · 2022-05-17
No detection rules found.
Exploit-DB · Java Applet - Driver Manager Privileged 'toString()' Remote Code Execution (Metasploit)
exploitdb · 2013-06-11 · CVE-2013-1488
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  # (mixin includes and autopwn_info block lost in extraction; only "false })" survived)

  def initialize( info = {} )
    super( update_info( info,
      'Name'        => 'Java Applet Driver Manager Privileged toString() Remote Code Execution',
      'Description' => %q{
          This module abuses the java.sql.DriverManager class where the toString() method
        is called over user supplied classes, from a doPrivileged block. The vulnerability
        affects Java version 7u17 and earlier. This exploit bypasses click-to-play on IE
        thr
```
Metasploit · Java Applet Driver Manager Privileged toString() Remote Code Execution
This module abuses the java.sql.DriverManager class where the toString() method is called over user supplied classes from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java Web Start can be launched automatically through the ActiveX control. Otherwise, the applet is launched without click-to-play bypass.
References
- http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/
- http://blog.fuseyism.com/index.php/2013/04/25/security-icedtea-1-11-11-1-12-5-for-openjdk-6-released/
- http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157
- http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/a19614a3dabb
- http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00007.html
- http://lists.opensuse.org/opensuse-updates/2013-05/msg00017.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022796.html
- http://rhn.redhat.com/errata/RHSA-2013-0752.html
- http://rhn.redhat.com/errata/RHSA-2013-0757.html
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:145
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:161
- http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
- http://www.ubuntu.com/usn/USN-1806-1
- http://www.us-cert.gov/ncas/alerts/TA13-107A
- http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/
- https://bugzilla.redhat.com/show_bug.cgi?id=920247
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16511
- https://twitter.com/thezdi/status/309425888188043264
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0124
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130