CVE-2013-2423
published 2013-04-17


CVSS 3.1 base score: 3.7 (low); priority P186 (low)
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Flags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-06-15
Exploited in the wild
EPSS: 85.33% (99.7th percentile)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.

Affected (3 ranges)

Vendor      Product        Version range   Fixed in
canonical   ubuntu_linux
opensuse    opensuse
oracle      jre

Detection & IOCs

Snort SIDs: 26569 through 26572, 26603 and 26668
  • The LightsOut exploit kit uses JavaScript IDS evasion by embedding digits within strings that must be removed to reveal the actual string (e.g., 'forName' encoded as '836f4974362o65679305r82637150N61617044a77736359m99323481e9388').
  • The CVE-2013-2423 exploit was distributed via malvertising through ad networks yieldmanager.net, smxchange.com, and glispa.com redirecting to FlimKit drop domains.
  • The dropper executable copies itself with a trailing space in the filename ('WbemMonitor .exe') under a 'Broker services' directory in AppData; this naming trick is an evasion technique and a useful detection signal.
  • The Styx exploit kit referenced CVE-2013-2423 internally as exploit number '12'; traffic analysis of Styx panels can use this numbering to identify the specific exploit being served.
  • The exploit does not bypass click-to-play in the basic Metasploit module variant; the user must accept the Java security warning for the malicious applet to execute.
  • A separate Metasploit module variant (rapid7/metasploit-framework) does bypass click-to-play via a specially crafted JNLP file, but this bypass applies mainly to IE via the Java Web Start ActiveX control.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      3.7     LOW        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd             v2.0      4.3     MEDIUM     AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck                 3.7     LOW
cisa                      3.7     LOW
vendor_ubuntu             10.0    CRITICAL
vendor_redhat             3.7     LOW