Tag Archives: CVE-2012-4681

(Mis)Adventures in Java “Privilege Escalation”

If you are pretty familiar with Java development, this post will seem silly to you.  But I’m not.  Many times, you can learn a lot from failures as well, so this one I’d like to document.

Basically, I had gotten a command prompt as a lower privileged user on a machine.  I was looking to get administrator access somehow, and I noticed that Java 7 Update 4 was running, which is vulnerable to CVE-2012-4681.  You always hear of this one as a “privilege escalation” exploit, so I thought by popping out of the Java sandbox, you’d also pop out as an administrative user.

News flash.  It doesn’t work that way.  The exploit works, but you pop out of the sandbox as the same user as you ran the command.

I’m going to explain how to do it anyway.  Those Java developers can stop here, but the rest of us might still learn something.

What do I start out with?

Most exploits are captured via twitter, or some sort of pastebin website.  Usually with twitter linking to a pastebin, which is the case here.  The source code was tweeted by @jduck1337 pointing to pastie.org/4594319.  Grab the source code from there because that’s what we’re going to start out with.

Also, don’t forget to install a vulnerable version of Java.  Any Java 7 version at revision 7 or below should work.

I have my code, now what do I do with it?

You can see the class is called Gondvv.  So you’ll need to save that file as Gondvv.java.  Then erase that first line that says: package cve2012xxxx;  This will be a standalone file, not a package.

You’ll notice a bunch of jibberish, but near the end of the file you’ll see the purpose is simply to open calc.exe.  So no worries – the code as it stands is not actually malicious.

Finally, compile your code.  Go to the command prompt, browse to where your Gondvv.java file is, and type the following:

javac Gondvv.java

That was easy.  This should have created a Gondvv.class file.  Now since this was originally meant to run as a Java applet, you’ll need to create an HTML file with the following source:

<applet align=”center” code=”Gondvv.class” width=”800″ height=”500″></applet>

That alone will do it.  Run your HTML file, and your calculator will pop up.  Congrats, you successfully exploited the vulnerability!

java exploited

How about privilege escalation?

The next step was to make this a command line prompt.  Remember, I had command line as a lower privileged user already.  I was hoping to run commands inside this program to be higher privileged. So the next step was to strip away all the Java applet stuff.

So strip away the java.applet.Applet and java.awt.Graphics import lines.  Also make it so the public class Gondvv doesn’t extend Applet.  Then all the classes need to get the “static” keyword added to them.  Remove the very last paint class.  Finally, the public void init() class needs to be renamed to public static void main(String[] args).  The end result looks like the following:

(looked terrible here. Pasted it on pastebin)

Then compile it the same as before, and run it with:

java Gondvv

Calculator should pop up!  Not so exciting, but you can see it is working.  In order to see who is actually running it, you can just have it run “whoami.exe” or something along those lines.  Had it actually worked, I would have made it run a netcat listener or a meterpreter payload or something.

What if I just want a .jar file?

Don’t want to use the java keyword before running your file?  Make a .jar file.  You’ll first need to create a manifest.txt file.  The contents should be as follows:

Main-Class: Gondvv

Then at the command line, simply type the following to create your .jar file:

jar cvfm javahack.jar manifest.txt *.class

Bingo, now you can just run the jar file.  Enough Java for one day.

Java Exploits

New Java Exploits are raining!  I’m going to use this post to collect some data on them.

CVE-2013-1493 (Java 7 Update 15, Java 6 Update 41)
Date: February 2013
Pastebin:
Metasploit module:
Interesting blog posting:
http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html
http://krebsonsecurity.com/2013/03/new-java-0-day-attack-echoes-bit9-breach/

CVE-2013-0431 (Java 7 Update 11)
Date: February 2013
Pastebin: http://pastebin.com/QWU1rqjf
Metasploit module: exploit/multi/browser/java_jre17_jmxbean_2
Interesting blog postings:
http://security-obscurity.blogspot.it/2013/02/deobfuscating-java-7u11-exploit-from.html

CVE-2013-0422 (Java 1.7 Update 10)
Date: January 2013
Pastebin: http://pastebin.com/cUG2ayjh
Metasploit module: exploit/multi/browser/java_jre17_jmxbean
Interesting blog postings:
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
https://community.rapid7.com/community/metasploit/blog/2013/01/11/omg-java-everybody-panic
http://www.reddit.com/r/netsec/comments/16b4n1/0day_exploit_fo_java_17u10_spotted_in_the_wild/
http://www.reddit.com/r/netsec/comments/ywbhq/new_java_0day_exploited_in_the_wild/
http://www.reddit.com/r/netsec/comments/16buer/source_code_for_the_java_7_0day/

CVE-2012-4681 (Java 7 Update 6)
Date: August 2012
Pastebin: http://pastie.org/4594319
Metasploit Module: exploit/multi/browser/java_jre17_exec
Interesting blog postings:
http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html 
https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day

http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/

CVE-2012-0507 (Java 7 Update 2, Java 6 Update 30)
Date: March 2012
Pastebin: http://pastebin.com/TtZSt4u4 and http://pastebin.com/ms5Sk009
Metasploit Module: exploit/multi/browser/java_atomicreferencearray
Interesting blog postings:
https://community.rapid7.com/community/metasploit/blog/2012/03/29/cve-2012-0507–java-strikes-again