This module abuses the insecure invoke() method of the ProviderSkeleton class that allows to call arbitrary static methods with user supplied arguments. The vulnerability affects Java version 7u21 and earlier.

Module Name

exploit/multi/browser/java_jre17_provider_skeleton

Authors

• Adam Gowdiak
• Matthias Kaiser

References

• CVE-2013-2460
• OSVDB-94346
• URL: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
• URL: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/160cde99bb1a
• URL: http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf
• URL: http://www.security-explorations.com/materials/se-2012-01-61.zip

Targets

• Generic (Java Payload)
• Windows x86 (Native Payload)
• Mac OS X x86 (Native Payload)
• Linux x86 (Native Payload)

Platforms

• java
• linux
• osx
• windows

Architectures

• java
• x86

Reliability

• Great

Development

• Source Code
• History

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

Related Vulnerabilities

• ELSA-2013-0957 Critical: Oracle Linux java-1.7.0-openjdk security update
• RHSA-2013:0957: java-1.7.0-openjdk security update
• Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 6
• RHSA-2013:0963: java-1.7.0-oracle security update
• DSA-2722-1 openjdk-7 -- several vulnerabilities
• SUSE Linux Security Vulnerability: CVE-2013-2460
• Java CPU June 2013 Java Runtime Environment Serviceability vulnerability (CVE-2013-2460)
• Amazon Linux AMI: Security patch for java-1.7.0-openjdk (ALAS-2013-204) (multiple CVEs)
• Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 5
• USN-1907-1: OpenJDK 7 vulnerabilities
• ELSA-2013-0958 Important: Oracle Linux java-1.7.0-openjdk security update
• RHSA-2013:1060: java-1.7.0-ibm security update
• RHSA-2013:0958: java-1.7.0-openjdk security update