Skip to content
cyberexploits
remotemacostext

Apple Mac OSX - Java applet Remote Deserialization Remote (PoC) (2)

Apple Mac OSX - Java applet Remote Deserialization Remote (PoC) (2)

Publié le 2009-05-20

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/osx/remote/8753.txt7eac4c3a
raw
Critical Mac OS X Java Vulnerabilities

Introduction



Five months ago, CVE-2008-5353 and other vulnerabilities were publicly

disclosed, and fixed by Sun.



CVE-2008-5353 allows malicious code to escape the Java sandbox and run

arbitrary commands with the permissions of the executing user. This may

result in untrusted Java applets executing arbitrary code  merely by

visiting a web page hosting the applet. The issue is trivially

exploitable.



Unfortunately, these vulnerabilities remain in Apple's shipping JVMs, as

well as Soylatte 1.0.3. As Soylatte does not provide browser plugins,

the impact of the vulnerability is reduced. The recent release of

OpenJDK6/Mac OS X is not affected by CVE-2008-5353.



Work-Arounds



    * Mac OS X users should disable Java applets in their browsers and

      disable 'Open "safe" files after downloading' in Safari.

    * Soylatte users running untrusted code should upgrade to an

      OpenJDK6-based release, where possible. No future releases of the

      JRL-based Soylatte branch are planned at this time. If this is an

      issue for you, please feel free to contact me.

    * No work-around is available for users otherwise running Java

      untrusted code.



Proof of Concept



Unfortunately, it seems that many Mac OS X security issues are ignored

if the severity of the issue is not adequately demonstrated. Due to the

fact that an exploit for this issue is available in the wild, and the

vulnerability has been public knowledge for six months, I have decided

to release a my own proof of concept to demonstrate the issue.



If you visit the following page, "/usr/bin/say" will be executed on your

system by a Java applet, with your current user permissions. This link

will execute code on your system with your current user permissions. The

proof of concept runs on fully-patched PowerPC and Intel Mac OS X

systems.



http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html



compiled/decompiled: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/8753.tgz (2009-javax.tgz)



# milw0rm.com [2009-05-20]

Voir sur GitHub