Using Leftover JREs: A Proof of Concept Java Exploit
This article demonstrates a proof of concept Java exploit that relies on leftover JREs (older Java runtimes that remain installed after patching) on an otherwise up-to-date machine. It looks at how Java is patched and at the vulnerabilities that can arise when older versions are still present.
Background
When patching Java on MS Windows, the JRE (Java Runtime Environment) is updated in place to the latest version. The JDK (Java Development Kit), however, is updated by installing a new jdk<version> folder, and each such folder also contains its own JRE, so earlier JDK folders, with their older JREs, remain on disk.
Oracle allows the page embedding an applet to choose which installed version of Java runs it, which opens the door to potential security risks.
The Proof of Concept
The author proposes a proof of concept scenario:
- A user with an up-to-date Java install visits a web page carrying a ‘malicious’ applet
- ‘Bad’ things happen, showing that the user has been compromised
The author initially considered writing a minimal applet and using Metasploit to execute the actual attack. However, Metasploit payloads are not easily configurable to target older versions of Java.
Possible Solutions
The answer suggests a couple of approaches:
- Copying the preferred Metasploit (MSF) module under a different name and modifying the HTML embed code it generates so that it contains the java_version attribute.
- Creating a new configurable parameter in MSF to allow targeting specific Java versions.
Additionally, the use of an intercepting proxy such as MitMproxy is recommended. The proxy can automatically insert or replace the java_version attribute in the HTTP response generated by MSF, so that multiple modules can be tested with the same setup.
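From the defender's side, the two facts above (patched hosts keep older JREs inside jdk<version> folders, and a page can name the Java version its applet should run on) suggest two checks: an inventory of every runtime on a host that flags the ones older than the newest installed, and a content check that flags an applet embed whose java_version hint asks for one of those older runtimes. The Python below is an added example written for this article, not code from the question, the answer or any of the tools they mention. The inventory and HTML bodies are constructed sample data; the "1.7.0_45"-style version strings, and the idea that the hint may also appear as a `<param name="java_version">` rather than only as an attribute, are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

VersionTuple = Tuple[int, int, int, int]

# --- Constructed sample data -------------------------------------------------
# java.exe binaries found on one Windows host, mapped to the version each one
# reports (assumed to be the classic "java -version" form, e.g. "1.7.0_45").
# On a real host this would be gathered by walking the Java install root and
# invoking each binary; it is embedded here so the check runs offline.
# Note the nested jre\ folder inside every jdk<version> folder.
SAMPLE_INVENTORY: Dict[str, str] = {
    r"C:\Program Files\Java\jre7\bin\java.exe": "1.7.0_45",
    r"C:\Program Files\Java\jdk1.7.0_45\jre\bin\java.exe": "1.7.0_45",
    r"C:\Program Files\Java\jdk1.7.0_21\jre\bin\java.exe": "1.7.0_21",
    r"C:\Program Files\Java\jdk1.6.0_37\jre\bin\java.exe": "1.6.0_37",
}

# HTML bodies as a proxy or content filter might see them (constructed).
# Only the first one asks for a runtime older than the host's newest.
SAMPLE_PAGES: Dict[str, str] = {
    "pinned-old": '<applet code="App.class" java_version="1.6.0_37"></applet>',
    "pinned-current": '<applet code="App.class">'
                      '<param name="java_version" value="1.7.0_45"></applet>',
    "unpinned": '<applet code="App.class" width="1" height="1"></applet>',
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

# Either java_version="..." as an attribute, or <param name="java_version"
# value="..."> (the param form is an assumption; the article only says "attribute").
_HINT_RE = re.compile(
    r'java_version\s*=\s*["\']([^"\']+)["\']'
    r'|name\s*=\s*["\']java_version["\']\s+value\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def parse_java_version(text: str) -> VersionTuple:
    """Turn "1.7.0_45" into the comparable tuple (1, 7, 0, 45).

    The update number after the underscore is optional and defaults to 0, so
    "11.0.2" also parses. Anything else raises ValueError.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def newest_version(inventory: Dict[str, str]) -> VersionTuple:
    """The newest runtime present is treated as the host's patched baseline."""
    return max(parse_java_version(v) for v in inventory.values())


def find_leftover_runtimes(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, version) for every runtime older than the newest one found."""
    if not inventory:
        return []
    baseline = newest_version(inventory)
    return sorted(
        (path, version)
        for path, version in inventory.items()
        if parse_java_version(version) < baseline
    )


def requested_java_version(html: str) -> Optional[str]:
    """Extract the java_version hint from an applet embed, or None if absent."""
    m = _HINT_RE.search(html)
    if not m:
        return None
    return m.group(1) or m.group(2)


def requests_stale_runtime(html: str, inventory: Dict[str, str]) -> bool:
    """True when the page pins its applet to a runtime older than the newest installed."""
    hint = requested_java_version(html)
    if hint is None:
        return False
    return parse_java_version(hint) < newest_version(inventory)


if __name__ == "__main__":
    for path, version in find_leftover_runtimes(SAMPLE_INVENTORY):
        print(f"LEFTOVER {version:<10} {path}")
    for label, body in SAMPLE_PAGES.items():
        flag = "STALE-PIN" if requests_stale_runtime(body, SAMPLE_INVENTORY) else "ok"
        print(f"{flag:<10} {label}: java_version={requested_java_version(body)}")
```

Two design points: the baseline is simply the newest version found on the host rather than a hard-coded "current" release, so the inventory check stays correct as patches arrive; and a hint that cannot be parsed (for example a wildcard form) raises ValueError instead of being silently treated as safe, leaving it to the caller to decide whether an unreadable hint should be blocked.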
By exploring these options, users can gain a better understanding of the risks that leftover JREs pose and take appropriate steps, such as removing the older runtimes, to mitigate them.