Sun Java JRE Multiple Vulnerabilities (244986 et al) - Nessus

High   Plugin ID: 35030

---

This page contains detailed information about the Sun Java JRE Multiple Vulnerabilities (244986 et al) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Plugin Overview

---

ID: 35030
Name: Sun Java JRE Multiple Vulnerabilities (244986 et al)
Filename: sun_java_jre_244986.nasl
Vulnerability Published: N/A
This Plugin Published: 2008-12-04
Last Modification Time: 2022-04-11
Plugin Version: 1.34
Plugin Type: local
Plugin Family: Windows
Dependencies: sun_java_jre_installed.nasl
Required KB Items [?]: SMB/Java/JRE/Installed

Vulnerability Information

---

Severity: High
Vulnerability Published: N/A
Patch Published: 2008-12-03
CVE [?]: CVE-2008-2086, CVE-2008-5339, CVE-2008-5340, CVE-2008-5341, CVE-2008-5342, CVE-2008-5343, CVE-2008-5344, CVE-2008-5345, CVE-2008-5346, CVE-2008-5347, CVE-2008-5348, CVE-2008-5349, CVE-2008-5350, CVE-2008-5351, CVE-2008-5352, CVE-2008-5353, CVE-2008-5354, CVE-2008-5355, CVE-2008-5356, CVE-2008-5357, CVE-2008-5358, CVE-2008-5359, CVE-2008-5360
CPE [?]: cpe:/a:oracle:jre
Exploited by Malware: True

Synopsis

The remote Windows host contains a runtime environment that is affected by multiple vulnerabilities.

Description

The version of Sun Java Runtime Environment (JRE) installed on the remote host is earlier than 6 Update 11 / 5.0 Update 17 / 1.4.2_19 / 1.3.1_24. Such versions are potentially affected by the following security issues :

- The JRE creates temporary files with insufficiently random names. (244986)

- There are multiple buffer overflow vulnerabilities involving the JRE's image processing code, its handling of GIF images, and its font processing. (244987)

- It may be possible for an attacker to bypass security checks due to the manner in which it handles the 'non-shortest form' of UTF-8 byte sequences.

- There are multiple security vulnerabilities in Java Web Start and Java Plug-in that may allow for privilege escalation. (244988)

- The JRE Java Update mechanism does not check the digital signature of the JRE that it downloads. (244989)

- A buffer overflow may allow an untrusted Java application that is launched through the commandline to escalate its privileges. (244990)

- A vulnerability related to deserializing calendar objects may allow an untrusted applet or application to escalate its privileges. (244991)

- A buffer overflow affects the 'unpack200' JAR unpacking utility and may allow an untrusted applet or application to escalate its privileges with unpacking applets and Java Web Start applications. (244992)

- The UTF-8 decoder accepts encodings longer than the 'shortest' form. Although not a vulnerability per se, it may be leveraged to exploit software that relies on the JRE UTF-8 decoder to reject the 'non-shortest form' sequence. (245246)

- An untrusted applet or application may be able to list the contents of the home directory of the user running the applet or application. (246266)

- A denial of service vulnerability may be triggered when the JRE handles certain RSA public keys. (246286)

- A vulnerability may be triggered while authenticating users through Kerberos and lead to a system-wide denial of service due to excessive consumption of operating system resources. (246346)

- Security vulnerabilities in the JAX-WS and JAXB packages where internal classes can be accessed may allow an untrusted applet or application to escalate privileges. (246366)

- An untrusted applet or application when parsing zip files may be able to read arbitrary memory locations in the process that the applet or application is running. (246386)

- The JRE allows code loaded from the local filesystem to access localhost. (246387)

Solution

Update to Sun Java JDK / JRE 6 Update 11, JDK / JRE 5.0 Update 17, SDK / JRE 1.4.2_19, or SDK / JRE 1.3.1_24 or later and remove if necessary any affected versions.

Public Exploits

---

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Immunity Canvas, Core Impact, D2 Elliot)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Sun Java JRE Multiple Vulnerabilities (244986 et al) vulnerability:

1. Metasploit: exploit/multi/browser/java_calendar_deserialize
   [Sun Java Calendar Deserialization Privilege Escalation]
2. Exploit-DB: exploits/osx/remote/8753.txt
   [EDB-8753: Apple Mac OSX - Java applet Remote Deserialization Remote (2)]
3. Exploit-DB: exploits/multiple/remote/9948.rb
   [EDB-9948: Sun Java Runtime and Development Kit 6 Update 10 - Calendar Deserialization (Metasploit)]
4. Exploit-DB: exploits/multiple/remote/16293.rb
   [EDB-16293: Sun Java - Calendar Deserialization (Metasploit)]
5. Exploit-DB: exploits/multiple/remote/16302.rb
   [EDB-16302: Signed Applet Social Engineering - Code Execution (Metasploit)]
6. GitHub: https://github.com/LAIR-RCC/InfSecurityRussianNLP
   [CVE-2008-5353]
7. GitHub: https://github.com/svartkanin/source_code_analyzer
   [CVE-2008-5353]
8. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/8753.tgz
   [EDB-8753]
9. D2 Elliot: apache_tomcat_file_disclosure.html
   [Apache Tomcat File Disclosure]
10. Immunity Canvas: CANVAS

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

---

CVSS V2 Vector [?]: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C

CVSS Base Score:	9.3 (High)
Impact Subscore:	10.0
Exploitability Subscore:	8.6
CVSS Temporal Score:	8.1 (High)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	8.1 (High)

CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

CVSS Base Score:	8.8 (High)
Impact Subscore:	5.9
Exploitability Subscore:	2.8
CVSS Temporal Score:	8.4 (High)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	8.4 (High)

Go back to menu.

Plugin Source

---

This is the sun_java_jre_244986.nasl nessus plugin source code. This script is Copyright (C) 2008-2022 Tenable Network Security, Inc.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

if (NASL_LEVEL < 3000) exit(0);

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(35030);
  script_version("1.34");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id(
    "CVE-2008-2086",
    "CVE-2008-5339",
    "CVE-2008-5340",
    "CVE-2008-5341",
    "CVE-2008-5342",
    "CVE-2008-5343",
    "CVE-2008-5344",
    "CVE-2008-5345",
    "CVE-2008-5346",
    "CVE-2008-5347",
    "CVE-2008-5348",
    "CVE-2008-5349",
    "CVE-2008-5350",
    "CVE-2008-5351",
    "CVE-2008-5352",
    "CVE-2008-5353",
    "CVE-2008-5354",
    "CVE-2008-5355",
    "CVE-2008-5356",
    "CVE-2008-5357",
    "CVE-2008-5358",
    "CVE-2008-5359",
    "CVE-2008-5360"
  );
  script_bugtraq_id(
    30633,
    32608,
    32620,
    32892
  );

  script_name(english:"Sun Java JRE Multiple Vulnerabilities (244986 et al)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains a runtime environment that is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Sun Java Runtime Environment (JRE) installed on the
remote host is earlier than 6 Update 11 / 5.0 Update 17 / 1.4.2_19 /
1.3.1_24.  Such versions are potentially affected by the following
security issues :

  - The JRE creates temporary files with insufficiently
    random names. (244986)

  - There are multiple buffer overflow vulnerabilities
    involving the JRE's image processing code, its 
    handling of GIF images, and its font processing.
    (244987)

  - It may be possible for an attacker to bypass security 
    checks due to the manner in which it handles the 
    'non-shortest form' of UTF-8 byte sequences.

  - There are multiple security vulnerabilities in Java 
    Web Start and Java Plug-in that may allow for privilege
    escalation. (244988)

  - The JRE Java Update mechanism does not check the digital
    signature of the JRE that it downloads. (244989)

  - A buffer overflow may allow an untrusted Java 
    application that is launched through the commandline to 
    escalate its privileges. (244990)

  - A vulnerability related to deserializing calendar 
    objects may allow an untrusted applet or application to
    escalate its privileges. (244991)

  - A buffer overflow affects the 'unpack200' JAR unpacking
    utility and may allow an untrusted applet or application
    to escalate its privileges with unpacking applets and 
    Java Web Start applications. (244992)

  - The UTF-8 decoder accepts encodings longer than the 
    'shortest' form. Although not a vulnerability per se, 
    it may be leveraged to exploit software that relies on 
    the JRE UTF-8 decoder to reject the 'non-shortest form'
    sequence. (245246)

  - An untrusted applet or application may be able to list
    the contents of the home directory of the user running 
    the applet or application. (246266)

  - A denial of service vulnerability may be triggered when
    the JRE handles certain RSA public keys. (246286)

  - A vulnerability may be triggered while authenticating
    users through Kerberos and lead to a system-wide denial
    of service due to excessive consumption of operating
    system resources. (246346)

  - Security vulnerabilities in the JAX-WS and JAXB packages
    where internal classes can be accessed may allow an 
    untrusted applet or application to escalate privileges. 
    (246366)

  - An untrusted applet or application when parsing zip
    files may be able to read arbitrary memory locations in
    the process that the applet or application is running.
    (246386)

  - The JRE allows code loaded from the local filesystem to
    access localhost. (246387)");
  script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019736.1.html");
  script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019737.1.html");
  script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019738.1.html");
  script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019739.1.html");
  script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019740.1.html");
  script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019741.1.html");
  script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019742.1.html");
  script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019759.1.html");
  script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019793.1.html");
  script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019794.1.html");
  script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019797.1.html");
  script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019798.1.html");
  script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019799.1.html");
  script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019800.1.html");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/technetwork/java/javase/6u11-139394.html");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/technetwork/java/javase/releasenotes-142123.html");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/technetwork/java/javase/releasenotes-138306.html");
  script_set_attribute(attribute:"solution", value:
"Update to Sun Java JDK / JRE 6 Update 11, JDK / JRE 5.0 Update 17, 
SDK / JRE 1.4.2_19, or SDK / JRE 1.3.1_24 or later and 
remove if necessary any affected versions.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"Apache Tomcat File Disclosure");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Sun Java Calendar Deserialization Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");
  script_cwe_id(94, 119, 189, 200, 264, 287);

  script_set_attribute(attribute:"patch_publication_date", value:"2008/12/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/04");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2008-2022 Tenable Network Security, Inc.");

  script_dependencies("sun_java_jre_installed.nasl");
  script_require_keys("SMB/Java/JRE/Installed");

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");


# Check each installed JRE.
installs = get_kb_list("SMB/Java/JRE/*");
if (isnull(installs)) exit(1, "The 'SMB/Java/JRE/' KB item is missing.");

info = "";
vuln = 0;
installed_versions = "";

foreach install (list_uniq(keys(installs)))
{
  ver = install - "SMB/Java/JRE/";
  if (ver =~ "^[0-9.]+")
    installed_versions = installed_versions + " & " + ver;
  if (
    ver =~ "^1\.6\.0_(0[0-9]|10)([^0-9]|$)" ||
    ver =~ "^1\.5\.0_(0[0-9]|1[0-6])([^0-9]|$)" ||
    ver =~ "^1\.4\.([01]_|2_(0[0-9]|1[0-8]([^0-9]|$)))" ||
    ver =~ "^1\.3\.(0_|1_([01][0-9]|2[0-3]([^0-9]|$)))"
  )
  {
    dirs = make_list(get_kb_list(install));
    vuln += max_index(dirs);

    foreach dir (dirs)
      info += '\n  Path              : ' + dir;

    info += '\n  Installed version : ' + ver;
    info += '\n  Fixed version     : 1.6.0_11 / 1.5.0_17 / 1.4.2_19 / 1.3.1_24\n';
  }
}


# Report if any were found to be vulnerable.
if (info)
{
  port = get_kb_item("SMB/transport");
  if (!port) port = 445;

  if (report_verbosity > 0)
  {
    if (vuln > 1) s = "s of Java are";
    else s = " of Java is";

    report =
      '\n' +
      'The following vulnerable instance'+s+' installed on the\n' +
      'remote host :\n' +
      info;
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else
{
  installed_versions = substr(installed_versions, 3);
  if (" & " >< installed_versions)
    exit(0, "The Java "+installed_versions+" installs on the remote host are not affected.");
  else
    exit(0, "The Java "+installed_versions+" install on the remote host is not affected.");
}

The latest version of this script can be found in these locations depending on your platform:

• Linux / Unix:
  /opt/nessus/lib/nessus/plugins/sun_java_jre_244986.nasl
• Windows:
  C:\ProgramData\Tenable\Nessus\nessus\plugins\sun_java_jre_244986.nasl
• Mac OS X:
  /Library/Nessus/run/lib/nessus/plugins/sun_java_jre_244986.nasl

Go back to menu.

How to Run

---

Here is how to run the Sun Java JRE Multiple Vulnerabilities (244986 et al) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

1. Click to start a New Scan.
2. Select Advanced Scan.
3. Navigate to the Plugins tab.
4. On the top right corner click to Disable All plugins.
5. On the left side table select Windows plugin family.
6. On the right side table select Sun Java JRE Multiple Vulnerabilities (244986 et al) plugin ID 35030.
7. Specify the target on the Settings tab and click to Save the scan.
8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl sun_java_jre_244986.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a sun_java_jre_244986.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - sun_java_jre_244986.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state sun_java_jre_244986.nasl -t <IP/HOST>

Go back to menu.

References

---

BID | SecurityFocus Bugtraq ID:

• 30633, 32608, 32620, 32892

CWE | Common Weakness Enumeration:

• CWE-94 (Weakness) Improper Control of Generation of Code ('Code Injection')
• CWE-119 (Weakness) Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-189 (Category) Numeric Errors
• CWE-200 (Weakness) Exposure of Sensitive Information to an Unauthorized Actor
• CWE-264 (Category) Permissions, Privileges, and Access Controls
• CWE-287 (Weakness) Improper Authentication

See also:

• https://www.tenable.com/plugins/nessus/35030
• https://download.oracle.com/sunalerts/1019736.1.html
• https://download.oracle.com/sunalerts/1019737.1.html
• https://download.oracle.com/sunalerts/1019738.1.html
• https://download.oracle.com/sunalerts/1019739.1.html
• https://download.oracle.com/sunalerts/1019740.1.html
• https://download.oracle.com/sunalerts/1019741.1.html
• https://download.oracle.com/sunalerts/1019742.1.html
• https://download.oracle.com/sunalerts/1019759.1.html
• https://download.oracle.com/sunalerts/1019793.1.html
• https://download.oracle.com/sunalerts/1019794.1.html
• https://download.oracle.com/sunalerts/1019797.1.html
• https://download.oracle.com/sunalerts/1019798.1.html
• https://download.oracle.com/sunalerts/1019799.1.html
• https://download.oracle.com/sunalerts/1019800.1.html
• https://www.oracle.com/technetwork/java/javase/6u11-139394.html
• https://www.oracle.com/technetwork/java/javase/releasenotes-138306.html
• https://www.oracle.com/technetwork/java/javase/releasenotes-142123.html
• https://vulners.com/nessus/SUN_JAVA_JRE_244986.NASL

Similar and related Nessus plugins:

• 35046 - Fedora 9 : java-1.6.0-openjdk-1.6.0.0-0.20.b09.fc9 (2008-10860)
• 37147 - Fedora 10 : java-1.6.0-openjdk-1.6.0.0-7.b12.fc10 (2008-10913)
• 42834 - GLSA-200911-02 : Sun JDK/JRE: Multiple vulnerabilities
• 43142 - HP-UX PHSS_40374 : s700_800 11.X OV NNM7.53 PA-RISC Intermediate Patch 25
• 43143 - HP-UX PHSS_40375 : s700_800 11.X OV NNM7.53 IA-64 Intermediate Patch 25
• 39435 - Mac OS X : Java for Mac OS X 10.5 Update 4
• 39766 - Mac OS X : Java for Mac OS X 10.4 Release 9
• 40731 - RHEL 4 / 5 : java-1.6.0-sun (RHSA-2008:1018)
• 40732 - RHEL 4 / 5 : java-1.5.0-sun (RHSA-2008:1025)
• 40737 - RHEL 4 / 5 : java-1.6.0-ibm (RHSA-2009:0015)
• 40738 - RHEL 4 / 5 : java-1.5.0-ibm (RHSA-2009:0016)
• 40743 - RHEL 3 / 4 / 5 : java-1.4.2-ibm (RHSA-2009:0445)
• 43843 - RHEL 4 / 5 : java-1.5.0-ibm (RHSA-2009:0466)
• 53539 - RHEL 4 : Sun Java Runtime in Satellite Server (RHSA-2009:1662)
• 64828 - Sun Java JRE Multiple Vulnerabilities (244986 et al) (Unix)
• 39997 - openSUSE Security Update : java-1_5_0-sun (java-1_5_0-sun-375)
• 40002 - openSUSE Security Update : java-1_6_0-sun (java-1_6_0-sun-376)
• 40235 - openSUSE Security Update : java-1_5_0-sun (java-1_5_0-sun-375)
• 40238 - openSUSE Security Update : java-1_6_0-openjdk (java-1_6_0-openjdk-578)
• 40241 - openSUSE Security Update : java-1_6_0-sun (java-1_6_0-sun-376)
• 41404 - SuSE 11 Security Update : IBM Java 1.4.2 (SAT Patch Number 735)
• 41263 - SuSE9 Security Update : Sun Java (YOU Patch Number 12321)
• 41268 - SuSE9 Security Update : IBM Java5 JRE and SDK (YOU Patch Number 12336)
• 41289 - SuSE9 Security Update : IBM Java2 JRE and SDK (YOU Patch Number 12387)
• 41525 - SuSE 10 Security Update : IBM Java 1.4.2 (ZYPP Patch Number 6136)
• 41526 - SuSE 10 Security Update : Sun Java 1.4.2 (ZYPP Patch Number 5852)
• 41527 - SuSE 10 Security Update : IBM Java 1.5.0 (ZYPP Patch Number 5960)
• 35305 - openSUSE 10 Security Update : java-1_5_0-sun (java-1_5_0-sun-5875)
• 35306 - openSUSE 10 Security Update : java-1_6_0-sun (java-1_6_0-sun-5876)
• 37381 - Ubuntu 8.10 : OpenJDK vulnerabilities (USN-713-1)
• 42179 - VMSA-2009-0014 : VMware ESX patches for DHCP, Service Console kernel, and JRE resolve multiple security issues
• 89116 - VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0014) (remote check)

Version

---

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file sun_java_jre_244986.nasl version 1.34. For more plugins, visit the Nessus Plugin Library.

Go back to menu.