CVE-2012-4681: Let's start the week with a new Java 0-day in Metasploit

• Aug 27, 2012
• 1 min read
• Wei Chen

Last updated at Tue, 25 Jul 2017 13:55:46 GMT

On late Sunday night, the Metasploit Exploit team was looking for kicks, and heard the word on the street that someone was passing around a reliable Java 0-day exploit. Big thanks to Joshua J. Drake (jduck), we got our hands on that PoC, and then once again, started our voodoo ritual. Within a couple of hours, we have a working exploit. Download Metasploit here, and apply the latest update to pick up the exploit.

The above example is a successful attack against a fully patched Windows 7 SP1 with Java 7 Update 6. We have also tested the module against the following environments:

• Mozilla Firefox on Ubuntu Linux 10.04
• Internet Explorer / Mozilla Firefox / Chrome on Windows XP
• Internet Explorer / Mozilla Firefox on Windows Vista
• Internet Explorer / Mozilla Firefox on Windows 7
• Safari on OS X 10.7.4

As a user, you should take this problem seriously, because there is currently no patch from Oracle. For now, our recommendation is to completely disable Java until a fix is available. NOTE: A fix is now available (Java 7 Update 7), please patch your system ASAP!

To try out this exploit: Get your free Metasploit download now, or update your existing installation. Meanwhile, we will keep this blog updated when more progress has been made.

—

Aug 28 2012: This vulnerability has been assigned as CVE-2012-4681.

Aug 30 2012: Oracle has released Java 7 Update 7

Wei is a Rapid7 veteran and an all-time top committer for the Metasploit Framework. Now a lead offensive security researcher for Metasploit, he specializes in vuln analysis and exploit development.

View Wei’s Posts