CVE-2010-0094 (RMIConnectionImpl) Exploit Artifacts

Saturday, March 12, 2011 Posted by Corey Harrell
Artifact Name

CVE-2010-0094 (RMIConnectionImpl) Exploit Artifacts

Attack Vector Category



Vulnerability present within the deserialization of RMIConnectionImpl objects affects Oracle Java 6 Update 18 and 5.0 Update 23 and earlier versions on Windows, Solaris and Linux systems. Exploitation allows for the execution of arbitrary code under the context of the currently logged on user.

Attack Description

This description was obtained using the Zero Day Initiative reference and it consists of having a user visit a malicious website.

Exploits Tested

Metasploit v3.6 multi\browser\java_rmi_connection_impl

Target System Information

* Windows XP SP3 Virtual Machine with Java 6 update 16 using administrative user account

* Windows XP SP3 Virtual Machine with Java 6 update 16 using non-administrative user account

Different Artifacts based on Administrator Rights


Different Artifacts based on Software Versions

Not tested

Potential Artifacts

The potential artifacts include the CVE 2010-0094 exploit and the changes the exploit causes in the operating system environment. The artifacts can be grouped under the following three areas:

     * Temporary File Creation
     * Indications of the Vulnerable Application Executing
     * Internet Activity

Note: the documenting of the potential artifacts attempted to identify the overall artifacts associated with the vulnerability being exploited as opposed to the specific artifacts unique to the Metasploit. As a result, the actual artifact storage locations and filenames are inside of brackets in order to distinguish what may be unique to the testing environment.

     * Temporary File Creation

          - JAR file created in a temporary storage location on the system within the timeframe of interest. [C:/Documents and Settings/Administrator/Local Settings/Temp/jar_cache8659615251018636226.tmp. The contents of the JAR file contained a manifest file and other files which were detected as the CVE-2010-0094 exploit. Exploit.class and PayloadClassLoader.class are two of the files detected as containing the exploit.

     * Indications of the Vulnerable Application Executing

          - Log files indicating Java was executed within the timeframe of interest. [C:/Documents and Settings/Administrator/Application Data/Sun/Java/Deployment/, C:/Documents and Settings/Administrator/Local Settings/Temp/java_install_reg.log, and C:/Documents and Settings/Administrator/Local Settings/Temp/jusched.log] The picture below shows the contents of the file.

          - Prefetch files of Java executing. [C:/WINDOWS/Prefetch/]

          - Registry modification involving Java executing. The last write time on the registry key is the same thime that is reflected in the jusched.log file. [HKLM-Admin/Software/JavaSoft/Java Update/Policy/JavaFX. One of the entries in the jusched.log file was "SetDefaultJavaFXUpdateSchedule: Frequency:16, Schedule: 3:52" and this occurred when the registry key was modified]

          - Folder activity involving the Java application. [C:/Program Files/Java/jre6/, C:/Documents and Settings/Administrator/Application Data/Sun/Java/Deployment/cache/, and C:/Documents and Settings/Administrator/Local Settings/Temp/hsperfdata_username]

     * Internet Activity

          - Web browser history of user accessing websites within the timeframe of interest. [Administrator user account accessed the computer - running Metasploit]

          - Files located in the Temporary Internet Files folder. [C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/]

Timeline View of Potential Artifacts

The images below shows the above artifacts in a timeline of the file system from the Windows XP SP3 system with an administrative user account. The timeline includes the filesystem, registry, event logs, and Internet Explorer history entries.


Vulnerability Information

Mitre’s CVE

NIST National Vulnerability Database

Zero Day Initiative

Exploit Information

Metasploit Exploit Information
  1. Kalyan

    Great post Corey! Keep up the good work.

  2. Corey,

    Do you still have the .pf file from this one available?

    Given my most recent post on Prefetch analysis, this one might be interesting to revisit...

Post a Comment