CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
96.3%
The remote host is using a vulnerable version of Sun Java Runtime Plug-in, a web browser add-on used to display Java applets. Two security issues have been reported in the remote version of this product:
An untrusted applet may escalate its privileges in order to read, write or execute files on the remote system.
An untrusted applet may interfere with trusted applets loaded on the same page.
A remote attacker could exploit this by tricking a user into visiting a maliciously crafted web page.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration phase: when `description` is set, the script only declares its
# metadata and dependencies, then exits before any of the checks below run.
if (description)
{
# Plugin identity and the advisory identifiers it tracks.
script_id(16226);
script_version("1.27");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2004-1029");
script_bugtraq_id(11726, 11766, 12317);
script_xref(name:"SECUNIA", value:"13271");
script_name(english:"Sun Java JRE Plug-in Capability Arbitrary Package Access");
# Human-readable finding text shown in scan results.
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an application that is affected by
a security bypass vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote host is using a vulnerable version of Sun Java Runtime
Plug-in, a web browser addon used to display Java applets. Two
security issues have been reported in the remote version of this
product :
- An untrusted applet may escalate its privileges in
order to read, write or execute files on the remote system.
- An untrusted applet may interfere with trusted applets
loaded on the same page.
A remote attacker could exploit this by tricking a user into
visiting a maliciously crafted web page.");
# References. The two shortened nessus.org links are preceded by a comment
# holding the original URL they stand for.
script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2004/Nov/1059");
# https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=158
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0d0f6ddb");
# http://web.archive.org/web/20080509045543/http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1e3d3f10");
# Remediation: these two builds are also the "Fixed version" printed in the report.
script_set_attribute(attribute:"solution", value:
"Upgrade to JDK 1.3.1_13 / JRE 1.4.2_06 or later.");
# Severity metadata: CVSS v2 base and temporal vectors, exploit availability, CWE.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(264);
# Timeline: disclosure and patch share a date; the plugin followed two months later.
script_set_attribute(attribute:"vuln_publication_date", value:"2004/11/22");
script_set_attribute(attribute:"patch_publication_date", value:"2004/11/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/22");
# Classification. The CPE uses the oracle vendor name although the plugin text
# refers to the product as Sun's.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.");
# The checks below read only KB entries under SMB/Java/JRE/, so the script
# depends on sun_java_jre_installed.nasl and requires the key that marks a
# JRE as present. NOTE(review): presumably that dependency is what populates
# the per-version keys - confirm.
script_dependencies("sun_java_jre_installed.nasl");
script_require_keys("SMB/Java/JRE/Installed");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
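# Check each installed JRE.
#
# Each KB key under SMB/Java/JRE/ is read as "<prefix><version>"; the value(s)
# stored under that key are reported as install paths.
installs = get_kb_list("SMB/Java/JRE/*");
if (isnull(installs)) exit(0);

info = "";
vuln = 0;

foreach install (list_uniq(keys(installs)))
{
  ver = install - "SMB/Java/JRE/";

  # Flag releases older than the fixed builds named in the report
  # (1.3.1_13 / 1.4.2_06). The pattern stays a literal in the condition.
  #
  # The earlier pattern left gaps that produced false negatives:
  #   - 1.3.1_01 .. 1.3.1_09 (a non-digit was required right after "_N"),
  #   - 1.4.0_NN and 1.4.1_NN (a literal "." was required after the third
  #     component),
  #   - the bare strings "1.3.1", "1.4.0", "1.4.1" and "1.4.2".
  # Every alternative of the earlier pattern is still covered, so nothing that
  # matched before stops matching; 1.3.1_13+ and 1.4.2_06+ remain unmatched.
  # NOTE(review): assumes versions are recorded as 1.x.y_NN, the form used in
  # the fixed-version string below - confirm against sun_java_jre_installed.nasl.
  if (ver =~ "^1\.(3\.(0|1$|1[^_]|1_0?[0-9]([^0-9]|$)|1_1[0-2])|4\.([01]([^0-9]|$)|2$|2_0[0-5]))")
  {
    dirs = make_list(get_kb_list(install));
    # Count every install path so the report can choose singular or plural.
    vuln += max_index(dirs);

    # One "Path" line per directory, then a single version summary for the group.
    foreach dir (dirs)
    {
      info += '\n Path : ' + dir;
    }
    info += '\n Installed version : ' + ver;
    info += '\n Fixed version : 1.3.1_13 / 1.4.2_06\n';
  }
}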
# Emit the finding when at least one vulnerable install was collected.
if (info)
{
  # The SMB transport port from the KB is the port the finding is attached to.
  smb_port = get_kb_item("SMB/transport");

  if (!report_verbosity)
  {
    # Report verbosity is off: raise the finding without the per-install detail.
    security_hole(smb_port);
  }
  else
  {
    # Pick the singular or plural wording from the number of paths counted.
    if (vuln <= 1) s = " of Sun's JRE is";
    else s = "s of Sun's JRE are";

    # string() is kept so the "\n" escapes in the double-quoted pieces expand.
    report = string(
      "\n",
      "The following vulnerable instance", s, " installed on the\n",
      "remote host :\n",
      info
    );
    security_hole(port:smb_port, extra:report);
  }
}