The SSL protocol, as used in Oracle Java, encrypts data by using CBC mode with chained initialization vectors. This weakness allows to decrypt HTTP headers by a chosen plain text attack, thus obtaining browser cookies from the target system's browser corresponding to a given HTTPS server. The cookies could then be used by the user to do a session hijacking attack. This module launches the attack against target systems. This systems must be running a browser with the vulnerable Java version for this exploit to work. This module is capable or retrieving the cookies stored in the browser for a specified target domain. The attack begins with an ARP spoofing attack. If this attack is successful, HTTP traffic from the target system will be intercepted and modified. An HTTP response will be modified so the target's browser loads a Java applet. This applet then is used to launch the chosen plain text attack. For this exploit to work, the cipher suite used by the SSL connection between the target system and the target domain must use the CBC mode. This module only works when the target domain server isn't on the same local network as the target system. This exploit wasn't tested on target domains that resolve to more than one IP address. This module doesn't work when the target domain host is accessed by the target system through a proxy, or if the target domain server closes the SSL connections after every request. Note: The ARP attack will send packets with spoofed MAC addresses. The MAC address prefix can be controlled with a parameter. This value should be changed when the module is run against more than one target at the same time.
CVE Link
Product Name