CVE-2023-21939 PoC — Oracle Java SE and Oracle GraalVM Security Vulnerability

Source
Associated Vulnerability
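Title: Oracle Java SE and Oracle GraalVM Security Vulnerability (CVE-2023-21939)
Description: Oracle Java SE and Oracle GraalVM are both products of Oracle Corporation (USA). Oracle Java SE is used to develop and deploy Java applications on desktops, servers, embedded devices and real-time environments. Oracle GraalVM is a just-in-time compiler written in the Java language. The product supports multiple programming languages and execution modes. Oracle Java SE versions 8u361, 8u361-perf, 11.0.18, 17.0.6 and 20, Oracle GraalVM Enterprise 20.3.9, 21.3.5 and 22.3.1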
Description
JDK CVE-2023-21939
Readme
## JDK CVE-2023-21939

[Article link](https://mp.weixin.qq.com/s?__biz=MzkzOTQzOTE1NQ==&mid=2247483750&idx=1&sn=12a793075d0a8713bbfb4341b3591628&chksm=c2f1a43af5862d2cc898be9e4b43b24d24b29173501d3c10d812a8fcb7dd25d858e3095969ea#rd)

This is JDK CVE-2023-21939

Use a JDK version lower than 8u371.

### JDK + Apache XML Graphics

```xml
<dependency>
    <groupId>org.apache.xmlgraphics</groupId>
    <artifactId>batik-swing</artifactId>
    <version>1.15</version>
</dependency>
```

How to reproduce this RCE:

(1) Run XmlServer.java 

(2) Run JarServer.java

(3) Run JarRCE.java to test; the RCE succeeds

Screenshot:

![](imgs/001.png)

### JDK + Apache XML Graphics + Mozilla Rhino

```xml
<dependency>
    <groupId>org.apache.xmlgraphics</groupId>
    <artifactId>batik-swing</artifactId>
    <version>1.15</version>
</dependency>
<dependency>
    <groupId>org.mozilla</groupId>
    <artifactId>rhino</artifactId>
    <version>1.7.10</version>
</dependency>
```

How to reproduce this RCE:

(1) Run XmlServer.java

(2) Run JSRCE.java to test; the RCE succeeds

Screenshot:

![](imgs/002.png)
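
An exposure check for the two setups above, added here as an example and not part of the original repository: it parses a Java version string, compares it with the affected versions listed in the advisory text, and looks for `batik-swing` and `rhino` jars on a classpath. Treating every build at or below the listed one in a release train as in range is an assumption, and the function names and sample input are constructed.

```python
import os
import re

# Last affected build per release train, from the advisory text on this page.
# Assumption: earlier builds of the same train are treated as in range too.
LAST_AFFECTED = {8: (8, 0, 361), 11: (11, 0, 18), 17: (17, 0, 6), 20: (20, 0, 0)}
# Jars the README combines with the JDK in its two setups.
JAR_RE = re.compile(r"^(batik-swing|rhino)-(\d[\w.-]*)\.jar$")

def parse_java_version(text):
    """Parse '1.8.0_361', '8u361', '17.0.6+9-LTS' or `java -version` output."""
    m = re.search(r"(\d+(?:\.\d+)*)(?:[_u](\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    if parts[0] == 1 and len(parts) > 1:  # legacy scheme: 1.8.0 means Java 8
        parts = parts[1:]
    parts = (parts + [0, 0])[:3]
    if m.group(2) is not None:  # legacy update number after '_' or 'u'
        parts[2] = int(m.group(2))
    return tuple(parts)

def jdk_in_listed_range(version):
    """True/False for a listed release train, None for a train the page does not list."""
    last = LAST_AFFECTED.get(version[0])
    return None if last is None else version <= last

def find_artifacts(classpath, sep=os.pathsep):
    """Map artifact name -> version for batik-swing / rhino jars on a classpath."""
    found = {}
    for entry in classpath.split(sep):
        m = JAR_RE.match(re.split(r"[\\/]", entry)[-1])  # basename, either slash style
        if m:
            found[m.group(1)] = m.group(2)
    return found

def assess(version_text, classpath, sep=os.pathsep):
    """Report which of the README's two setups a JDK + classpath pair matches."""
    version, jars = parse_java_version(version_text), find_artifacts(classpath, sep)
    in_range = jdk_in_listed_range(version)
    setups = []
    if in_range and "batik-swing" in jars:
        setups.append("JDK + Apache XML Graphics")
        if "rhino" in jars:
            setups.append("JDK + Apache XML Graphics + Mozilla Rhino")
    return {"jdk": version, "jdk_in_listed_range": in_range, "jars": jars, "matching_setups": setups}

# Constructed sample input, not taken from a real host.
SAMPLE = ('java version "1.8.0_361"', "/opt/app/lib/batik-swing-1.15.jar:/opt/app/lib/rhino-1.7.10.jar")
if __name__ == "__main__":
    print(assess(*SAMPLE, sep=":"))
```

An empty `matching_setups` list only means the host does not match the two configurations this README uses; shaded or renamed jars are not detected by the filename match.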
File Snapshot

```
[4.0K] /data/pocs/d59f0107779e203f20d028777b2da24033f22a97
├── [4.0K] imgs
│   ├── [ 53K] 001.png
│   └── [ 60K] 002.png
├── [1.1K] pom.xml
├── [1.1K] README.md
└── [4.0K] src
    └── [4.0K] main
        ├── [4.0K] java
        │   ├── [ 766] Exploit.java
        │   └── [4.0K] me
        │       └── [4.0K] n1ar4
        │           ├── [4.0K] exploit
        │           │   ├── [ 869] JarRCE.java
        │           │   ├── [ 867] JSRCE.java
        │           │   └── [ 718] SerUtil.java
        │           ├── [1.8K] JarServer.java
        │           ├── [ 649] Main.java
        │           └── [2.5K] XmlServer.java
        └── [4.0K] resources
            └── [1.6K] exploit.jar

8 directories, 12 files
```