Java MBeanInstantiator.findClass and Recursive Reflection Sandbox Escape

2013-01-14T00:00:00
ID SAINT:B859AECDBB7016A3F1E3446FE83018A3
Type saint
Reporter SAINT Corporation
Modified 2013-01-14T00:00:00

Description

Added: 01/14/2013
CVE: CVE-2013-0422
BID: 57246
OSVDB: 89059

Background

Java is a programming language whose programs are compiled to platform-independent bytecode, which is then executed inside a Java Virtual Machine (JVM). This makes it well suited to applications that must run unchanged on various hardware platforms, such as web applets. Applets from untrusted sources run inside a sandbox enforced by a SecurityManager, which is meant to deny them access to restricted packages and privileged operations.

Problem

Two vulnerabilities exist in Java 7 versions prior to Update 11. The first is in the findClass method of the MBeanInstantiator class, part of the JDK's internal JMX implementation. findClass loads and returns a Class reference for any class name it is given, without applying the package-access check that would normally prevent sandboxed code from obtaining classes in restricted packages. The MBeanInstantiator constructor is not public, so the attacker needs a reference to an existing instance: the static JmxMBeanServer.newMBeanServer method returns a JmxMBeanServer instance, which contains a reference to an instance of MBeanInstantiator.
The second vulnerability lies in the access checks performed when methods are invoked through method handles obtained via reflection. The Lookup class nested in MethodHandles performs security validation by calling its checkSecurityManager method. To decide which class is making the request, checkSecurityManager calls getCallerClassAtEntryPoint, which simply returns the result of Reflection.getCallerClass. That method is supposed to skip the stack frames that belong to the Reflection API so that the real caller is identified. It does not skip them correctly, so a request routed through the Reflection API can be attributed to a trusted system class instead of to the untrusted applet, and the security check is bypassed.
Combined, the two vulnerabilities allow a malicious applet to obtain restricted classes through findClass and invoke them without the security manager intervening, escaping the sandbox and executing arbitrary Java code outside it with the privileges of the user running the browser.

Resolution

Upgrade to Java 7 Update 11 or later. Oracle's alert (linked below) states that this update addresses CVE-2013-0422; it also raises the default Java security level to High, so the browser plug-in now prompts the user before running an applet from an unknown or unsigned source. Researchers quoted in the press coverage linked below have questioned whether the fix is complete, and a user who chooses to run a malicious applet at the prompt can still be compromised by any remaining flaw. Disabling the Java browser plug-in is the more robust mitigation, but it will break web applications that depend on Java applets.
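As an added practitioner check (example code written for this page, not part of the SAINT advisory or of any Oracle tool), the following Python script parses the banner printed by `java -version` and reports whether an installed Java 7 build is below the Update 11 fix level named above. The sample banners are constructed, the function names are this example's own, and the regular expressions are assumptions about the banner format rather than a documented interface. The check goes slightly beyond the advisory in that it also accepts the numeric version format introduced with Java 9; builds older than Java 7 are reported as outside this advisory's scope rather than asserted to be safe.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fix level stated in this advisory: Java 7 Update 11.
FIXED_MAJOR = 7
FIXED_UPDATE = 11

# Matches the legacy "1.7.0_10" / "1.7.0_11-b21" form and the
# post-Java-9 "11.0.2" / "17.0.5+8" form. Assumed format, not an Oracle API.
_VERSION_RE = re.compile(
    r"^(?:1\.(?P<legacy_major>\d+)\.\d+|(?P<major>\d+)(?:\.\d+)*)"
    r"(?:_(?P<update>\d+))?"
    r"(?:[-+][\w.]+)?$"
)

# First line of the `java -version` banner, e.g. java version "1.7.0_10"
_BANNER_RE = re.compile(r'^\s*(?:java|openjdk) version "(?P<ver>[^"]+)"', re.MULTILINE)


def parse_java_version(version: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a Java version string, or None if unparseable."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major = int(m.group("legacy_major") or m.group("major"))
    update = int(m.group("update") or 0)  # GA builds carry no "_NN" update suffix
    return major, update


def assess_java_version(major: int, update: int) -> str:
    """Classify a Java release against the fix level in this advisory."""
    if major < FIXED_MAJOR:
        # CVE-2013-0422 is reported against Java 7; do not claim older lines are safe.
        return "not covered by this advisory"
    if major > FIXED_MAJOR:
        return "fixed"  # every later major release shipped after Java 7 Update 11
    return "affected" if update < FIXED_UPDATE else "fixed"


def check_java_version_output(output: str) -> Tuple[Optional[str], str]:
    """Extract the version from `java -version` text and assess it."""
    m = _BANNER_RE.search(output)
    if not m:
        return None, "no java version banner found"
    version = m.group("ver")
    parsed = parse_java_version(version)
    if parsed is None:
        return version, "unrecognised version format"
    return version, assess_java_version(*parsed)


# Constructed sample banners; `java -version` writes its banner to stderr.
SAMPLE_VULNERABLE = (
    'java version "1.7.0_10"\n'
    "Java(TM) SE Runtime Environment (build 1.7.0_10-b18)\n"
    "Java HotSpot(TM) 64-Bit Server VM (build 23.6-b04, mixed mode)\n"
)
SAMPLE_FIXED = (
    'java version "1.7.0_11"\n'
    "Java(TM) SE Runtime Environment (build 1.7.0_11-b21)\n"
    "Java HotSpot(TM) Client VM (build 23.6-b04, mixed mode, sharing)\n"
)
SAMPLE_MODERN = (
    'openjdk version "11.0.2" 2019-01-15\n'
    "OpenJDK Runtime Environment 18.9 (build 11.0.2+9)\n"
)


def check_installed_java() -> Tuple[Optional[str], str]:
    """Run the local `java -version` and assess it; reports if java is absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None, "java not found on PATH"
    return check_java_version_output(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED), ("modern", SAMPLE_MODERN)):
        print(label, check_java_version_output(sample))
    print("installed", check_installed_java())
```

Run it on a host to see the assessment of the JRE on PATH; browser plug-ins can bundle a different JRE from the command-line one, so the check is a starting point, not a substitute for verifying the plug-in version the browser actually loads.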

References

<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>
<http://www.cbsnews.com/8301-205_162-57563846/java-7-patch-released-experts-say-may-contain-flaws/>
<http://www.reuters.com/article/2013/01/13/us-java-oracle-security-idUSBRE90C0JB20130113>
<http://www.bbc.co.uk/news/technology-21011669>

Limitations

This exploit has been tested against Oracle JRE 7 Update 10 on Windows XP SP3 English (DEP OptIn), Windows 7 SP1 (DEP OptIn), Mac OS X 10.7.5, and Ubuntu 12.04.1 LTS.

Platforms

Windows
Mac OS X
Linux