SAINT:DEBA35B9575FFBBADB9C5A77DDDECF95

Oracle Java Rhino Script Engine Code Execution

2011-12-02 00:00:00
SAINT Corporation
my.saintcorporation.com

CVSS2 Score: 10 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.972 High
EPSS Percentile: 99.8%

Added: 12/02/2011
CVE: CVE-2011-3544
BID: 50218
OSVDB: 76500

Background

Java is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is well suited to applications that must run on a variety of hardware platforms, such as web applets.
Java includes a JavaScript engine called Rhino. In addition to providing basic JavaScript functionality, Rhino also allows Java objects to interact with JavaScript variables.

Problem

Rhino content runs outside the control of the Java SecurityManager, under its own security layer. A vulnerability exists when a Rhino script defines a toString method for the 'this' object, where the method can disable the SecurityManager for the entire applet and run a malicious payload. If an error object's message property is set to this object and returned, an attacker can execute arbitrary code on the target system.

Resolution

Upgrade to Oracle JRE 6 Update 28 or later.

References

<http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html>
<http://schierlm.users.sourceforge.net/CVE-2011-3544.html>

Limitations

This exploit has been tested against Oracle JRE 6 Update 27 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).

Platforms

Windows