Lucene search

K
zdiBen MurphyZDI-13-040
HistoryMar 22, 2013 - 12:00 a.m.

Oracle Java Proxy.newProxyInstance Security Manager Bypass Remote Code Execution Vulnerability

2013-03-2200:00:00
Ben Murphy
www.zerodayinitiative.com
16

EPSS

0.043

Percentile

92.3%

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or run a malicious file. The specific bypass of security permissions is possible via invocation of Proxy.newProxyInstance. It is possible to run user callbacks that don’t have higher privileges as privileged. This allows a malicious applet to execute attacker-supplied code resulting in remote code execution under the context of the current user.