Friday, January 11, 2013

Java continues to wow and amaze

Each set of new Java vulnerabilities is a work of art, and we analyze them in great depth for you in this new white paper by Esteban.

https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf

We'll see if we can "bloggify" that white paper on Monday, for the cadre of people who don't want to load any PDFs but are comfortable running arbitrary HTML code. :>

2 comments:

mihi said...

For the record: Trying your code example for the MBeanInstantiator vulnerability on JDK6u19 does not work since apparently the interceptors flag is ignored in JmxMBeanServer constructor. Did not test any other old JDK6 versions yet as I don't have any installed :)

mihi said...

Another thing: I disagree that the getCallerClass code should take the new reflection into account, since in normal cases the stack trace will be patched up (i.e. those stack frames removed) so that it looks as if the method has been called directly (you can test this for example by using invoke() instead of invokeWithArguments()). Apparently some places are not handled correctly, but it suffices to add the Lookup.find methods to MethodHandleNatives#isCallerSensitive to avoid this issue. See also http://schierlm.users.sourceforge.net/CVE-2013-0422.html for an unofficial "patch".