Oracle Java SE/JRE up to 7 Update 6 SunToolkit rt.jar setAccessible privileges management

CVSS Meta Temp Score: 9.4
CVSS is a standardized scoring system to determine possibilities of attacks. The Temp Score considers temporal factors like disclosure, exploit and countermeasures. The unique Meta Score calculates the average score of different sources to provide a normalized scoring system.

Current Exploit Price (≈): $0-$5k
Our analysts are monitoring exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be seen on exploit markets. A good indicator to understand the monetary effort required for and the popularity of an attack.

CTI Interest Score: 0.00
Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. A high score indicates an elevated risk to be targeted for this vulnerability.

A vulnerability classified as very critical has been found in Oracle Java SE and JRE up to 7 Update 6 (Programming Language Software). Affected by this issue is the function setAccessible in the file rt.jar of the component SunToolkit. Manipulation with an unknown input leads to a privilege escalation vulnerability. Using CWE to declare the problem leads to CWE-269: the software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Confidentiality, integrity, and availability are impacted. CVE summarizes:

Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

The bug was discovered 08/27/2012. The weakness was shared 08/10/2012 by Mark Wuergler (@MarkWuergler) of Immunity, Inc. as a confirmed tweet (Twitter). The advisory is available at twitter.com. The vendor was not involved in the coordination of the public release. The company FireEye published a blog post with the title "Zero-Day Season is not over yet", which starts with the words: "New Java zero-day vulnerability has been spotted in the wild. We have seen this unpatched exploit being used in limited targeted attacks." This vulnerability has been handled as CVE-2012-4681 since 08/27/2012. The attack may be launched remotely; no form of authentication is required for exploitation. Technical details as well as a public exploit are known. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimate calculated on 07/30/2019). This vulnerability is assigned to T1068 by the MITRE ATT&CK project. This vulnerability has a historic impact due to its background and reception. It affects Java 7 (1.7) Update 0 to 6; it does not affect Java 6 and below.

A public exploit has been developed by metasploit (jduck) in Java and was published 3 weeks after the advisory. It is declared as highly functional. The exploit is available at pastie.org. The vulnerability was handled as a non-public zero-day exploit for at least 130 days; during that time the estimated underground price was around $100k and more. A worm is spreading which automatically exploits this vulnerability. The vulnerability scanner Nessus provides a plugin with the ID 61740 (FreeBSD : Java 1.7 -- security manager bypass (16846d1e-f1de-11e1-8bd8-0022156e8794)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family FreeBSD Local Security Checks and runs in the context local. The commercial vulnerability scanner Qualys is able to test this issue with plugin 185011 (HP-UX Running Java Remote Code Execution Vulnerability (HPSBUX02824)). Mark Wuergler tweets on his account: "VulnDisco SA CANVAS exploit pack has a new Java 0-day. It has been tested on Windows 7 with IE, Opera and Firefox." In a conversation with the Blackhole author, Krebs was told that exploits like this could go for $100,000 on the black market, which shows how effective attacks using this type of vulnerability can be. According to security researchers from the security firm Immunity, the Java exploit published online earlier that week and integrated into the Blackhole attack toolkit makes use of two Java vulnerabilities, not one, as was previously believed. (https://www.virustotal.com/file/09d10ae0f763e91982e1c276aad0b26a575840ad986b8f53553a4ea0a948200f/analysis/)

Upgrading to version 7 Update 7 eliminates this vulnerability. The upgrade is hosted for download at java.com. Applying a patch also eliminates this problem; the bugfix is ready for download at deependresearch.org. The problem might be mitigated by replacing the product with Microsoft Silverlight or Adobe Flash as an alternative. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation was published 3 weeks after the disclosure of the vulnerability. DeepEnd Research has been in contact with Michael Schierl (a Java expert who discovered a number of Java vulnerabilities). They asked him to have a look at this exploit; he sent his detailed analysis, which they will publish in the near future, and a patch, which they offer on a per-request basis. Attack attempts may be identified with Snort ID 21438. Furthermore, it is possible to detect and prevent this kind of attack with TippingPoint and the filter 12544.

The vulnerability is also documented in the databases at X-Force (77972), SecurityTracker (ID 1027447), Vulnerability Center (SBV-36004), Tenable (61740) and Exploit-DB (20865). nakedsecurity.sophos.com provides further details. The entries 6030, 6031 and 6032 are related to this item.


CVSSv3

VulDB Meta Base Score: 9.8
VulDB Meta Temp Score: 9.4

VulDB Base Score: 9.8
VulDB Temp Score: 9.4


Exploiting

Class: Privilege escalation
CWE: CWE-269
ATT&CK: T1068

Local: No
Remote: Yes

Access: Public
Status: Highly functional
Author: metasploit (jduck)

Nessus ID: 61740
Nessus Name: FreeBSD : Java 1.7 -- security manager bypass (16846d1e-f1de-11e1-8bd8-0022156e8794)

OpenVAS ID: 71831
OpenVAS Name: FreeBSD Ports: openjdk

Saint ID: exploit_info/oracle_java_findclass_findmethod_security_bypass
Saint Name: Oracle Java findMethod findClass Security Bypass

MetaSploit ID: java_jre17_exec.rb
MetaSploit Name: Java 7 Applet Remote Code Execution


Countermeasures

Recommended: Upgrade

Upgrade: Java SE/JRE 7 Update 7
Patch: deependresearch.org
Alternative: Microsoft Silverlight/Adobe Flash

Snort ID: 21438
Snort Message: EXPLOIT-KIT Blackhole exploit kit JavaScript carat string splitting with hostile applet

Timeline

04/02/2012
08/10/2012 +130 days
08/27/2012 +17 days
08/27/2012 +0 days
08/27/2012 +0 days
08/27/2012 +0 days
08/27/2012 +0 days
08/27/2012 +0 days
08/27/2012 +0 days
08/28/2012 +1 day
08/28/2012 +0 days
08/28/2012 +0 days
08/29/2012 +1 day
08/30/2012 +1 day
08/31/2012 +1 day
07/30/2019 +2524 days

Sources

Vendor: oracle.com

Advisory: twitter.com
Researcher: Mark Wuergler (@MarkWuergler)
Organization: Immunity, Inc.
Status: Confirmed

CVE: CVE-2012-4681

X-Force: 77972 - Oracle Java Runtime Environment sandbox code execution, High Risk
SecurityTracker: 1027447
Vulnerability Center: 36004 - Oracle Java 7 Update 6 Remote Code Execution via a Crafted Applet, Critical
SecurityFocus: 55213 - Oracle Java Runtime Environment Remote Code Execution Vulnerability
Secunia: 50133
OSVDB: 84867 - CVE-2012-4681 - Oracle - Java SE - Multiple Unspecified Issues

scip Labs: https://www.scip.ch/en/?labs.20161013

Entry

Created: 08/28/2012 10:34 AM
Updated: 07/30/2019 08:30 PM
Changes: (4) vulnerability_discoverydate source_osvdb_title source_mcafee_ips_id source_mcafee_ips_version
