[SE-2012-01] Broken security fix in Oracle Java SE 7/8/9

From: Security Explorations <contact@security-explorations.com>
To: bugtraq@securityfocus.com,fulldisclosure@seclists.org
Subject: [SE-2012-01] Broken security fix in Oracle Java SE 7/8/9

Hello All,

On Mar 07, 2016 Security Explorations modified its Disclosure Policy [1].
As a result, we do not tolerate broken fixes any more. If an instance
of a broken fix for a vulnerability we already reported to the vendor
is encountered, it gets disclosed by us without any prior notice.

The vendor that gets the questionable honor to be the first to experience
our modified Disclosure Policy is Oracle.

Yesterday, during my JavaLand talk [2], while discussing the problems
related to Java platform security, its ecosystem and vendors I disclosed
general information about a broken Oracle Java SE fix from Sep 2013:


This was the fix for the last vulnerability we reported to the company
as part of our Java SE security research (Issue 69 [3]). This weakness
made it possible to implement a very classic attack against JVM (class
spoofing attack).

According to Oracle, the vulnerability was addressed by a backported
(from JDK 8) implementation of the affected component (method handles
API) in JDK 7 Update 40 from Sep 2013.

We however found out that Oracle patch could be trivially bypassed with
the use of the following:
- four character change to our original POC code published in Oct 2013,
- a custom HTTP server enforcing "404 (Not Found)" error when requesting
   a given class for the first time.

Full technical details of Oracle fix bypass can be found in our technical


Along with the report, we have also published a Proof of Concept code to
illustrate the broken fix:


The POC was successfully verified in the environment of Java SE 7 Update
97, Java SE 8 Update 74 and Java SE 9 Early Access Build 108. A complete
Java security escape could be achieved with it.

Please, note that the published material neither constitutes the bypass
of Java security levels, nor its Click2Play functionality. It's a mere
Java security sandbox escape.

At the end, it's worth to note that beside breaking a fix for Issue 69
(CVE-2013-5838), Oracle also improperly evaluated its impact. Oracle
Critical Patch Update from Oct 2013 indicated that Issue 69 could "be
exploited only through sandboxed Java Web Start applications and sandboxed
Java applets". This is not true. We verified that it could be successfully
exploited in a server environment as well such as Google App Engine for
Java [4].

Thank you.

Best Regards,
Adam Gowdiak

Security Explorations
"We bring security research to the new level"

[1] Disclosure Policy
[2] JavaLand conference, "Java (in)security" talk
[3] SE-2012-01-ORACLE-13, Issue 69
[4] SE-2014-02, Issue21 (POC23)

Copyright © 1995-2018 LinuxRocket.net. All rights reserved.