CVE-2012-4681

Published: 28/08/2012 Updated: 05/08/2017
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote malicious users to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

Affected Products

Vendor   Product   Versions
Oracle   Jdk       1.4.2 38, 1.5.0, 1.6.0, 1.7.0
Oracle   Jre       1.4.2 38, 1.5.0, 1.6.0, 1.7.0
Sun      Jdk       1.4.2, 1.4.2 1, 1.4.2 2, 1.4.2 3, 1.4.2 4, 1.4.2 5, 1.4.2 6, 1.4.2 7, 1.4.2 8, 1.4.2 9, 1.4.2 10, 1.4.2 11, 1.4.2 12, 1.4.2 13, 1.4.2 14, 1.4.2 15, 1.4.2 16, 1.4.2 17, 1.4.2 18, 1.4.2 19, 1.4.2 22, 1.4.2 23, 1.4.2 25, 1.4.2 26, 1.4.2 27, 1.4.2 28, 1.4.2 29, 1.4.2 30, 1.4.2 31, 1.4.2 32, 1.4.2 33, 1.4.2 34, 1.4.2 35, 1.4.2 36, 1.4.2 37, 1.5.0, 1.6.0, 1.6.0.200, 1.6.0.210
Sun      Jre       1.4.2 1, 1.4.2 2, 1.4.2 3, 1.4.2 4, 1.4.2 5, 1.4.2 6, 1.4.2 7, 1.4.2 8, 1.4.2 9, 1.4.2 10, 1.4.2 11, 1.4.2 12, 1.4.2 13, 1.4.2 14, 1.4.2 15, 1.4.2 16, 1.4.2 17, 1.4.2 18, 1.4.2 19, 1.4.2 20, 1.4.2 21, 1.4.2 22, 1.4.2 23, 1.4.2 24, 1.4.2 25, 1.4.2 26, 1.4.2 27, 1.4.2 28, 1.4.2 29, 1.4.2 30, 1.4.2 31, 1.4.2 32, 1.4.2 33, 1.4.2 34, 1.4.2 35, 1.4.2 36, 1.4.2 37, 1.5.0, 1.6.0

Vendor Advisories

Synopsis: Important: java-1.7.0-openjdk security update. Type/Severity: Security Advisory: Important. Topic: Updated java-1.7.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security im ...
Synopsis: Critical: java-1.7.0-oracle security update. Type/Severity: Security Advisory: Critical. Topic: Updated java-1.7.0-oracle packages that fix several security issues are now available for Red Hat Enterprise Linux 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical se ...
Synopsis: Critical: java-1.6.0-openjdk security update. Type/Severity: Security Advisory: Critical. Topic: Updated java-1.6.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact C ...
Synopsis: Important: java-1.6.0-openjdk security update. Type/Severity: Security Advisory: Important. Topic: Updated java-1.6.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact ...
Synopsis: Critical: java-1.7.0-ibm security update. Type/Severity: Security Advisory: Critical. Topic: Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security ...
Synopsis: Critical: java-1.6.0-sun security update. Type/Severity: Security Advisory: Critical. Topic: Updated java-1.6.0-sun packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical se ...

Exploits

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # metasploit.com/ ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking includ ...

Metasploit Modules

Java 7 Applet Remote Code Execution

The exploit takes advantage of two issues in JDK 7, ClassFinder and MethodFinder.findMethod(), both newly introduced in JDK 7. ClassFinder replaces the classForName used in JDK 6, and it lets untrusted code obtain a reference to, and gain access to, a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can invoke getField() by abusing findMethod() in Statement.invokeInternal() (getField() must be public, which is not always the case in JDK 6) in order to reach Statement.acc's private field, modify the AccessControlContext, and then disable the Security Manager. Once the Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including IE, Firefox, Safari and Chrome on Windows, Ubuntu, OS X and Solaris.

msf > use exploit/multi/browser/java_jre17_exec
msf exploit(java_jre17_exec) > show targets
      ...targets...
msf exploit(java_jre17_exec) > set TARGET <target-id>
msf exploit(java_jre17_exec) > show options
      ...show and set options...
msf exploit(java_jre17_exec) > exploit
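A defender-side triage check for the chain this module entry describes, added here as an example that is not part of the original page or of the Metasploit module: it scans an applet JAR for the class references the two stages need (ClassFinder, sun.awt.SunToolkit, Statement, AccessControlContext) and for the class names of the in-the-wild sample cited in the summary. The indicator set and the in-memory JAR it scans are constructed for the demonstration.

```python
import io
import zipfile

# Constructed triage indicators (not a vendor signature) for the chain above: class
# refs use '/' in the constant pool; the name handed to findClass is a dotted literal.
INDICATORS = {
    "classfinder": (b"com/sun/beans/finder/ClassFinder", b"com.sun.beans.finder.ClassFinder"),
    "suntoolkit": (b"sun/awt/SunToolkit", b"sun.awt.SunToolkit"),
    "statement": (b"java/beans/Statement",),
    "acc": (b"java/security/AccessControlContext",),
}
KNOWN_NAMES = {"Gondzz.class", "Gondvv.class"}  # in-the-wild sample named in the summary

def scan_class(blob):
    """Return the indicator tags whose strings occur in one class file."""
    return {tag for tag, needles in INDICATORS.items() if any(n in blob for n in needles)}

def scan_jar(jar_bytes):
    """Scan every .class member of a JAR; return (verdict, {member: [tags]})."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if not name.endswith(".class") or blob[:4] != b"\xca\xfe\xba\xbe":
                continue  # skip resources and anything that is not a class file
            tags = scan_class(blob)
            if name.rsplit("/", 1)[-1] in KNOWN_NAMES:
                tags.add("known_sample_name")
            if tags:
                findings[name] = sorted(tags)
    # The chain needs both the restricted-package loader and the SunToolkit
    # target, so an applet touching both is a hit. A lone Statement or
    # ClassFinder reference is common in legitimate JavaBeans code: review only.
    all_tags = set().union(*findings.values())
    if "known_sample_name" in all_tags or {"classfinder", "suntoolkit"} <= all_tags:
        return "suspicious", findings
    return ("review" if all_tags else "clean"), findings

def build_sample_jar(members):
    """Build an in-memory JAR of fake class files (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, b"\xca\xfe\xba\xbe" + body)
    return buf.getvalue()

# Constructed samples: one mimicking the reported chain, one benign applet.
SAMPLE_SUSPICIOUS = build_sample_jar({
    "Gondvv.class": b"com/sun/beans/finder/ClassFinder sun.awt.SunToolkit java/beans/Statement",
    "Gondzz.class": b"java/security/AccessControlContext",
})
SAMPLE_BENIGN = build_sample_jar({"Hello.class": b"java/lang/Object java/applet/Applet"})
```

Plain string matching misses obfuscated variants (the armoring experiment listed under Github Repositories exists to test exactly that), so a "clean" verdict is absence of evidence, not a pass; the Java 7 Update 7 patch level remains the primary control.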

Github Repositories

PoCs-CVE_2012_4681: A Simple PoC for CVE-2012-4681

Experts in network security monitoring and network forensics NETRESEC > Resources > PCAP Files: Publicly available PCAP files. This is a list of public packet capture repositories, which are freely available on the Internet. Most of the sites listed below share Full Packet Capture (FPC) files, but ...

CVE-2012-4681-Armoring: Overview. A manual antivirus evasion armoring experiment for CVE-2012-4681 inspired by security-obscurity.blogspot.com/2012/11/java-exploit-code-obfuscation-and.html. Base Exploit: pastie.org/4594319. Results as of 9/26/2014 and 8/2/2016: Sample Notes | 2014 Score (positive detections) | 2016 Score (positive detections) | Original Sample | http:/ ...

github.com/LiamRandall/BroExchange2013-Malware: Bro Exchange 2013 Malware Analysis. Bro is an incredibly flexible platform that offers incident responders a wide variety of detection mechanisms coupled with a powerful domain specific language. In this session we will examine common exploit kits and implement a variety of signature and heur ...

Exploits: Exploits and proof-of-concept code from the team at Hacker House. Filename | Description: AirWatchMDMJailbreakBypass.txt, Bypass jailbreak detection on mobile device management AirWatch for IOS; AIX-0days.txt, AIX 42 local root vulnerabilities; amanda-amstar.txt, Advanced Maryland Automatic Network Disk Archiver local root privilege escalation exploit; amanda-back ...

Recent Articles

Investigation Report for the September 2014 Equation malware detection incident in the US
Securelist • Kaspersky Lab • 16 Nov 2017

In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were tr...

The Epic Turla Operation
Securelist • GReAT • 07 Aug 2014

Technical Appendix with IOCs
Over the last 10 months, Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call “Epic Turla”. The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including government institutions, embassies, military, education, research and pharmaceutical companies.
The attacks are known to have used at least two zero-day exploits:
We also observed exploits against older (p...

Java under attack – the evolution of exploits in 2012-2013
Securelist • Kaspersky Lab • 30 Oct 2013

One of the biggest problems facing the IT security industry is the use of vulnerabilities in legitimate software to launch malware attacks. Malicious programs can use these vulnerabilities to infect a computer without attracting the attention of the user – and, in some cases, without triggering an alert from security software.
That’s why cyber criminals prefer these attacks, known as exploits, over other infection methods. Unlike social engineering, which can be hit or miss, the use of...

Central Tibetan Administration Website Compromised
Securelist • Kurt Baumgartner • 12 Aug 2013

A snippet of code on the Central Tibetan Administration website redirects CN speaking visitors to a Java exploit that drops an APT-related backdoor. For some context, the site claims the administration itself as “…the Central Tibetan Administration (CTA) of His Holiness the Dalai Lama, this is the continuation of the government of independent Tibet.” The selection of placement for the malicious code is fairly extraordinary, so let’s dive in.

The attack itself is precisely ta...

Report: Malvertising Campaign Thrives on Dynamic DNS
Threatpost • Chris Brook • 11 Feb 2013

A malvertising campaign that’s lasted almost half a year is staying alive thanks to infected web advertisements being circulated by otherwise clean ad networks.
The campaign, now in its fifth month, relies on the Dynamic Domain Name System (DDNS) to keep it from being caught according to a report from Symantec’s Security Response blog that likens its relationship to a “never-ending story.”
Attackers have been leveraging the ads by inserting their own obfuscated J...

Bots, Zeus, Web Exploits: the Most Potent Threats of 2012
Threatpost • Brian Donohue • 07 Feb 2013

Every year it seems that security-related news advances further from its roots in national security circles, IT departments, and the antivirus industry into the mainstream consciousness. From July to the end of year was no exception. However, despite a handful of flashy security stories, F-Secure claims that the second half of 2012 was really about things that rarely (if ever) come up in local and national news: botnets, ZeroAccess in particular, Java and other Web exploits, and the ubiquitous Z...

Nasty New Java Zero Day Found; Exploit Kits Already Have It
Threatpost • Michael Mimoso • 10 Jan 2013

UPDATE – Security experts are urging users to disable Java immediately after the discovery of another zero-day exploit that has been incorporated into the Blackhole, Redkit, Cool and Nuclear Pack exploit kits.
According to a French researcher who uses the handle Kafeine, the exploits target the latest version of the Java platform, Java 1.7 Update 10. Jaime Blasco, manager at AlienVault Labs, said his team was able to reproduce the exploit on a fully patched Java install.

Kaspersky Security Bulletin 2012. Malware Evolution
Securelist • David Emm, Costin Raiu • 05 Dec 2012

This is Kaspersky Lab’s annual threat analysis report covering the major issues faced by corporate and individual users alike as a result of malware, potentially harmful programs, crimeware, spam, phishing and other different types of hacker activity.
The report has been prepared by the Global Research & Analysis Team (GReAT) in conjunction with Kaspersky Lab’s Content & Cloud Technology Research and Anti-Malware Research divisions.
At the end of last year we published ...

Dockster Mac Malware Targets Dalai Lama Website Through Flashback Vulnerability
Threatpost • Michael Mimoso • 03 Dec 2012

Mac malware targeting Tibetan supporters is being served on a website connected to the Dalai Lama. The Dockster Trojan, discovered by researchers at F-Secure, exploits the same Java vulnerability as the virulent Flashback Trojan that hit more than 600,000 OS X users earlier this year.
F-Secure researcher Sean Sullivan said current versions of OS X are not vulnerable; users who have disabled the Java browser plug-in are also not vulnerable. Sullivan said Dockster is “a basic b...

IT Threat Evolution: Q3 2012
Securelist • Yury Namestnikov • 01 Nov 2012

During Q3 2012, over 9,000 new malicious .dex files were added to our malware collection. This is 5,000 files fewer than last quarter but 3,500 more than in Q1 2012.
This is due to the fact that in Q2 files that had been detected heuristically for some time were added to our malware collection. (Note that one heuristic is used to detect a large number of different programs.) In Q3, the situation was standard and the number of new files added to our collection was in line with the trend we ...

Apple Java update fails to address mega-flaw – researcher
The Register • John Leyden • 06 Sep 2012

Chocolate coffee-pot

Apple released a Java update on Wednesday but it does not tackle a high-profile flaw that has become the target of attacks over recent weeks.
Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10 offer patched versions of Java for OS X Lion and Mountain Lion systems that tackle CVE-2012-0547. But this is a different beastie from the CVE-2012-4681 megabug currently stalking Java users, KrebsOnSecurity reports.
Security vulnerabilities in Java are an all-too-real danger for Mac f...

Apple Fixes Flaws, Updates Java 6 for OS X
Threatpost • Chris Brook • 06 Sep 2012

Apple pushed out a Java update for its Snow Leopard, Lion and Mountain Lion systems Wednesday, fixing vulnerabilities Oracle tackled in last week’s emergency CVE-2012-4681 patch. Both Java for Mac OS X 10.6 Update 10 and Java for OS X 2012-005 update the Java SE 6 plugin and, in what might be a sign of Apple’s growing displeasure with the platform, help configure browsers to not automatically run Java applets.

“If no applets have been run for an extended period of...

Newest Java 7 Update Still Exploitable, Researcher Says
Threatpost • Dennis Fisher • 04 Sep 2012

UPDATE – Oracle last week patched the two zero-day vulnerabilities in Java that attackers had been exploiting in targeted attacks, but it didn’t take long for researchers to poke more holes in the software. A new bug that allows a complete Java sandbox escape has been identified already, the latest in what has become a long line of flaws haunting the Java software running on hundreds of millions of machines.
Adam Gowdiak, a researcher at Security Explorations, a Polish firm t...

Oracle Releases Fix For Java CVE-2012-4681 Flaw
Threatpost • Dennis Fisher • 30 Aug 2012

Oracle on Thursday released a new version of Java that included a fix for the CVE-2012-4681 vulnerability that has been used in limited targeted attacks in the last couple of weeks. The release of Java 7 update 7 comes about four days after the Java flaw was publicly disclosed, but several months after researchers say they notified Oracle of the problem.
Oracle didn’t release a security advisory or acknowledge the vulnerability until releasing the new version, along with some...

Use of Java Zero-Day Flaws Tied to Nitro Attack Crew
Threatpost • Dennis Fisher • 30 Aug 2012

Researchers say that one of the attack groups using the two new Java zero-day vulnerabilities is the same group that was behind an earlier targeted attack campaign from 2011. That group was traced back to China and was essentially running a spear-phishing campaign, but now the crew, known as Nitro, is using the Java vulnerabilities in Web-based attacks that install the Poison Ivy remote-access tool.
The attacks have been going on for more than a week, researchers say, and the N...

Super-critical Java zero-day exploits TWO bugs
The Register • John Leyden • 30 Aug 2012

Write Once, Exploit Everywhere

A potent Java security vulnerability that first appeared earlier this week actually leverages two zero-day flaws. The revelation comes as it emerged Oracle knew about the holes as early as April.
Windows, Mac OS X and Linux desktops running multiple browser platforms are all vulnerable to attacks. Exploit code already in circulation first uses a vulnerability to gain access to the restricted sun.awt.SunToolkit class before a second bug is used to disable the SecurityManager, and ultimately to...

Java zero day = time to disable Java, in your browser at least
welivesecurity • Stephen Cobb • 29 Aug 2012

Now is the time to disable Java in your web browser, or even remove it from your system if that is practical. Why? The bad guys are hard at work trying to exploit a zero day vulnerability in the latest version of Java (version 1.7, Update 6). This vulnerability is the subject of a US-CERT Alert (TA12-240A) and ESET researchers have been able to confirm that the Blackhole exploit kit, popular with malware makers, now has the ability to take advantage of the vulnerability.
We hope to publis...

The Current Web-Delivered Java 0day
Securelist • Kurt Baumgartner • 28 Aug 2012

The Java 0day activity that we have been monitoring and preventing for almost the past week has been irresponsibly reported on other blogs, with early posts publicly linking to known sites serving the 0day. In itself, the race to publish on this 0day that will be assigned CVE-2012-4681 (a problem with processing access control within “protection domains”), has been irresponsible. Would you encourage folks to walk down a mugger’s dark alley with no protection or would you work to communicat...