Nytro

Security vulnerabilities in Java SE, PoC codes


/*## (c) SECURITY EXPLORATIONS    2012 poland                                #*/
/*## http://www.security-explorations.com #*/

/* RESEARCH MATERIAL: SE-2012-01 */
/* [Security vulnerabilities in Java SE, PoC codes] */

This package contains Proof of Concept codes illustrating security weaknesses
discovered during SE-2012-01 security research project. Impact characteristics
of the included codes are presented below:

- PoC for Issue 1
complete Java security sandbox bypass

- PoC for Issue 2
complete Java security sandbox bypass

- PoC for Issue 3
complete Java security sandbox bypass

- PoC for Issue 4
complete Java security sandbox bypass

- PoC for Issue 5
complete Java security sandbox bypass

- PoC for Issue 6
complete Java security sandbox bypass

- PoC for Issue 7
complete Java security sandbox bypass

- PoC for Issues 8 and 16
complete Java security sandbox bypass

- PoC for Issues 11 and 19
complete Java security sandbox bypass

- PoC for Issues 12 and 13
complete Java security sandbox bypass

- PoC for Issue 14
JVM properties access

- PoC for Issue 15
newInstance of arbitrary class in a doPrivileged block

- PoC for Issues 20 and 21
complete Java security sandbox bypass

- PoC for Issue 20
complete Java security sandbox bypass

- PoC for Issues 15 and 22
complete Java security sandbox bypass

- PoC for Issues 8 and 23
JVM properties access, file read access

- PoC for Issue 26
complete Java security sandbox bypass

- PoC for Issue 30
JVM properties access

- PoC for Issue 31
newInstance of arbitrary class in a doPrivileged block

- PoC for Issues 1 and 32
complete Java security sandbox bypass

- PoC for Issue 32
complete Java security sandbox bypass

- PoC for Issue 33
complete Java security sandbox bypass

- PoC for Issue 34
complete Java security sandbox bypass

- PoC for Issue 35
complete Java security sandbox bypass

- PoC for Issue 36
complete Java security sandbox bypass

- PoC for Issue 37
complete Java security sandbox bypass

- PoC for Issues 38 and 39
complete Java security sandbox bypass

- PoC for Issues 40, 41 and 42
complete Java security sandbox bypass

- PoC for Issues 43, 44 and 45
complete Java security sandbox bypass

- PoC for Issues 46, 47 and 48
complete Java security sandbox bypass

- PoC for Issue 49
complete Java security sandbox bypass

It is best to start the analysis / tests of Oracle codes with the following
versions of Java SE:
JRE/JDK 7 (version 1.7.0-b147)
JRE/JDK 7u1 (version 1.7.0_01-b08)
JRE/JDK 7u2 (version 1.7.0_02-b13)
JRE/JDK 7u3 (version 1.7.0_03-b05)
JRE/JDK 7u4 (version 1.7.0_04-ea-b18, early access release from 29 Mar 2012)

These are the versions that were vulnerable to all of the security issues originally
reported to the company in Apr 2012. Consecutive releases of Oracle's Java SE
software from Jun, Aug and Oct 2012 addressed most of the issues (29 out of 31
as of Nov 17, 2012).

Download:

http://www.security-explorations.com/materials/se-2012-01-codes.zip

Other documents: http://www.security-explorations.com/materials/
