Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Oracle Java SE Security Manager Bypass Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A vulnerability in the Java Runtime Environment (JRE) component of Oracle Java SE 7 Update 6 and earlier Java 7 releases allows remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions. (Java SE 6 does not ship 'com.sun.beans.finder.ClassFinder' and is not affected.) The flaw is that 'com.sun.beans.finder.ClassFinder', which the 'java.beans' API uses to resolve class names, can return classes from restricted 'sun.*' packages, such as 'sun.awt.SunToolkit', without the package-access check that the applet's class loader would otherwise enforce. The exploit then uses reflection to access and modify private fields of 'java.beans.Statement' so that a Statement calling 'System.setSecurityManager(null)' runs with full permissions, disabling the security manager and allowing unrestricted execution of Java code. This vulnerability was exploited in the wild in August 2012, before a fix was available.

Impact

Exploitation of this vulnerability gives the attacker arbitrary code execution on the affected system with the privileges of the Java plug-in process, i.e. those of the user running the browser. Because unsigned applets loaded automatically in the browsers of the time, simply visiting a page that embeds the malicious applet is sufficient; no further user interaction is required.

Reproduction

The vulnerability can be reproduced with a Java applet that resolves a class in a restricted 'sun.*' package, such as 'sun.awt.SunToolkit', through 'com.sun.beans.finder.ClassFinder' (the 'java.beans' API routes a 'Class.forName' request made via 'java.beans.Expression' through that finder). With a reference to 'sun.awt.SunToolkit' in hand, the applet uses its field-access helper to reflectively read and modify private fields, including the AccessControlContext that a 'java.beans.Statement' runs under, replacing it with one that carries all permissions. A 'java.beans.Statement' that invokes 'System.setSecurityManager(null)' is then executed under that context, which removes the security restrictions and allows the applet to perform any action the JVM permits.
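The following probe is an added diagnostic, not the exploit described above and not code from the original advisory. It installs the default SecurityManager (the position an untrusted applet is in) and then asks for the restricted class 'sun.awt.SunToolkit' two ways: directly with 'Class.forName', which every JRE must refuse, and through the 'java.beans.Expression' path that the exploit relied on, which a pre-7u7 JRE answers with the Class object and a patched JRE refuses. It only resolves a name; it never reads private fields or alters the manager. It assumes it is compiled and run on the Java 7 JRE under test ('javac ClassFinderProbe.java && java ClassFinderProbe'); JDK 18 and later refuse to install a SecurityManager unless started with '-Djava.security.manager=allow', and the result is only meaningful on a Java 7 build anyway.

```java
import java.beans.Expression;

/*
 * Diagnostic probe for the java.beans / ClassFinder package-access bypass
 * fixed in Java SE 7 Update 7. Added example, not the advisory's exploit.
 * Assumption: run on the Java 7 JRE under test with the default policy.
 */
public class ClassFinderProbe {

    // Restricted class named in the advisory. Under a SecurityManager every
    // class loader must refuse sun.* lookups via checkPackageAccess.
    static final String RESTRICTED = "sun.awt.SunToolkit";

    /** Baseline: a plain Class.forName from application code must be refused. */
    static boolean forNameAllowed() {
        try {
            Class.forName(RESTRICTED);
            return true;                 // manager not in force; the probe result is meaningless
        } catch (SecurityException refused) {
            return false;                // expected on every JRE
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /**
     * The primitive the exploit used: java.beans.Statement special-cases a
     * Class.forName request and resolves it through
     * com.sun.beans.finder.ClassFinder. On 7u6 and earlier the finder falls
     * back to a bootstrap lookup that performs no package-access check, so
     * the restricted Class object is returned to untrusted code. On 7u7 and
     * later the lookup throws SecurityException instead.
     */
    static boolean beansForNameAllowed() {
        try {
            Expression lookup = new Expression(Class.class, "forName", new Object[] { RESTRICTED });
            Object result = lookup.getValue();   // executes the call if not already executed
            return result instanceof Class;      // got sun.awt.SunToolkit despite the manager
        } catch (SecurityException refused) {
            return false;                        // patched: package access is checked here too
        } catch (Exception other) {
            return false;                        // anything else: not this bug
        }
    }

    public static void main(String[] args) {
        // Default manager and default policy: application code gets only the
        // limited grants of java.policy, just as an unsigned applet would.
        System.setSecurityManager(new SecurityManager());

        System.out.println("java.version             : " + System.getProperty("java.version"));
        System.out.println("Class.forName(sun.awt.*) : "
                + (forNameAllowed() ? "ALLOWED (manager ineffective, ignore result)" : "refused (expected)"));
        System.out.println("java.beans forName path  : "
                + (beansForNameAllowed() ? "ALLOWED -> VULNERABLE (pre-7u7)" : "refused -> patched"));
    }
}
```

Read the two lines together: the first must say "refused" for the run to be valid at all; the second line is the verdict. A JRE that answers the beans path with the Class object hands untrusted code the same foothold the in-the-wild applet started from.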

Remediation

Users are advised to update to Oracle Java SE 7 Update 7, which Oracle released out of band on 30 August 2012 to address this vulnerability; download instructions are available on the Oracle website. Users who do not need applets can also disable the Java plug-in in their web browser, which protects against this and future applet-delivered vulnerabilities; that setting does not affect standalone Java applications. Note that Java 7 as a whole has since reached the end of public updates, so remaining on any Java 7 release is not a supported configuration.

Added: May 15, 2026, 9:04 AM
Updated: May 15, 2026, 9:04 AM

Vulnerability Rating

Custom Algorithm
spread           9.0
impact          10.0
exploitability   6.1
remediation      8.3
relevance        0.0
threat           9.9
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.