
Oracle Java SE 7 Issue 69

Posted Oct 17, 2013
Authored by Adam Gowdiak | Site security-explorations.com

The CPU released Oct 15, 2013 by Oracle included information about a fix for Java SE 7 vulnerability (Issue 69) that was reported to the company in July.

tags | advisory, java
SHA-256 | 8836a50caf231af0bc2808d25511d8afa12be6798b069187840e5e846e7cbf09


Hello All,

The CPU released yesterday (Oct 15, 2013) by Oracle included information
about a fix for Java SE 7 vulnerability (Issue 69) that was reported to
the company in July.

Issue 69 makes it possible to conduct a very classic attack against the
Java VM - the so-called class spoofing attack. To quote the paper from
2002 [1] (5.2 Class Loader attack / class spoofing paragraph):

"Protection of Class Loader objects is one of the key aspects of the Java
Virtual Machine security. This is due to the role Class Loaders play in
the process of class loading and dynamic linking. Class Loaders are
responsible for providing JVM with classes’ definitions. When doing this,
Class Loaders always make sure that a given class file is loaded into Java
Runtime only once by a given Class Loader instance. Additionally, they make
sure that there exists only one and unique class file for a given class
These two requirements are maintained in order to provide proper separation
of namespaces belonging to different Class Loader objects. [...] for each
instance of Class Loader object, separate namespace is maintained. Each such
namespace contains a unique set of classes that were loaded by a given Class
Loader instance. Because of the possibility that two different Class Loader
objects can exist in one JVM, proper maintenance of their namespaces is
critical to the overall JVM security. This is primarily due to the fact that
any overlapping of two different namespaces can easily lead to class
and as a result, to type confusion attack."

Issue 69 makes it possible to violate the security constraints imposed on
Class Loaders that guard their namespaces. This is due to the new Reflection
API and the way it was implemented at the core VM level.

With the new Reflection API, Method Handles were introduced to Java as a
form of arbitrary code execution transfer.

An additional quote from the same paper states the following:

"There exist at least two other theoretical variants, which could be used to
conduct class spoofing attack without implicit use (and overriding) of the
Class Loader’s loadClass method. Both of these attacks are based upon the
idea of spoofing class definitions at the point in a Java program when code
is transferred from one namespace to the other. In Java, such execution
can be done with the use of exceptions and virtual methods. In the first
an attack variant known as Princeton Class Loader attack was identified in
the past. This attack was based upon the fact that exceptions could be
thrown in one namespace and caught in the other. As a result, a definition
of a of java.lang.Throwable class could be spoofed and confused along
different namespaces. In the second variant of the class spoofing attack, an
arbitrary hierarchy of classes is created. This hierarchy contains the
classes that come from different namespaces and that define the same virtual
method. Upon the invocation of the virtual method done from one namespace, a
call to its instance in the class defined in the other namespace could be
theoretically done. Consequently, some arbitrary types of the method’s
arguments could be as they could be defined differently in different
namespaces."

Our class spoofing attack relies on the possibility to transfer code
from one Class Loader namespace to the other one by the means of Method
The transfer is done across a method signature that has a different
for a given named type in both Class Loader namespaces. Thus, class

In normal circumstances, presence of conflicting class names (spoofed
in a method signature should be caught by Java VM. This was not the case
for new Reflection API and Method Handle based calls done across Class Loader

Actual details and a Proof of Concept code illustrating the described
and class spoofing attack are available at the following address:


Due to the fact that in Sep 2013 Oracle backported (from JDK 8) the
implementation of the affected component to JDK 7 Update 40, the POC code
will only work on Java SE 7 Update 25 and below.


As for other things, we would also like to report that a new vulnerability
notice was sent to IBM today. It included information and Proof of Concept
codes for two new complete Java sandbox escape vulnerabilities affecting IBM
SDK, Java Edition, Version 7.0 SR5 (Linux 32-bit x86 build
pxi3270sr5-20130619_01 SR5 tested).

Apart from that we also pointed out to IBM that one of the issues originally
reported to the company in Sep 2012 has not been fixed properly. The patch
for it (the second attempt to address it) can be still successfully bypassed.
As a result, complete Java security sandbox escape can be gained in the
environment of vulnerable

Thank you.

Best Regards
Adam Gowdiak

Security Explorations
"We bring security research to the new level"


[1] Java and Java VM security vulnerabilities and their exploitation
Last Stage of Delirium Research Group, http://lsd-pl.net/