
CVE-2015-4843 PoC — Oracle Java SE and Java SE Embedded Libraries subcomponent security vulnerability

Associated Vulnerability
Title: Oracle Java SE and Java SE Embedded Libraries subcomponent security vulnerability (CVE-2015-4843)
Description: Oracle Java SE and Java SE Embedded are both products of the American company Oracle. Java SE (Java Platform, Standard Edition) is used to develop and deploy Java applications for desktops, servers, embedded devices and real-time environments; Java SE Embedded is a Java platform for developing powerful, reliable and portable applications for embedded systems. A security vulnerability exists in the Libraries subcomponent of Oracle Java SE and Java SE Embedded. A remote attacker could exploit this vulnerability to take control of the component, execute arbitrary code, and affect the confidentiality, integrity and availability of data. The following products
Readme
# Description
Details of the vulnerability are discussed on [confluence](https://thehut.atlassian.net/wiki/spaces/SOT/pages/3701669956/CVE-2015-4843+-+Phrack+paper).
This repo has been picked up after a few years of being dead; the `DisabledSecurityManager` code has not been looked at.
## OverflowDemo
This is a demo that shows we can overflow into the memory before the `dst` array. This demo works on `aarch64` and `morello`, although the overflow is only stopped on the WIP branch where the bounds are tightly constrained. This is pretty cool, as it shows that using CHERI capabilities alone does not offer sufficient protection for managed runtimes; we also need to constrain our heap.
## TypeConfusionDemo
This demo shows that by copying a `FakeClass` `oop` into an array of `RealClass` by using the overflow, we can type-confuse it and make it execute the function of `FakeClass`. This demo only works on `aarch64`: on `morello` an `oop` would not be a `MemoryAddress`, so the `IntBuffer` exploit can no longer be used, which is an interesting side benefit of our port.
# How to run
Both the overflow and the type confusion can be run from the jar with one argument:
* `overflow`: runs the `OverflowDemo`
* `confusion`: runs the `TypeConfusionDemo`

An example:
`./build/bsd-aarch64-template-aarch64-release/jdk/bin/java -Xmx8G -Xms8G -XX:+UnlockExperimentalVMOptions -XX:+UseEpsilonGC -jar /home/slatere/phrack/target/TestOverflow-1.0-SNAPSHOT-jar-with-dependencies.jar confusion`

The jar is built on the remote host using the [build-phrack.yml](https://github.com/Soteria-Research/generic-playbooks/blob/master/ansible/benchmarks/build-phrack.yml) playbook.
File Snapshot

[4.0K] /data/pocs/1b2952e64c7de5aecc2f99b634413e9ff1b612f0
├── [ 632] idx_calculator.py
├── [2.0K] pom.xml
├── [1.6K] README.md
└── [4.0K] src
    └── [4.0K] main
        └── [4.0K] java
            ├── [4.0K] DisableSecurityManager
            │   ├── [ 494] DefaultFakeClassLoader.java
            │   ├── [2.9K] DisableSecurityManager.java
            │   ├── [3.1K] FakeClassLoader.java
            │   └── [ 457] ObjectToByteArray.java
            ├── [ 840] Main.java
            └── [4.0K] TypeConfusionDemo
                ├── [1.0K] DemoHelper.java
                ├── [ 427] FakeClass.java
                ├── [1.5K] OverflowDemo.java
                ├── [ 173] ParentClass.java
                ├── [ 437] RealClass.java
                └── [1.8K] TypeConfusionDemo.java

5 directories, 14 files