Java MBeanInstantiator findClass and Introspector Sandbox Escape

Added: 03/04/2013
CVE: CVE-2013-0431
BID: 57726
OSVDB: 89613


Java is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets.


Java versions prior to 7 Update 13 are vulnerable to a sandbox security bypass due to a misuse of the java.lang.reflect.Method class by the com.sun.jmx.mbeanserver.Introspector class. When combined with the MBeanInstantiator findClass vulnerability from CVE-2013-0422, this may allow an attacker to embed malicious java applets into a webpage and have a payload of their choice execute on a victim's system while bypassing all security warnings.


Apply the updates specified in the Oracle Java SE Critical Patch Update Advisory - February 2013.



This exploit has been tested against Oracle JRE 7 Update 11 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).



Back to exploit index