Oracle Java Rhino Script Engine Code Execution

Added: 12/02/2011
CVE: CVE-2011-3544
BID: 50218
OSVDB: 76500


Java is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This makes it well suited to applications that must run on various hardware platforms, such as web applets.
The JRE bundles a JavaScript engine called Rhino. In addition to providing basic JavaScript functionality, Rhino allows Java objects to interact with JavaScript variables.


Rhino content runs outside the control of the Java SecurityManager and relies on its own security layer. The vulnerability arises when a Rhino script defines a toString method on the 'this' object; that method can disable the SecurityManager for the entire applet and run a malicious payload. If an error object's message property is set to 'this' and the error is returned, an attacker can execute arbitrary code on the target system.


Upgrade to Oracle JRE 6 Update 28 or later.
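As an added check for the remediation above (example code, not part of this advisory): a Python script that parses `java -version` output and reports whether a JRE 6 installation is at or above Update 28. The regex, the classification labels and the `assess_local_jre` helper are my own assumptions; the advisory states the fix level only for JRE 6, so other major versions are reported as out of scope.

```python
"""Check `java -version` output against the CVE-2011-3544 fix level (JRE 6 Update 28).

Added example, not part of the original advisory. Parses the banner line
of `java -version` (e.g. 'java version "1.6.0_27"') and reports whether a
JRE 6 install meets the advisory's fix level. Other major versions are
outside the advisory's scope and are reported as such.
"""
import re
import subprocess

# Matches e.g. 'java version "1.6.0_27"', 'java version "1.6.0_28-b10"',
# or 'openjdk version "11.0.2"'; the _NN update suffix is optional.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

FIXED_JRE6_UPDATE = 28  # advisory: upgrade to Oracle JRE 6 Update 28 or later


def parse_java_version(output: str):
    """Return (major, minor, patch, update) from `java -version` text, or None."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return int(major), int(minor), int(patch), int(update or 0)


def assess_cve_2011_3544(output: str) -> str:
    """Classify a banner as 'vulnerable', 'fixed', 'out-of-scope' or 'unknown'."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown"
    major, minor, _patch, update = parsed
    if (major, minor) != (1, 6):
        return "out-of-scope"  # the advisory only gives a fix level for JRE 6
    return "fixed" if update >= FIXED_JRE6_UPDATE else "vulnerable"


def assess_local_jre() -> str:
    """Run `java -version` (which prints to stderr) and assess the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except OSError:
        return "unknown"  # no java binary on PATH
    return assess_cve_2011_3544(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample matching the tested platform in this advisory (JRE 6u27).
    SAMPLE = 'java version "1.6.0_27"\nJava(TM) SE Runtime Environment (build 1.6.0_27-b07)\n'
    print(assess_cve_2011_3544(SAMPLE))  # vulnerable
    print(assess_local_jre())
```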



This exploit has been tested against Oracle JRE 6 Update 27 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).