The 2009 Pwnie Nominee For Best Client-Side Bug

Java Calendar Object Deserialization Sandbox Privilege Escalation (CVE-2008-5353)

Credit: Sami Koivu, Julien Tinnes

When I was young, my mother would always warn me, “Don’t go deserializing untrusted object input streams in a privileged context.” The Java Calendar class did not heed this warning and, as expected, bad things were possible. As Sami discovered, when the object is deserialized, it is instantiated, but not by calling its constructor. That’d be too easy. When a subclass of a non-serializable class is deserialized, the non-serializable parent class’s no-argument constructor is called and the subclass’s fields are explicitly deserialized. Got that? Good. Well, if the attacker subclasses a class with a constructor that unprivileged code should not be able to call (i.e. ClassLoader), the deserialization calls that constructor within the doPrivileged() block and then explicitly sets the subclass’s fields, which can be used to snarf a reference to the instantiated super class (ClassLoader). In a Java applet, this reference is a “get out of jail free” card.
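The constructor behaviour described above, as an added example that is not part of the original writeup: a harmless stand-in class (`PrivilegedOnly`, hypothetical) plays the role of ClassLoader, and a serializable subclass shows that deserialization runs the non-serializable ancestor's constructor while skipping the subclass's own. The second read applies the Java 9+ `ObjectInputFilter` allow-list mitigation, so an unexpected class is rejected before any constructor runs.

```java
import java.io.*;

// Stand-in for a class whose constructor should only run in a trusted context
// (the page's real-world analogue is ClassLoader). Deliberately NOT Serializable.
class PrivilegedOnly {
    static int constructorCalls = 0;
    public PrivilegedOnly() {
        constructorCalls++;
        System.out.println("PrivilegedOnly() constructor ran");
    }
}

// Serializable subclass: on deserialization its own constructor is skipped, but the
// no-arg constructor of the first non-serializable ancestor (PrivilegedOnly) is invoked.
class Sneaky extends PrivilegedOnly implements Serializable {
    private static final long serialVersionUID = 1L;
    public Sneaky() { System.out.println("Sneaky() constructor ran"); }
}

public class DeserializationDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new Sneaky());   // constructed sample stream
        PrivilegedOnly.constructorCalls = 0;

        // Unfiltered read: PrivilegedOnly() runs, Sneaky() does not.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.readObject();
        }
        System.out.println("constructorCalls after unfiltered read = " + PrivilegedOnly.constructorCalls);

        // Mitigation (Java 9+): allow-list filter; everything not listed is rejected
        // before instantiation, so the ancestor constructor is never reached.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter("java.util.Date;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            ois.readObject();
        } catch (InvalidClassException e) {
            System.out.println("filter rejected: " + e.getMessage());
        }
    }
}
```

Run with `javac DeserializationDemo.java && java DeserializationDemo` on a JDK 9 or later; the unfiltered read reports one constructor call and the filtered read ends in the rejection message.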

Sami and Julien ended up exploiting this vulnerability on Firefox and Safari for Mac OS X on the first day of Pwn2own 2009, but it was disqualified because it had already been reported to the vendor. Haven’t they learned from Charlie Miller that you are supposed to sit on the vulnerability all year until Pwn2own?
