Rule Category

FILE-JAVA -- Snort has detected traffic targeting vulnerabilities that are exploited in Java files such as .class or .jar.

Alert Message

FILE-JAVA IBM Java invokeWithPrivilege method call attempt

Rule Explanation

This event is generated when a user attempts to download a .class file that contains a call to the invokeWithPrivilege() method, which can be used to escape the sandbox in vulnerable versions of IBM Java.

Impact: Attempted User Privilege Gain

Details: The rule checks for a .class file containing a call to invokeWithPrivilege() from the com.ibm.rmi.util.ProxyUtil class.

Ease of Attack: Hard

What To Look For

Known Usage

No public information

False Positives

Known false positives, with the described conditions

Any .class file containing the method will be detected.
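The check the rule explanation describes, reimplemented offline as an added example. This is not the Snort rule itself and not IBM or Talos code: it parses the constant pool of a Java class file, resolves every Methodref to its class, method name and descriptor, and flags a reference to com/ibm/rmi/util/ProxyUtil.invokeWithPrivilege (the internal form of com.ibm.rmi.util.ProxyUtil). The two sample class files are constructed inside the block, and the method descriptor used for invokeWithPrivilege is a placeholder, since the page gives no signature. The match is on the method reference alone, which is exactly why the false-positive note above holds: a class that references the method for any reason is flagged the same way as a sandbox escape.

```python
import struct

# Constant pool tags from the JVM specification (section 4.4). Utf8 (tag 1) is
# variable length; BODY_SIZE gives the body length of every fixed-size entry.
TAG_UTF8, TAG_LONG, TAG_DOUBLE, TAG_CLASS = 1, 5, 6, 7
TAG_METHODREF, TAG_IMETHODREF, TAG_NAMEANDTYPE = 10, 11, 12
BODY_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
             15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# The reference named in the rule explanation, in class-file internal form.
TARGET_CLASS = "com/ibm/rmi/util/ProxyUtil"
TARGET_METHOD = "invokeWithPrivilege"


def parse_constant_pool(data: bytes) -> list:
    """Return the constant pool as (tag, body) tuples indexed 1..count-1."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file (bad magic)")
    count = struct.unpack_from(">H", data, 8)[0]
    pool = [None] * count
    off, i = 10, 1
    while i < count:
        tag = data[off]
        off += 1
        if tag == TAG_UTF8:
            length = struct.unpack_from(">H", data, off)[0]
            pool[i] = (tag, data[off + 2:off + 2 + length].decode("utf-8", "replace"))
            off += 2 + length
        elif tag in BODY_SIZE:
            pool[i] = (tag, data[off:off + BODY_SIZE[tag]])
            off += BODY_SIZE[tag]
            if tag in (TAG_LONG, TAG_DOUBLE):
                i += 1  # 8-byte constants occupy two pool slots
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        i += 1
    return pool


def method_refs(data: bytes) -> list:
    """Resolve every Methodref/InterfaceMethodref to (class, name, descriptor)."""
    pool = parse_constant_pool(data)
    refs = []
    for entry in pool[1:]:
        if entry and entry[0] in (TAG_METHODREF, TAG_IMETHODREF):
            class_idx, nat_idx = struct.unpack(">HH", entry[1])
            class_name = pool[struct.unpack(">H", pool[class_idx][1])[0]][1]
            name_idx, desc_idx = struct.unpack(">HH", pool[nat_idx][1])
            refs.append((class_name, pool[name_idx][1], pool[desc_idx][1]))
    return refs


def references_invoke_with_privilege(data: bytes) -> bool:
    """The check itself: the method reference alone decides, not the descriptor."""
    return any(c == TARGET_CLASS and m == TARGET_METHOD for c, m, _ in method_refs(data))


def build_class(this_name: str, refs: list) -> bytes:
    """Constructed sample input: a minimal class with no fields, methods or code
    whose constant pool references the given (class, method, descriptor) triples."""
    pool = []
    def add(entry):
        pool.append(entry)
        return len(pool)  # pool indices are 1-based
    def utf8(text):
        for idx, entry in enumerate(pool, 1):
            if entry == (TAG_UTF8, text):
                return idx
        return add((TAG_UTF8, text))
    this_idx = add((TAG_CLASS, utf8(this_name)))
    super_idx = add((TAG_CLASS, utf8("java/lang/Object")))
    for cls, name, desc in refs:
        nat = add((TAG_NAMEANDTYPE, utf8(name), utf8(desc)))
        add((TAG_METHODREF, add((TAG_CLASS, utf8(cls))), nat))
    out = bytearray(b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, len(pool) + 1))
    for entry in pool:
        if entry[0] == TAG_UTF8:
            raw = entry[1].encode("utf-8")
            out += struct.pack(">BH", TAG_UTF8, len(raw)) + raw
        elif entry[0] == TAG_CLASS:
            out += struct.pack(">BH", TAG_CLASS, entry[1])
        else:
            out += struct.pack(">BHH", *entry)
    # access_flags, this_class, super_class, then empty interface/field/method/attribute tables
    out += struct.pack(">HHHHHHH", 0x0001, this_idx, super_idx, 0, 0, 0, 0)
    return bytes(out)


# The descriptor is a placeholder; the page gives no signature for the method.
SUSPECT_CLASS = build_class("Dropper", [
    (TARGET_CLASS, TARGET_METHOD, "([Ljava/lang/Object;)Ljava/lang/Object;"),
])
BENIGN_CLASS = build_class("Hello", [
    ("java/io/PrintStream", "println", "(Ljava/lang/String;)V"),
])
```

To run it against real samples, unpack the .jar and pass each .class file's bytes to references_invoke_with_privilege(); the rule sees the same bytes in the transferred file. Because the decision rests on the constant pool entry and not on what the code does with it, any class that carries the reference matches, which is the behaviour the false-positive note above describes.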

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK tactics and techniques here: https://attack.mitre.org

CVE

Rule Vulnerability

CVE Additional Information

CVE-2012-4820
Unspecified vulnerability in the JRE component in IBM Java 7 SR2 and earlier, Java 6.0.1 SR3 and earlier, Java 6 SR11 and earlier, Java 5 SR14 and earlier, and Java 142 SR13 FP13 and earlier; as used in IBM Rational Host On-Demand, Rational Change, Tivoli Monitoring, Smart Analytics System 5600, Tivoli Remote Control 5.1.2, WebSphere Real Time, Lotus Notes & Domino, Tivoli Storage Productivity Center, and Service Deliver Manager; and other products from other vendors such as Red Hat, when running under a security manager, allows remote attackers to gain privileges by modifying or removing the security manager via vectors related to "insecure use of the java.lang.reflect.Method invoke() method."
Details

Severity: HIGH
Base Score: 9.3
Impact Score: 10.0
Exploit Score: 8.6
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Access Vector:
Authentication: NONE
Ease of Access: