
CVE-2007-6382: Robocode Arbitrary Code Execution

CVSS Score: 6.8

Basic Information

EPSS Score: 0.72508%
Published: 5/1/2022
Updated: 9/21/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Package Name: net.sf.robocode:robocode.core
Ecosystem: maven
Vulnerable Versions: < 1.5.1
First Patched Version: 1.5.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from Robocode's security manager granting blanket permissions to the Event Dispatch Thread (EDT). The patch in commit 2f2867d modified the checkPermission method to restrict EDT access only to specific Robocode tools (Codesize and CacheCleaner) by inspecting the stack trace. The pre-patch version lacked this validation, allowing untrusted robot code to execute privileged operations via the EDT. The CWE-94 (Code Injection) classification and exploit description directly align with this missing stack validation in the security manager's permission check.
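The two decision rules described above, pre-patch and patched, as an added Java illustration; this is not Robocode's own code, and the class name, the package prefix of the tool classes and the constructed call stacks are assumptions:

```java
import java.util.Arrays;
import java.util.List;

// Added illustration of the check described above; not Robocode's own code.
// The class name, the package prefix of the tool classes and the sample stacks are assumptions.
public class EdtPermissionCheck {
    // Tool classes the patch allows to act through the EDT. The tool names come from the
    // analysis; "robocode.placeholder" stands in for the real package, which is not given here.
    private static final List<String> TRUSTED_EDT_TOOLS = Arrays.asList(
            "robocode.placeholder.Codesize",
            "robocode.placeholder.CacheCleaner");
    /** Pre-patch shortcut: any code running on the EDT was granted the permission outright. */
    static boolean edtShortcutBeforePatch(boolean onEdt) {
        return onEdt;
    }

    /**
     * Patched shortcut: on the EDT, grant only if a trusted tool is somewhere in the call stack.
     * A false result means "no shortcut"; the normal policy decision (not modelled) then applies.
     */
    static boolean edtShortcutAfterPatch(boolean onEdt, StackTraceElement[] stack) {
        if (!onEdt) {
            return false;
        }
        return Arrays.stream(stack)
                .map(StackTraceElement::getClassName)
                .anyMatch(TRUSTED_EDT_TOOLS::contains);
    }

    private static StackTraceElement frame(String cls, String method) {
        return new StackTraceElement(cls, method, null, -1);
    }

    public static void main(String[] args) {
        // Constructed stacks, innermost frame first. The first is a Runnable that an untrusted
        // robot posted with SwingUtilities.invokeLater; the second is the CacheCleaner tool.
        StackTraceElement[] robotOnEdt = {
                frame("java.io.FileOutputStream", "<init>"),
                frame("sample.UntrustedRobot$1", "run"),
                frame("java.awt.EventDispatchThread", "run")};
        StackTraceElement[] toolOnEdt = {
                frame("java.io.File", "delete"),
                frame("robocode.placeholder.CacheCleaner", "clean"),
                frame("java.awt.EventDispatchThread", "run")};
        System.out.println("robot, before patch: " + edtShortcutBeforePatch(true));
        System.out.println("robot, after patch:  " + edtShortcutAfterPatch(true, robotOnEdt));
        System.out.println("tool, after patch:   " + edtShortcutAfterPatch(true, toolOnEdt));
    }
}
```

The robot's stack is granted under the old rule and refused under the new one, while the tool's stack still passes because a trusted class appears among its frames.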


WAF Protection Rules

WAF Rule

The Event Dispatch Thread in Robocode before 1.5.1 allows remote attackers to execute arbitrary Java code by using a robot to invoke the `SwingUtilities.invokeLater` method.
