[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [LSD] Security vulnerability in SUN's Java Virtual Machine implementation

Hi Alla,

Sun also applied the classloading fix to java.net.URLClassLoader, according
to my jardiffer tool, which automatically finds the location of
those fixes.

I am waiting for the detailed paper of LSD, because loading the class
is only a first tiny step to get real control, although if you load enough
classes you have at least a Denial-of-Service. But I am sure they
will have a good exploit in their sleeve.

IMHO there already enough dangerous classes deployed in the rt.jar
of the JDK. q.e.d. with the floppy hardware attack on IE&
(http://www.illegalaccess.org/exploits/java/applet/MyFloppySucks.html)

Marc

P.S.: on Opera 7.21 , Java 1.4.2_02 enabled your
 applet just displays a gray box .....



On Tue, 28 Oct 2003, Alla Bezroutchko wrote:

> Date: Tue, 28 Oct 2003 10:32:07 +0100
> From: Alla Bezroutchko <alla@scanit.be>
> To: bugtraq@securityfocus.com
> Subject: Re: [LSD] Security vulnerability in SUN's Java Virtual Machine
>     implementation
>
>
>
> Last Stage of Delirium wrote:
> > Hello,
> >
> > We have found a security vulnerability in the SUN's implementation of the 
> > Java
> > Virtual Machine, which affects the following SDK and JRE releases:
> > -   SDK and JRE 1.4.1_03 and earlier
> > -   SDK and JRE 1.3.1_08 and earlier
> > -   SDK and JRE 1.2.2_015 and earlier.
>
> The following applet tests for this vulnerability:
>
> ------------------------------------------------------------------
> import java.applet.Applet;
> import java.awt.Graphics;
> import java.lang.Class;
> import java.security.AccessControlException;
>
> public class Simple extends Applet {
>
>      StringBuffer buffer;
>
>      public void init() {
>          buffer = new StringBuffer();
>      }
>
>      public void start() {
>          ClassLoader cl = this.getClass().getClassLoader();
>          try {
>                  Class cla =
> cl.loadClass("sun/applet/AppletClassLoader"); // Note the slashes
>                  addItem("No exception in loadClass. Vulnerable!");
>          } catch (ClassNotFoundException e) {
>                  addItem("ClassNotFoundException in loadClass - " + e);
>          } catch (AccessControlException e) {
>                  addItem("AccessControlException in loadClass - Not
> Vulnerable!");
>          }
>
>      }
>
>      void addItem(String newWord) {
>          System.out.println(newWord);
>          buffer.append(newWord);
>          repaint();
>      }
>
>      public void paint(Graphics g) {
>          //Draw a Rectangle around the applet's display area.
>          g.drawRect(0, 0, size().width - 1, size().height - 1);
>
>          //Draw the current string inside the rectangle.
>          g.drawString(buffer.toString(), 5, 15);
>      }
> }
> ----------------------------------------------------------------
>
> This test can be found here: http://bcheck.scanit.be/bcheck/applet.html
>
> If Sun Java VM is installed, the applet runs and says if VM is
> vulnerable or not.
>
> I am loading sun.applet.AppletClassLoader, but it could be any other
> class from sun. package tree.
>
> I don't know how this bug is exploitable, because whenever I try to do
> anything at all with a class loaded this way, for example, create an
> instance of it or call methods, I get SecurityManager's exceptions.
> Gotta wait patiently until LSD releases more details.
>
> I've tested Internet Explorer 6 and Mozilla Firebird. Internet Explorer
> is exploitable if confgured to use Sun Java VM instead of Microsoft VM.
>
> Alla.
>
>

--

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer