
[Full-Disclosure] Re: Java 1.4.2_02 InsecurityManager JVM crash



Hi Marc,

> either they (Sun) remove the deprecated functions completely or they
> introduce permissions which explicitly allow to call deprecated stuff.
> An adversary does not care whether the function he uses to interfere
> with correct operation is deprecated. Deprecation is not a security
> feature, correct and aware coding is.

I agree with you that such deprecated features should be removed. There
are just too many deprecated features in Java that probably confuse people.

But I don't understand your excitement about the bug itself. What's your
point? OK, you found a way to crash the JVM using native code in the
security manager implementation. But is this really something you can
*exploit*, e.g. to crash (1) a client's web browser or (2) a production
server machine? To exploit the flaw you require the permission to
instantiate a security manager in such an environment.

1) The JVM in a web browser always runs under the control of the Java
security manager. So, what you will get is the following exception:

java.security.AccessControlException: access denied (java.lang.RuntimePermission createSecurityManager)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.<init>(Unknown Source)
    *at InSecurityManager.<init>(InSecurityManager.java:1)*
    *at InSecurityManager.main(InSecurityManager.java:8)*
    at MyApplet.init(MyApplet.java:20)
    at sun.applet.AppletPanel.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

2) Similarly, it is recommended that application servers run under the
control of the security manager (-Djava.security.manager).
For example, WebLogic Server does it automatically. So you will
experience the same reaction as above.

regards,
Torsten.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
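
The permission check described in the message above, as an added example that is not part of the original post or of Sun's code: it tries to instantiate a SecurityManager subclass with no manager installed, then with a manager installed and `createSecurityManager` withheld, then with it granted. `ProbeManager`, `TogglePolicy` and `CreateSecurityManagerCheck` are hypothetical names, and the code assumes a JDK on which the Security Manager is still usable (JDK 18 to 23 need `-Djava.security.manager=allow`; it is permanently disabled from JDK 24).

```java
import java.security.AccessControlException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;

public class CreateSecurityManagerCheck {
    // Hypothetical stand-in for the SecurityManager subclass discussed in the thread.
    static class ProbeManager extends SecurityManager { }

    // Constructed policy for this demo: grants every permission except,
    // while grantCreate is false, RuntimePermission("createSecurityManager").
    static class TogglePolicy extends Policy {
        volatile boolean grantCreate = false;
        public PermissionCollection getPermissions(CodeSource cs) { return new Permissions(); }
        public void refresh() { }
        public boolean implies(ProtectionDomain pd, Permission p) {
            boolean isCreate = p instanceof RuntimePermission
                    && "createSecurityManager".equals(p.getName());
            return !isCreate || grantCreate;
        }
    }

    // One instantiation attempt: "created", or "denied: <permission>" when the
    // SecurityManager constructor's checkPermission call rejects the caller.
    static String tryCreate() {
        try {
            new ProbeManager();
            return "created";
        } catch (AccessControlException e) {
            return "denied: " + e.getPermission();
        }
    }

    public static void main(String[] args) {
        TogglePolicy policy = new TogglePolicy();
        Policy.setPolicy(policy);
        // No manager installed yet: the constructor performs no check.
        System.out.println("no manager installed: " + tryCreate());
        System.setSecurityManager(new SecurityManager());
        // Manager installed, permission withheld: the applet and server case.
        System.out.println("manager, permission withheld: " + tryCreate());
        policy.grantCreate = true;
        // Only code granted createSecurityManager reaches the subclass constructor.
        System.out.println("manager, permission granted: " + tryCreate());
    }
}
```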