[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass



Hi Roberto,
nice to see you always alive and kicking!

It seems we found the same stuff :) my bad I haven't yet published it.

Soon also my advisory with some collateral effect^N^N^N^N^N^Nthoughts.

Cheers
Stefano


Il giorno mer, 20/10/2010 alle 00.20 +1300, Roberto Suggi Liverani ha
scritto:
> (    , )     (,
>   .   `.' ) ('.    ',
>    ). , ('.   ( ) (
>   (_,) .`), ) _ _,
>  /  _____/  / _  \    ____  ____   _____  
>  \____  \==/ /_\  \ _/ ___\/  _ \ /     \ 
>  /       \/   |    \\  \__(  <_> )  Y Y  \
> /______  /\___|__  / \___  >____/|__|_|  /
>         \/         \/.-.    \/         \/:wq 
>                     (x.0)
>                   '=.|w|.='
>                   _='`"``=.
> 
>               presents..
> 
> Oracle JRE - java.net.URLConnection class – 
> Same-of-Origin (SOP) Policy Bypass
> 
> PDF: 
> http://www.security-assessment.com/files/advisories/Oracle_JRE_java_net_urlconnection_SOP_Bypass.pdf
> CVE Identifier: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3573
> 
> 
> +-----------+
> |Description|
> +-----------+
> 
> Security-Assessment.com discovered that a Java Applet 
> making use of java.net.URLConnection class can be used 
> to bypass same-of-origin (SOP) policy and domain based 
> security controls in modern browsers when communication 
> occurs between two domains that resolve to the same IP 
> address. This advisory includes a Proof-of-Concept 
> (PoC) demo and a Java Applet source code, which 
> demonstrates how this security can be exploited to leak 
> cookie information to an unauthorised domain, which 
> resides on the same host IP address.
> 
> +------------+
> |Exploitation|
> +------------+
> 
> The Flash movie demo can be viewed at the following 
> link:
> 
> http://www.security-assessment.com/files/advisories/java_net_urlconnection_sop_bypass_demo.swf
> 
> Proof of Concept (PoC) in demo demonstrates that a 
> Cross Site Request Forgery (XSRF) attack can be leveraged 
> by using a Java Applet which implements the 
> java.net.URLConnection class. Traditionally, XSRF is used 
> to force a user to perform an unwanted action on a target 
> web site. In this case, the PoC shows that XSRF can be 
> used to capture sensitive information such as cookie 
> associated to a target web site.
> 
> The following assumptions are made in this PoC:
> 
> 1. Virtual hosts www.targetsite.net and 
> www.badsite.com resolve to the same IP address;
> 
> 2. Malicious user controls www.badsite.com web site;
> 
> 3. Malicious user targets www.targetsite.net users.
> 
> The following list summarises the sequence of actions 
> shown in the demo:
> 
> 
> 1. User has a valid cookie for www.targetsite.net
> 
> 2. The same user visits www.badsite.com which performs 
> a cross site forged request to www.targetsite.net . 
> The forged request is performed by a Java Applet 
> embedded on the malicious site. The Java Applet 
> bypasses the Same-of-Origin policy as an unsigned Java 
> Applet should not be able to communicate 
> from www.badsite.com to www.targetsite.net without 
> a crossdomain.xml policy file.
> 
> 3. Java Applet performs first GET request to 
> www.targetsite.net. At this stage, the Java Applet 
> controls the Cookie: header sent to www.targetsite.net
> through the getRequestProperty("cookie") method.
> This is in breach with SOP.
> 
> 4. A second request is done for the purpose 
> of the demo which leaks www.targetsite.net 
> cookie’s to www.badsite.com via an HTTP GET 
> request.
> 
> 
> Testing was successfully performed using Java(TM) 
> SE Runtime Environment (build 1.6.0_21-b07) and the 
> following browsers:
> 
> - Mozilla Firefox 3.5.8 (Windows XP)
> - Opera 10.60 (Windows XP)
> - Internet Explorer 6.0.2900.5512 (Windows XP)
> - Google Chrome 5.0.375.9 (Windows XP)
> - Internet Explorer 8.0.6001.18702 (Windows XP)
> - Safari 5.0 (7533.16) (Windows XP)
> 
> The Java Applet source code used in the demo can be 
> downloaded at the following link:
> 
> http://www.security-assessment.com/files/advisories/MaliciousJavaApplet.zip
> 
> +--------+
> |Solution|
> +--------+
> 
> Security-Assessment.com follows responsible disclosure
> and promptly contacted Oracle after discovering
> the issue. Oracle was contacted on August 1,
> 2010.
> 
> Oracle has created a fix for this vulnerability which 
> has been included as part of Critical Patch Update 
> Advisory - October 2010. Security-Assessment.com 
> recommends all users of JRE and JDK to upgrade to 
> the latest version as soon as possible. 
> 
> For more information on the new release of JRE/JDK 
> please refer to the link:
> 
> http://www.oracle.com/technetwork/java/javase/downloads/index.html
> 
> +------+
> |Credit|
> +------+
> 
> Discovered and advised to Oracle
> August 2010 by Roberto Suggi Liverani of 
> Security-Assessment.com.
> 
> Personal site: http://malerisch.net
> 
> +-----+
> |Extra|
> +-----+
> 
> Another interesting attack was discovered as part 
> of the research on this vulnerability.
> This attack is another example of leveraging XSRF 
> with the potential of leaking cookie, basic and digest
> authentication tokens using Java Applet and the 
> "Compability with older browser" feature in 
> Apache Web Server.
> 
> For a PDF version of this research please follow the link below:
> 
> http://www.security-assessment.com/files/whitepapers/Leveraging_XSRF_with_Apache_Web_Server_Compatibility_with_older_browser_feature_and_Java_Applet.pdf
> 
> 
> +-----------------------------+
> |About Security-Assessment.com|
> +-----------------------------+
> 
> Security-Assessment.com is a New Zealand based world
> leader in web application testing, network security
> and penetration testing. Security-Assessment.com
> services organisations across New Zealand, Australia,
> Asia Pacific, the United States and the United
> Kingdom.
> 
> Roberto Suggi Liverani
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/