lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.A41.4.44.0310272114230.121798-100000@zivunix.uni-muenster.de>
Date: Mon, 27 Oct 2003 21:44:09 +0100 (MEZ)
From: Marc Schoenefeld <schonef@...-muenster.de>
To: Alla Bezroutchko <alla@...nit.be>
Cc: bugtraq@...urityfocus.com
Subject: Re: [LSD] Security vulnerability in SUN's Java Virtual Machine
 implementation


Hi Alla,

Sun also applied the classloading fix to java.net.URLClassLoader, according
to my jardiffer tool, which automatically finds the location of
those fixes.

I am waiting for the detailed paper of LSD, because loading the class
is only a first tiny step to get real control, although if you load enough
classes you have at least a Denial-of-Service. But I am sure they
will have a good exploit in their sleeve.

IMHO there already enough dangerous classes deployed in the rt.jar
of the JDK. q.e.d. with the floppy hardware attack on IE&
(http://www.illegalaccess.org/exploits/java/applet/MyFloppySucks.html)

Marc

P.S.: on Opera 7.21 , Java 1.4.2_02 enabled your
 applet just displays a gray box .....



On Tue, 28 Oct 2003, Alla Bezroutchko wrote:

> Date: Tue, 28 Oct 2003 10:32:07 +0100
> From: Alla Bezroutchko <alla@...nit.be>
> To: bugtraq@...urityfocus.com
> Subject: Re: [LSD] Security vulnerability in SUN's Java Virtual Machine
>     implementation
>
>
>
> Last Stage of Delirium wrote:
> > Hello,
> >
> > We have found a security vulnerability in the SUN's implementation of the Java
> > Virtual Machine, which affects the following SDK and JRE releases:
> > -   SDK and JRE 1.4.1_03 and earlier
> > -   SDK and JRE 1.3.1_08 and earlier
> > -   SDK and JRE 1.2.2_015 and earlier.
>
> The following applet tests for this vulnerability:
>
> ------------------------------------------------------------------
> import java.applet.Applet;
> import java.awt.Graphics;
> import java.lang.Class;
> import java.security.AccessControlException;
>
> public class Simple extends Applet {
>
>      StringBuffer buffer;
>
>      public void init() {
>          buffer = new StringBuffer();
>      }
>
>      public void start() {
>          ClassLoader cl = this.getClass().getClassLoader();
>          try {
>                  Class cla =
> cl.loadClass("sun/applet/AppletClassLoader"); // Note the slashes
>                  addItem("No exception in loadClass. Vulnerable!");
>          } catch (ClassNotFoundException e) {
>                  addItem("ClassNotFoundException in loadClass - " + e);
>          } catch (AccessControlException e) {
>                  addItem("AccessControlException in loadClass - Not
> Vulnerable!");
>          }
>
>      }
>
>      void addItem(String newWord) {
>          System.out.println(newWord);
>          buffer.append(newWord);
>          repaint();
>      }
>
>      public void paint(Graphics g) {
>          //Draw a Rectangle around the applet's display area.
>          g.drawRect(0, 0, size().width - 1, size().height - 1);
>
>          //Draw the current string inside the rectangle.
>          g.drawString(buffer.toString(), 5, 15);
>      }
> }
> ----------------------------------------------------------------
>
> This test can be found here: http://bcheck.scanit.be/bcheck/applet.html
>
> If Sun Java VM is installed, the applet runs and says if VM is
> vulnerable or not.
>
> I am loading sun.applet.AppletClassLoader, but it could be any other
> class from sun. package tree.
>
> I don't know how this bug is exploitable, because whenever I try to do
> anything at all with a class loaded this way, for example, create an
> instance of it or call methods, I get SecurityManager's exceptions.
> Gotta wait patiently until LSD releases more details.
>
> I've tested Internet Explorer 6 and Mozilla Firebird. Internet Explorer
> is exploitable if confgured to use Sun Java VM instead of Microsoft VM.
>
> Alla.
>
>

--

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ