lists.openwall.net - Open Source and information security mailing list archives
Date: Sat, 10 Jul 2004 16:07:25 +0200 (MES)
From: Marc Schoenefeld <schonef@...-muenster.de>
To: bugtraq@...urityfocus.com
Subject: Covert Channels allow Cross-Site-Java in Microsoft VM


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi y'all,
I have not found the contact address for microsoft jvm
security issues, therefore maybe someone who reads
bugtraq can forward this:
in the Microsoft (R) VM for Java, 5.0 Release 5.0.0.3810,
the implementation of some core system classes allows one to
create covert channels between applets that are
loaded from different websites (aka cross-site java).
As these applets share a common class loader for
the system classes, all public static (non-final)
fields can be used to create a covert channel in accordance
with the sandbox restrictions and exchange cross-site
information. This may be used for security zone violation
and general data leakage.

When you load the two applets:

A:http://www.tauwerkkunst.de/javatest/SiteA/CovAppletFNMap.html

and

B:http://www.beauchamp.de/tauwerk/javatest/SiteA/CovAppletFNMap.html

you can use the commands

PUT/Key/Value  to create an entry in the shared hashtable of the applets
GET/Key to read an entry in the shared hashtable of the applets

'Key' and 'Value' are string values.

So if you PUT/TopScorer/Makaay in the lower textbox and press "Perform
Action" and then switch to applet B, which has an identical look, and enter
'GET/TopScorer' and "Perform Action", you will be prompted with 'Makaay',
which is information that should only be known to applet A.

I think this is a major violation of sandbox constraints.

Sincerely
Marc

P.S: Read some more java stuff at www.illegalaccess.org
- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (AIX)

iD8DBQFA7/ggqCaQvrKNUNQRAifIAJ9deBwncOjGHVY10MFF20HmCjEjpgCeOydd
9tX6TX6j3CfFYgGeWJ8uD0k=
=Yp27
-----END PGP SIGNATURE-----
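The mechanism the post describes, reduced to a stand-alone Java program (an added example; this is neither the Microsoft VM code nor the author's CovAppletFNMap applets, and the class names SharedTable, SiteApplet and SiteLoader are illustrative). Two class loaders stand in for two websites: each defines its own copy of the "applet" class, but both delegate the "system" class SharedTable to a common parent loader, exactly as the system classes in the VM are shared. The write to the public static field is an ordinary field access that no sandbox permission check intercepts, so site B reads what site A stored. Passing isolateShared=true makes each loader define its own SharedTable, which is what closes the channel: the statics then live in different classes and B reads nothing.

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Method;
import java.util.Hashtable;

// Compile and run from the same directory: javac CovertChannelDemo.java && java CovertChannelDemo
public class CovertChannelDemo {

    // Stand-in for a core system class with a public static, non-final field.
    public static class SharedTable {
        public static Hashtable<String, String> table = new Hashtable<>();
    }

    // Stand-in for an applet. Each "site" gets its own copy of this class,
    // but SharedTable.table resolves through whichever loader defined SharedTable.
    public static class SiteApplet {
        public static void put(String key, String value) { SharedTable.table.put(key, value); }
        public static String get(String key) { return SharedTable.table.get(key); }
    }

    // One loader per site. It defines its own copy of SiteApplet (and, when
    // isolateShared is set, of SharedTable) and delegates everything else to the parent.
    static class SiteLoader extends ClassLoader {
        private final boolean isolateShared;

        SiteLoader(boolean isolateShared) {
            super(CovertChannelDemo.class.getClassLoader());
            this.isolateShared = isolateShared;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            boolean ownCopy = name.equals(SiteApplet.class.getName())
                    || (isolateShared && name.equals(SharedTable.class.getName()));
            if (!ownCopy) {
                return super.loadClass(name, resolve); // shared with every other site
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) c = defineFromResource(name);
                if (resolve) resolveClass(c);
                return c;
            }
        }

        // Re-define a class from its compiled bytes so this loader owns the copy.
        private Class<?> defineFromResource(String name) throws ClassNotFoundException {
            String path = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(path)) {
                if (in == null) throw new ClassNotFoundException(name);
                byte[] bytes = in.readAllBytes();
                return defineClass(name, bytes, 0, bytes.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    // Site A performs PUT/TopScorer/Makaay, site B performs GET/TopScorer.
    static String exchange(boolean isolateShared) throws Exception {
        Class<?> appletA = new SiteLoader(isolateShared).loadClass(SiteApplet.class.getName());
        Class<?> appletB = new SiteLoader(isolateShared).loadClass(SiteApplet.class.getName());
        if (appletA == appletB) throw new IllegalStateException("sites must not share applet code");

        Method put = appletA.getMethod("put", String.class, String.class);
        Method get = appletB.getMethod("get", String.class);
        put.invoke(null, "TopScorer", "Makaay");
        return (String) get.invoke(null, "TopScorer");
    }

    public static void main(String[] args) throws Exception {
        // Shared SharedTable: B reads "Makaay", the covert channel works.
        System.out.println("shared system class  -> site B reads: " + exchange(false));
        // Per-site SharedTable: B reads null, the statics are no longer shared.
        System.out.println("per-site system class -> site B reads: " + exchange(true));
    }
}
```

The second run is the check a practitioner would want: the same applet code, the same field access, and no leak once the class holding the static is not shared between the two loaders. Any mutable object reachable through a shared static (a public static final Hashtable would do just as well) gives the same channel, so the fix is isolation or immutability of the shared state, not a SecurityManager check on the applet code.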
