[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BAY16-DAV13sz4RqPm30004dbd9@hotmail.com>
Date: Sat, 10 Jul 2004 20:04:47 -0700
From: "Siva Subbu" <sivasub23@...mail.com>
To: "Marc Schoenefeld" <schonef@...-muenster.de>,
<bugtraq@...urityfocus.com>
Subject: Re: Covert Channels allow Cross-Site-Java in Microsoft VM
Hello Marc,
I tried to reproduce this but I couldn't.
I see a null pointer exception in the Java Console and I don't get the
contents in Applet B which were put in Applet A.
I get this error
Magath
Exception occurred during event dispatching:
java.lang.NullPointerException
at FNMAP.getContentTypeFor
at CovAppletFNMap$MyButtonListener.actionPerformed
at java/awt/Button.processActionEvent
at java/awt/Button.processEvent
at java/awt/Component.dispatchEventImpl
at java/awt/Component.dispatchEvent
at java/awt/EventDispatchThread.run
Is there a problem with the repro code?
Thanks,
H.K.
----- Original Message -----
From: "Marc Schoenefeld" <schonef@...-muenster.de>
To: <bugtraq@...urityfocus.com>
Sent: Saturday, July 10, 2004 7:07 AM
Subject: Covert Channels allow Cross-Site-Java in Microsoft VM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi y'all,
I have not found the contact address for microsoft jvm
security issues, therefore maybe someone who reads
bugtraq can forward this:
in the Microsoft (R) VM for Java, 5.0 Release 5.0.0.3810
the implementation of some core system classes allows to
create covert channels between applets that are
loaded from different websites (aka cross-site java).
As these applet they share a common class loader for
the system classes all public static (non-final)
fields can be used to create a covert channel in accordance
to the sandbox restriction and exchange cross-site
information. This may be used for security zone violation
and general data leakage.
When you load the two applets:
A:http://www.tauwerkkunst.de/javatest/SiteA/CovAppletFNMap.html
and
B:http://www.beauchamp.de/tauwerk/javatest/SiteA/CovAppletFNMap.html
you can use the commands
PUT/Key/Value to create an entry in the shared hashtable of the applets
GET/Key to read an entry in the shared hashtable of the applets
'Key' and 'Value' are string values.
So if you PUT/TopScorer/Makaay in the lower textbox and press "Perform
Action" and then switch to applet B which has an identical look and enter
'GET/TopScorer' and "Perform Action" you will be prompted with 'Makaay',
which is an information that should only be known to applet A.
I think this is a major violation of sandbox constraints.
Sincerely
Marc
P.S: Read some more java stuff at www.illegalaccess.org
- --
Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous
Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (AIX)
iD8DBQFA7/ggqCaQvrKNUNQRAifIAJ9deBwncOjGHVY10MFF20HmCjEjpgCeOydd
9tX6TX6j3CfFYgGeWJ8uD0k=
=Yp27
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists