Message-ID: <Pine.A41.4.58.0408090102380.49816@zivunix.uni-muenster.de>
Date: Mon, 9 Aug 2004 01:12:57 +0200 (MES)
From: Marc Schoenefeld <schonef@...-muenster.de>
To: bugtraq@...urityfocus.com
Subject: Java XSLT security advisory addendum


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

============================================
Illegalaccess.org security advisory addendum
============================================

Vendor informed:
April, 2004

Public Advisory released:
August 2, 2004

Today:
August 9,  2004

URL:
http://www.illegalaccess.org

Original advisory:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57613


Threat:
In all versions of JDK 1.4.x a vulnerability exists that
allows XSLT processing classes inside the JVM to be juggled,
which enables entities to sniff XML data that is processed
with the XSLT processor anywhere in the same JVM.
We called this technique "XML sniffing"; it is
based on covert channels. The paper "Antipatterns in
JDK security and refactorings", presented at
DIMVA 2004 (Dortmund, Germany, 7th of July 2004), shows
the general principle of covert channels between
distinct Java protection domains.

Scope:
In addition to what the Sun advisory covers, all boundaries between
Java protection domains can be traversed by XML sniffing.
The threat is NOT LIMITED TO APPLETS, so in a web server
environment an unprivileged
servlet may inject hook code into the XSLT processor management
data structures that sniffs the XML data which is processed
by the XSLT processor throughout the whole Tomcat or J2EE server
and finally passes it back to the injector class.
Likewise, an unprivileged application started by Java
Web Start may sniff XML data loaded from a signed application when
executing XSLT operations. This should be taken into account
when processing confidential data with JDK 1.4 based software.
In short: any unprivileged class in the JVM may sniff all
XML passing through the XSLT processor.

Details & Exploit:
A detailed description of the framework that allows detection
of those covert channels, and PoC code that demonstrates the
flaw in detail, will be included in an upcoming paper and in
my upcoming PhD thesis at Bamberg University. So be sure
to preorder a signed copy of the thesis :-)

Sincerely
Marc Schoenefeld


- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (AIX)

iD8DBQFBFrN9qCaQvrKNUNQRAn+VAJwI72zwrvZEiDGrjxrKKAHFC9KMrACbB8ch
mofWFyw0U4ImrPgZb4kk3bY=
=0ZEy
-----END PGP SIGNATURE-----

