Date: Thu, 25 Nov 2004 22:22:34 +0100 (MEZ)
From: Marc Schoenefeld <schonef@...-muenster.de>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: Rumours about Opera


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi y'all,

to clear some rumours about Opera 7.54:

The opera guys use their own binding from javascript to java, which does not
conform to the java plug-in. Moreover they expliclity allowed access to the
sun.* packages in the default security configuration, so there is no need
for a magic exploit.  I reported that misery to opera on the 1st of
september, so they should be aware of their java problems.

Remember that java 1.4.2_04 (and less) driven applets also allow covert
channels between applets from different sites. This is exploitable by a
second order attack where a shared public variable in the XSLT processor can
be used by a passive attacker. He is able to inject a piece of sleeping java
code in the JVM which gets executed when the XSLT processor is invoked.
There is an Sun advisory out there that came out in august, that warns
about the issue.

Java 1.4.2_05 also has a vulnerability in the serialization APIs (used by
RMI) that allows to overload a remote JVM [and drive uptime loads
to the 100s]. I reported that to Sun on the 11th of April.
It is fixed in 1.4.2_06, too.

P.S.: Have phun with java, but maybe you should consider
python for productivity.
[http://www.ferg.org/projects/python_java_side-by-side.html , great
stuff steven!]

marc schoenefeld
http://www.illegalaccess.org





On Thu, 25 Nov 2004, Alla Bezroutchko wrote:

> Date: Thu, 25 Nov 2004 11:33:03 +0100
> From: Alla Bezroutchko <alla@...nit.be>
> To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
> Subject: Re: Sun Java Plugin arbitrary package access vulnerability
>
> Jouko Pynnonen wrote:
>
> > A vulnerability in Java Plugin allows an attacker to create an Applet
> > which can disable Java's security restrictions and break out of the
> > Java sandbox.
>
> <skip>
>
> > The Java Plugin versions 1.4.2_04 and 1.4.2_05 were tested on Windows
> > and Linux. Web browsers tested were Microsoft Internet Explorer,
> > Mozilla Firefox and Opera. It should be noted that Opera uses a
> > different way of connecting JavaScript and Java which caused the test
> > exploit not to work on Opera. However the problem itself (access to
> > private packages) was demonstrated on Opera too, so it may be
> > vulnerable to a variation of the exploit.
>
> As noted by rodmoses(at)yahoo(dot)com Opera remains vulnerable even
> after the upgrade of JVM to version 1.4.2_06. (tested on Windows XP SP2,
> Opera 7.54, J2SE 1.4.2_06).
>
> According to Jouko, Opera does not use Java plugin, but has its own
> interface to Java. The fact that the problem is still present after JVM
> upgrade probably means that there is an independent  bug in Opera Java
> interface which has the same effect as the bug in Sun Java Plugin.
>
> AFAIK there is no fix for Opera yet. I have reported this bug to Opera
> through their web interface (bug-158156).
>
> There is an online test for this bug at Browser Security Test
> (http://bcheck.scanit.be/bcheck/). Go to
> http://bcheck.scanit.be/bcheck/choosetests.php if you only want to run
> the test for this particular bug.
>
> Alla.
>
>

- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (AIX)

iD8DBQFBpk0dqCaQvrKNUNQRAoWgAJ49D1DuDCRwAFp4VKIbdVHz0qdhuACfQA5+
S/edMzVv1vZsyPSXkhk7GDw=
=NXu5
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists