Message-ID: <3F9E3526.8010200@informatik.uni-freiburg.de>
From: tolo at informatik.uni-freiburg.de (Torsten Lodderstedt)
Subject: Re: Java 1.4.2_02 InsecurityManager JVM crash

Hi Marc,

> either they (Sun) remove the deprecated functions completely or they
> introduce permissions which explicitly allow to call deprecated stuff.
> An adversary does not care whether the function he uses to interfere
> with correct operation is deprecated. Deprecation is not a security feature,
> correct and aware coding is.

I agree with you that such deprecated features should be removed. There
are just too many deprecated features in Java that probably confuse people.

But I don't understand your excitement about the bug itself. What's your
point? OK, you found a way to crash the JVM using native code in the
security manager implementation. But is this really something you can
*exploit*, e.g. to crash (1) a client's web browser or (2) a production
server machine? To exploit the flaw you require the permission to
instantiate a security manager in such an environment.

1) The JVM in a web browser always runs under the control of the Java
security manager. So, what you will get is the following exception:

java.security.AccessControlException: access denied (java.lang.RuntimePermission createSecurityManager)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.<init>(Unknown Source)
    *at InSecurityManager.<init>(InSecurityManager.java:1)*
    *at InSecurityManager.main(InSecurityManager.java:8)*
    at MyApplet.init(MyApplet.java:20)
    at sun.applet.AppletPanel.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

2) Similarly, it is recommended that application servers run under the
control of the security manager (-Djava.security.manager).
For example, WebLogic Server does it automatically. So you will
experience the same reaction as above.

regards,
Torsten.
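
The check described in the message above, as an added example that is not part of the original post or of the code under discussion: the SecurityManager constructor asks the installed manager for RuntimePermission "createSecurityManager", so code without that grant cannot instantiate a subclass. The class names are hypothetical, and the example assumes JDK 17 or earlier (where a security manager can still be installed at run time) with the stock policy file, which does not grant that permission to application code.

```java
import java.security.AccessControlException;

public class CreateSecurityManagerCheck {

    // Hypothetical stand-in for code that ships its own SecurityManager subclass.
    static class Probe extends SecurityManager { }

    // Returns null when instantiation is allowed, otherwise the denial message.
    static String tryInstantiate() {
        try {
            new Probe();            // constructor performs the permission check
            return null;
        } catch (AccessControlException e) {
            return e.getMessage();  // names the missing RuntimePermission
        }
    }

    static String describe(String denial) {
        return denial == null ? "instantiation allowed" : "denied: " + denial;
    }

    public static void main(String[] args) {
        // No manager installed: nothing checks the constructor call.
        System.out.println("without manager: " + describe(tryInstantiate()));

        // Same effect as starting the JVM with -Djava.security.manager:
        // the default manager enforces the policy file from here on.
        System.setSecurityManager(new SecurityManager());

        // Now the constructor's check is evaluated against the policy and,
        // under the assumed stock policy, fails for this class.
        System.out.println("with manager:    " + describe(tryInstantiate()));
    }
}
```

Granting `permission java.lang.RuntimePermission "createSecurityManager";` to a code source in the policy file removes this barrier for that code, so it is worth auditing policy files for that grant.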
