[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTik5osENW3p9mvskX1hWenaJX3poR0zx0_iXLDWO@mail.gmail.com>
Date: Wed, 20 Oct 2010 14:49:44 -0700
From: Chris Evans <scarybeasts@...il.com>
To: Billy Rios <billy.rios@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Security-Assessment.com Advisory: Oracle JRE
- java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
On Wed, Oct 20, 2010 at 2:29 PM, Billy Rios <billy.rios@...il.com> wrote:
> In the patch for CVE-2008-5343 (GIFAR) Sun tightened their file parsing
> rules for remote JAR files, making it harder to smuggle JAR files onto the
> end of other filetypes. This makes it more difficult to create a GIF+JAR
> hybrid file. AFAIK, local JAR files were considered out of scope and will
> not be subject to the additional file parsing scrutiny.
Do you have a link to details on how the new parsing heuristic works, and
how "remote" is determined?
> Sun/Oracle has not removed the ability to modify arbitrary HOST headers.
>
Isn't that what they fixed in response to Roberto's latest report? Roberto,
any idea what was changed?
Cheers
Chris
> So, if an attacker can upload a JAR file to a web app, they will have the
> ability to jump to any domain (virtual hosted or subdomain) that exists on
> the server. The cookies sent by the applet will be from the domain provided
> in the URL object, however the content returned by the server will be from
> the domain specified in the HOST header. This can cause havoc for places
> where separation relies on subdomains (like wordpress.com et al.) where
> users have by-design control of content on one subdomain and uses that
> content to target users on a different subdomain.
>
> Java also doesn't respect file extension, content-type, or
> content-disposition returned by the web server making it a bit easier to
> upload JAR files to unsuspecting web apps.
>
>
> BK
>
>
> On Wed, Oct 20, 2010 at 1:18 PM, Chris Evans <scarybeasts@...il.com>wrote:
>
>> On Wed, Oct 20, 2010 at 8:58 AM, Michal Zalewski <lcamtuf@...edump.cx>wrote:
>>
>>> > Security-Assessment.com follows responsible disclosure
>>> > and promptly contacted Oracle after discovering
>>> > the issue. Oracle was contacted on August 1,
>>> > 2010.
>>>
>>> My understanding is that Stefano Di Paola of Minded Security reported
>>> this back in April; and further, the feature was a part of reasonably
>>> well-documented functionality of Java pretty much ever since:
>>>
>>> http://download.oracle.com/javase/6/docs/api/java/net/URL.html
>>
>>
>> The Host: header trick was also used back in 2008 in Billy Rios' GIFAR
>> attack -- to get around the fact that Picasa hosts images on a separate
>> domain:
>>
>> http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/
>>
>> The blog post title was "SUN Fixes GIFARs", although it's not immediately
>> obvious to me what was changed or fixed.
>>
>> If anyone knows what was changed back then and/or in this latest release,
>> it would be interesting to see it documented.
>>
>>
>> Cheers
>> Chris
>>
>>
>>>
>>>
>>> "Two hosts are considered equivalent if both host names can be
>>> resolved into the same IP addresses"
>>>
>>> This was a pretty horrible design, so it's good to see it gone, though.
>>>
>>> /mz
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists