lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5174E1E5.9070607@security-explorations.com>
Date: Mon, 22 Apr 2013 09:08:21 +0200
From: Security Explorations <contact@...urity-explorations.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [SE-2012-01] Yet another Reflection API flaw
 affecting Oracle's Java SE


Hello All,

Today, a vulnerability report with an accompanying Proof of
Concept code was sent to Oracle notifying the company of a
new security weakness affecting Java SE 7 software.

The new flaw was verified to affect all versions of Java SE
7 (including the recently released 1.7.0_21-b11). It can be
used to achieve a complete Java security sandbox bypass on
a target system. Successful exploitation in a web browser
scenario requires proper user interaction (a user needs to
accept the risk of executing a potentially malicious Java
application when a security warning window is displayed).

What's interesting is that the new issue is present not only
in JRE Plugin / JDK software, but also the recently announced
Server JRE as well [1]. Those concerned about a feasibility
of exploitation of Java flaws in a server environment should
consult Guideline 3-8 of "Secure Coding Guidelines for a Java
Programming Language" [2]. It lists the following software
components and APIs as potentially prone to the execution of
untrusted Java code:
- Sun implementation of the XSLT interpreter,
- Long Term Persistence of JavaBeans Components,
- RMI and LDAP (RFC 2713),
- Many SQL implementations.

In Apr 2012 [3], we reported our first vulnerability report
to Oracle corporation signaling multiple security problems in
Java SE 7 and the Reflection API in particular. It's been a
year since then and to our true surprise, we were still able
to discover one of the simplest and most powerful instances
of Java Reflection API based vulnerabilities. It looks Oracle
was primarily focused on hunting down potentially dangerous
Reflection API calls in the "allowed" classes space. If so,
no surprise that Issue 61 was overlooked.

Thank you.

Best Regards
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] Server JRE (Java SE Runtime Environment) 7 Downloads
 
http://www.oracle.com/technetwork/java/javase/downloads/server-jre7-downloads-1931105.html
[2] Secure Coding Guidelines for the Java Programming Language, Version 4.0
     http://www.oracle.com/technetwork/java/seccodeguide-139067.html
[3] SE-2012-01 Vendors status
     http://www.security-explorations.com/en/SE-2012-01-status.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ