Date: Tue, 16 Dec 2014 10:05:13 +0100
From: Security Explorations <contact@...urity-explorations.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Cc: security@...gle.com
Subject: [FD] [SE-2014-02] Google App Engine Java security sandbox bypasses (status update)


Hello All,

We would like to provide a status update to the initial
announcement [1] made a week ago regarding our SE-2014-02
security research project targeting Google App Engine
for Java.

Information regarding vulnerabilities and associated PoC
codes (Issues 1-22 / unconfirmed Issues 23-35) was sent
to Google on Dec 07, 2014.

Google has been able to reproduce the issues locally, but
when tried in production some of them didn't seem to work
(27 unexploitable issues with barely 7 candidates to work).
The reason was that our custom local GAE environment didn't
properly emulate Google App Engine production environment
(we did check availability of selected classes, but in this
particular class loader case, not all classpath JAR files
were immediately available to user code in production GAE).

At the same time, Google said that it would be OK for the
company that we continue the research as long as it is done
within the Java VM and not moved on to the next sandboxing
layer (OS sandbox).

We agreed and 5 days ago started playing with GAE again.

We used those extra days to discover new issues in GAE Java
sandbox, rewrite old / develop new PoC codes and gather the
necessary data for a planned publication on the topic.

We ended up with 21 Issues "confirmed in production" (and
pending Google confirmation) with some quite interesting
findings among them (i.e. in core GAE Java security layer).

Being back on track, we can now refer you to the official
SE-2014-02 project pages that present a summary of our
communication process with the vendors and a project FAQ:

http://www.security-explorations.com/en/SE-2014-02-status.html
http://www.security-explorations.com/en/SE-2014-02-faq.html

We take this opportunity to thank Google for re-enabling our
GAE account and making it possible to complete our project.
We really appreciate it.

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] [SE-2014-02] Google App Engine Java security sandbox
     bypasses (project pending completion / action from Google)
     http://seclists.org/fulldisclosure/2014/Dec/26

