lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <570D505A.50806@security-explorations.com>
Date: Tue, 12 Apr 2016 21:45:30 +0200
From: Security Explorations <contact@...urity-explorations.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] [SE-2012-01] Yet another broken security fix in IBM Java 7/8


Hello All,

We discovered that yet another fix for a security vulnerability in IBM
Java (Issue 70 [1] assigned CVE-2013-5456) we reported to the company
in 2013 hasn't been fixed properly.

Again, the actual root cause of the issue hasn't been addressed at all.
There were no security checks introduced anywhere in the code. The patch
primarily addressed the scenario illustrated by a Proof of Concept code.
It didn't take into account all code paths that could be used to reach
the vulnerable code sequence.

Full technical details of IBM fix bypass can be found in our technical
report:

http://www.security-explorations.com/materials/SE-2012-01-IBM-5.pdf

Along with the report, we have also published a Proof of Concept code
to illustrate the broken fix:

http://www.security-explorations.com/materials/se-2012-01-70.2.zip

What's worth to mention is that when we reported Issue 70 to IBM (Oct
16, 2013 [2]), the company responded 2 days later that as a result of
its testing of the received Proof of Concept codes against soon to be
released 4Q service update, Issue 70 has been found to be addressed.

This was the first time a vendor notified us that a reported weakness
didn't affect its internal and not yet available to the public build
of the software. Our understanding was that IBM discovered the issue
on its own and already addressed it.

Now, we think this was not the case. The company likely concluded that
there was no reason to investigate the issue further upon finding out
that package access restrictions introduced in their internal build
of Java blocked our POC code for Issue 70.

Thank you.

-- 
Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] SE-2012-01-IBM-3, Issues 70-71
     http://www.security-explorations.com/materials/SE-2012-01-IBM-3.pdf
[2] SE-2012-01 Vendors status
     http://www.security-explorations.com/en/SE-2012-01-status.html


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ