Re: [LSD] Security vulnerability in SUN's Java Virtual Machine implementation

From: Alla Bezroutchko (alla_at_scanit.be)
Date: 10/28/03

    Date: Tue, 28 Oct 2003 10:32:07 +0100
    To: bugtraq@securityfocus.com
    
    

    Last Stage of Delirium wrote:
    > Hello,
    >
    > We have found a security vulnerability in the SUN's implementation of the Java
    > Virtual Machine, which affects the following SDK and JRE releases:
    > - SDK and JRE 1.4.1_03 and earlier
    > - SDK and JRE 1.3.1_08 and earlier
    > - SDK and JRE 1.2.2_015 and earlier.

    The following applet tests for this vulnerability:

    ------------------------------------------------------------------
    import java.applet.Applet;
    import java.awt.Graphics;
    import java.security.AccessControlException;

    public class Simple extends Applet {

         StringBuffer buffer;   // text shown in the applet area

         public void init() {
             buffer = new StringBuffer();
         }

         public void start() {
             // The applet's own (sandboxed) class loader.
             ClassLoader cl = this.getClass().getClassLoader();
             try {
                     // Note the slashes: a dotted name "sun.applet.AppletClassLoader"
                     // would be refused with an AccessControlException.
                     Class cla = cl.loadClass("sun/applet/AppletClassLoader");
                     addItem("No exception in loadClass. Vulnerable!");
             } catch (ClassNotFoundException e) {
                     addItem("ClassNotFoundException in loadClass - " + e);
             } catch (AccessControlException e) {
                     addItem("AccessControlException in loadClass - Not Vulnerable!");
             }

         }

         void addItem(String newWord) {
             System.out.println(newWord);   // also goes to the Java console
             buffer.append(newWord);
             repaint();
         }

         public void paint(Graphics g) {
             //Draw a Rectangle around the applet's display area.
             g.drawRect(0, 0, size().width - 1, size().height - 1);

             //Draw the current string inside the rectangle.
             g.drawString(buffer.toString(), 5, 15);
         }
    }
    ----------------------------------------------------------------

    This test can be found here: http://bcheck.scanit.be/bcheck/applet.html

    If Sun Java VM is installed, the applet runs and says whether the VM is
    vulnerable or not.

    I am loading sun.applet.AppletClassLoader, but it could be any other
    class from the sun. package tree.

    I don't know how this bug is exploitable, because whenever I try to do
    anything at all with a class loaded this way, for example, create an
    instance of it or call methods, I get SecurityManager's exceptions.
    Gotta wait patiently until LSD releases more details.

    I've tested Internet Explorer 6 and Mozilla Firebird. Internet Explorer
    is exploitable if configured to use Sun Java VM instead of Microsoft VM.

    Alla.
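The defensive side of the bug described above, as an added example that is not part of the original post or of Sun's code: a hypothetical class loader whose loadClass refuses any name that is not a valid dotted binary name before running the package-access check, so a slash-separated spelling cannot slip past a check that only looks for the last '.'. The StrictLoader class, isBinaryName helper and the assumption that checkPackageAccess is the relevant control are all this example's own.

```java
import java.security.AccessControlException;

/** Hypothetical hardened loader (not Sun's AppletClassLoader). */
public class StrictLoader extends ClassLoader {

    public StrictLoader(ClassLoader parent) { super(parent); }

    /** True only for a well-formed binary name: dot-separated Java identifiers.
     *  A '/' is never an identifier character, so "sun/applet/X" is rejected. */
    static boolean isBinaryName(String name) {
        if (name == null || name.isEmpty()) return false;
        for (String part : name.split("\\.", -1)) {
            if (part.isEmpty() || !Character.isJavaIdentifierStart(part.charAt(0))) return false;
            for (int i = 1; i < part.length(); i++)
                if (!Character.isJavaIdentifierPart(part.charAt(i))) return false;
        }
        return true;
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        // Normalise first: anything that is not a binary name is not a class we know.
        if (!isBinaryName(name)) throw new ClassNotFoundException("malformed class name: " + name);
        // Only now derive the package and apply the access check (assumed control;
        // SecurityManager is deprecated for removal in current JDKs, kept here for illustration).
        int dot = name.lastIndexOf('.');
        SecurityManager sm = System.getSecurityManager();
        if (sm != null && dot != -1) sm.checkPackageAccess(name.substring(0, dot));
        return super.loadClass(name, resolve);
    }

    public static void main(String[] args) {
        StrictLoader loader = new StrictLoader(StrictLoader.class.getClassLoader());
        // Constructed sample names: one legitimate, one in the slashed spelling from the applet above.
        for (String n : new String[] { "java.lang.String", "sun/applet/AppletClassLoader" }) {
            try {
                loader.loadClass(n);
                System.out.println(n + ": loaded");
            } catch (ClassNotFoundException e) {
                System.out.println(n + ": rejected (" + e.getMessage() + ")");
            } catch (AccessControlException e) {
                System.out.println(n + ": denied (" + e.getMessage() + ")");
            }
        }
    }
}
```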

