Re: [LSD] Security vulnerability in SUN's Java Virtual Machine implementation

From: Alla Bezroutchko (alla_at_scanit.be)
Date: 10/28/03

  • Next message: Heikki Toivonen: "Re: Internet Explorer and Opera local zone restriction bypass"
    Date: Tue, 28 Oct 2003 10:32:07 +0100
    To: bugtraq@securityfocus.com
    
    

    Last Stage of Delirium wrote:
    > Hello,
    >
    > We have found a security vulnerability in the SUN's implementation of the Java
    > Virtual Machine, which affects the following SDK and JRE releases:
    > - SDK and JRE 1.4.1_03 and earlier
    > - SDK and JRE 1.3.1_08 and earlier
    > - SDK and JRE 1.2.2_015 and earlier.

    The following applet tests for this vulnerability:

    ------------------------------------------------------------------
    import java.applet.Applet;
    import java.awt.Graphics;
    import java.lang.Class;
    import java.security.AccessControlException;

    public class Simple extends Applet {

         StringBuffer buffer;

         public void init() {
             buffer = new StringBuffer();
         }

         public void start() {
             ClassLoader cl = this.getClass().getClassLoader();
             try {
                     Class cla =
    cl.loadClass("sun/applet/AppletClassLoader"); // Note the slashes
                     addItem("No exception in loadClass. Vulnerable!");
             } catch (ClassNotFoundException e) {
                     addItem("ClassNotFoundException in loadClass - " + e);
             } catch (AccessControlException e) {
                     addItem("AccessControlException in loadClass - Not
    Vulnerable!");
             }

         }

         void addItem(String newWord) {
             System.out.println(newWord);
             buffer.append(newWord);
             repaint();
         }

         public void paint(Graphics g) {
             //Draw a Rectangle around the applet's display area.
             g.drawRect(0, 0, size().width - 1, size().height - 1);

             //Draw the current string inside the rectangle.
             g.drawString(buffer.toString(), 5, 15);
         }
    }
    ----------------------------------------------------------------

    This test can be found here: http://bcheck.scanit.be/bcheck/applet.html

    If Sun Java VM is installed, the applet runs and says if VM is
    vulnerable or not.

    I am loading sun.applet.AppletClassLoader, but it could be any other
    class from sun. package tree.

    I don't know how this bug is exploitable, because whenever I try to do
    anything at all with a class loaded this way, for example, create an
    instance of it or call methods, I get SecurityManager's exceptions.
    Gotta wait patiently until LSD releases more details.

    I've tested Internet Explorer 6 and Mozilla Firebird. Internet Explorer
    is exploitable if confgured to use Sun Java VM instead of Microsoft VM.

    Alla.


  • Next message: Heikki Toivonen: "Re: Internet Explorer and Opera local zone restriction bypass"