Re: Covert Channels allow Cross-Site-Java in Microsoft VM

From: Siva Subbu (sivasub23_at_hotmail.com)
Date: 07/11/04

    To: "Marc Schoenefeld" <schonef@uni-muenster.de>, <bugtraq@securityfocus.com>
    Date: Sat, 10 Jul 2004 20:04:47 -0700
    
    

    Hello Marc,
    I tried to reproduce this but I couldn't.
    I see a null pointer exception in the Java Console and I don't get the
    contents in Applet B which were put in Applet A.
    I get this error
    Magath
    Exception occurred during event dispatching:
    java.lang.NullPointerException
     at FNMAP.getContentTypeFor
     at CovAppletFNMap$MyButtonListener.actionPerformed
     at java/awt/Button.processActionEvent
     at java/awt/Button.processEvent
     at java/awt/Component.dispatchEventImpl
     at java/awt/Component.dispatchEvent
     at java/awt/EventDispatchThread.run

    Is there a problem with the repro code?

    Thanks,
    H.K.
    ----- Original Message -----
    From: "Marc Schoenefeld" <schonef@uni-muenster.de>
    To: <bugtraq@securityfocus.com>
    Sent: Saturday, July 10, 2004 7:07 AM
    Subject: Covert Channels allow Cross-Site-Java in Microsoft VM

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hi y'all,
    I have not found the contact address for microsoft jvm
    security issues, therefore maybe someone who reads
    bugtraq can forward this:
    in the Microsoft (R) VM for Java, 5.0 Release 5.0.0.3810
    the implementation of some core system classes allows creating
    covert channels between applets that are
    loaded from different websites (aka cross-site java).
    As these applets share a common class loader for
    the system classes, all public static (non-final)
    fields can be used to create a covert channel in accordance
    with the sandbox restriction and exchange cross-site
    information. This may be used for security zone violation
    and general data leakage.

    When you load the two applets:

    A: http://www.tauwerkkunst.de/javatest/SiteA/CovAppletFNMap.html

    and

    B: http://www.beauchamp.de/tauwerk/javatest/SiteA/CovAppletFNMap.html

    you can use the commands

    PUT/Key/Value to create an entry in the shared hashtable of the applets
    GET/Key to read an entry in the shared hashtable of the applets

    'Key' and 'Value' are string values.

    So if you enter PUT/TopScorer/Makaay in the lower textbox and press "Perform
    Action" and then switch to applet B, which has an identical look, and enter
    'GET/TopScorer' and "Perform Action", you will be prompted with 'Makaay',
    which is information that should only be known to applet A.

    I think this is a major violation of sandbox constraints.

    Sincerely
    Marc

    P.S: Read some more java stuff at www.illegalaccess.org

    --

    Never be afraid to try something new. Remember, amateurs built the
    ark; professionals built the Titanic. -- Anonymous

    Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer


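An added audit example, not code from either post nor from the Microsoft VM: it uses reflection to list the public static non-final fields of a class (the condition Marc identifies as the covert channel) and checks whether two class loaders with a common parent resolve a class to the same Class object, which is what makes such a field one shared instance across origins. LeakyRegistry is a constructed stand-in for a system class, since the FNMAP class from the stack trace is not available here.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

public class SharedStaticAudit {

    // Constructed stand-in for a system class with a mutable public static:
    // every loader that delegates to the same parent sees this one Hashtable.
    public static class LeakyRegistry {
        public static Hashtable<String, String> table = new Hashtable<>();
        public static final String VERSION = "1.0"; // final, so not a channel
    }

    // Returns "Class#field : Type" for each public static non-final field.
    public static List<String> findSharedMutableStatics(Class<?> cls) {
        List<String> hits = new ArrayList<>();
        for (Field f : cls.getDeclaredFields()) {
            int m = f.getModifiers();
            if (Modifier.isPublic(m) && Modifier.isStatic(m) && !Modifier.isFinal(m)) {
                hits.add(cls.getName() + "#" + f.getName() + " : " + f.getType().getName());
            }
        }
        return hits;
    }

    // True when both loaders resolve name to the same Class object, i.e. its
    // statics are one shared instance rather than one copy per loader.
    public static boolean isSharedBetween(ClassLoader a, ClassLoader b, String name)
            throws ClassNotFoundException {
        return Class.forName(name, true, a) == Class.forName(name, true, b);
    }

    public static void main(String[] args) throws Exception {
        for (Class<?> cls : new Class<?>[] { LeakyRegistry.class, System.class }) {
            List<String> hits = findSharedMutableStatics(cls);
            System.out.println(cls.getName() + ": " + (hits.isEmpty() ? "clean" : hits));
        }
        // Two per-origin loaders with a common parent, like applets A and B in the post.
        ClassLoader parent = SharedStaticAudit.class.getClassLoader();
        ClassLoader siteA = new URLClassLoader(new URL[0], parent);
        ClassLoader siteB = new URLClassLoader(new URL[0], parent);
        System.out.println("LeakyRegistry shared across loaders: "
                + isSharedBetween(siteA, siteB, LeakyRegistry.class.getName()));
    }
}
```

Pointing the audit at the classes a sandboxed loader delegates to its parent gives the list of mutable statics that a per-origin isolation review has to account for.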