Re: Covert Channels allow Cross-Site-Java in Microsoft VM
From: Siva Subbu (sivasub23_at_hotmail.com)
To: "Marc Schoenefeld" <email@example.com>, <firstname.lastname@example.org> Date: Sat, 10 Jul 2004 20:04:47 -0700
I tried to reproduce this but I couldn't.
I see a null pointer exception in the Java Console and I don't get the
contents in Applet B which were put in Applet A.
I get this error
Exception occurred during event dispatching:
Is there a problem with the repro code?
----- Original Message -----
From: "Marc Schoenefeld" <email@example.com>
Sent: Saturday, July 10, 2004 7:07 AM
Subject: Covert Channels allow Cross-Site-Java in Microsoft VM
-----BEGIN PGP SIGNED MESSAGE-----
I have not found the contact address for microsoft jvm
security issues, therefore maybe someone who reads
bugtraq can forward this:
in the Microsoft (R) VM for Java, 5.0 Release 126.96.36.19910
the implementation of some core system classes allows to
create covert channels between applets that are
loaded from different websites (aka cross-site java).
As these applet they share a common class loader for
the system classes all public static (non-final)
fields can be used to create a covert channel in accordance
to the sandbox restriction and exchange cross-site
information. This may be used for security zone violation
and general data leakage.
When you load the two applets:
you can use the commands
PUT/Key/Value to create an entry in the shared hashtable of the applets
GET/Key to read an entry in the shared hashtable of the applets
'Key' and 'Value' are string values.
So if you PUT/TopScorer/Makaay in the lower textbox and press "Perform
Action" and then switch to applet B which has an identical look and enter
'GET/TopScorer' and "Perform Action" you will be prompted with 'Makaay',
which is an information that should only be known to applet A.
I think this is a major violation of sandbox constraints.
P.S: Read some more java stuff at www.illegalaccess.org
Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous
Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (AIX)
-----END PGP SIGNATURE-----