microsoft.vm.java.txt
Posted Feb 1, 2000
Authored by Hiromitsu Takagi

Another security hole in Microsoft Virtual Machine for Java has been discovered that allows a java applet to read any file on the system. This vulnerability is quite dangerous and immediate de-activation of the IE Java function provided by Microsoft is highly recommended.

tags | exploit, java
MD5 | c1b9ebcc8306eb8d2e2890f8e119816c

Jan 28, 2000

Translator's note:
We announce another security hole of Microsoft Virtual Machine
(Microsoft VM) for Java, including the latest version. This is the
translated version of the warning note (written in Japanese) by Dr.
Hiromitsu Takagi posted at the Java House Mailing List, a Japanese Java
user discussion site (http://java-house.etl.go.jp/ml/ . Japanese fonts
required to display). The finding is summarized after numerical tests
and discussion among the members. Mr. Kensuke Tada originated the
discussion. The translation is made available by Dr. Tomohira Tabata
(ttabata@ucsd.edu) for his friends and others who may benefit from
the information. Please note that Dr. Tomohira Tabata has no
responsibility for mistranslation in this document.

The finding is:

This security vulnerability allows a Java applet to read any file in
certain directories. Simple code is enough to attack the security hole.
Since even a beginning Java programmer can write it, all users should
take note. The vulnerability is quite dangerous, and immediate
de-activation of the IE Java function provided by Microsoft is highly
recommended, possibly switching to Netscape Navigator, Communicator or
the Sun Java Plug-in until Microsoft provides a "fix".

The body of the warning note by Dr. Hiromitsu Takagi:
----------------------------------------------------------------------------------------------------------

This is a warning for all users of Microsoft Internet Explorer version 4
and 5 (IE4, IE5) for Microsoft Windows95/98/NT.

This security hole is closely CLASSPATH for Java users and especially for the Java Developer; the note
is posted.


Vulnerability
-------------

This security vulnerability allows a Java applet to read any "known
files", which are common to most configurations. A hosted web site is
able to retrieve file information through the applet code automaticallyspecific files which popular applications hold, and files with common
names which users occasionally choose,
This does not allow any change or deletion of local files. We still
believe this vulnerability is quite dan
Detail description
------------------

The readable directories and their sub directories could be limited,will be read,
Except of Windows NT that is home directory of each user profile set.

C:\Windows\desktoWe suspect this variation comes from the version of Microsoft VM for
Java, not the version of IE.

Unfortunately, there is a much more serious case: if you set the
environment variable CLASSPATH in C:\AUTOEXEC.BAT, all files and
directories under the directories set in CLASSPATH are readable.

Java programmers should be aware of tfor their applications.


How to be attacked
------------------

You may get attacked indeed just accessing
When accessing the web site, the applet is downloaded and invoked on
your computer, and then sends files on
InputStream is = ClassLoader.getSystemResourceAsStream(filename);

This single line makes an applet read an email.

Such an applet may already have been made by a malicious programmer
and secretly placed on a web page.
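
Added example (not part of the original advisory and not Microsoft's code): a Java 11+ audit that lists which files under the directory entries of a class path resolve by resource name, which is the kind of lookup ClassLoader.getSystemResourceAsStream performs and why a CLASSPATH entry exposes everything beneath it. The class name, the temporary directory and its files are constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

public class ClasspathExposureAudit {
    // Resource names of all non-class files under the directory entries of a class path.
    // A class-path resource lookup maps each of these names to the file's contents.
    static List<String> exposedResources(String classPath) throws IOException {
        List<String> names = new ArrayList<>();
        for (String entry : classPath.split(File.pathSeparator)) {
            if (entry.isEmpty() || !Files.isDirectory(Path.of(entry))) continue; // skip jar/zip entries
            Path root = Path.of(entry);
            try (Stream<Path> walk = Files.walk(root)) {
                names.addAll(walk.filter(Files::isRegularFile)
                        .filter(p -> !p.toString().endsWith(".class"))
                        .map(p -> root.relativize(p).toString().replace(File.separatorChar, '/'))
                        .collect(Collectors.toList()));
            }
        }
        return names;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary directory standing in for one CLASSPATH entry.
        Path dir = Files.createTempDirectory("cp-entry");
        Files.createDirectories(dir.resolve("notes"));
        Files.writeString(dir.resolve("notes/todo.txt"), "constructed sample data");
        Files.writeString(dir.resolve("App.class"), "placeholder");
        List<String> exposed = exposedResources(dir.toString());
        System.out.println("Resolvable by name: " + exposed);
        // Confirm that a class loader rooted at that directory returns the bytes by name.
        try (URLClassLoader loader = new URLClassLoader(new URL[] { dir.toUri().toURL() }, null)) {
            for (String name : exposed) {
                try (InputStream in = loader.getResourceAsStream(name)) {
                    System.out.println(name + " -> " + new String(in.readAllBytes(), StandardCharsets.UTF_8));
                }
            }
        }
    }
}
```

Passing the value of your own CLASSPATH variable to exposedResources shows which data files sit under class-path directories and would be better moved elsewhere.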


Demonstration of attacking the security hole
--------------------------------------------

You can try a demonstration applet on the following URL, (don't worry,
it just reads you back your e.g. autoexec.bwill see the content with specifying the file name with the directory
name.

When you receive the message "to read or find the specified file. However, this might means only that
the applet searched the different d
Work-around
-----------

Stop Microsoft's Java function until a patch is provided.

Instruction for IE4 users:

Follow "View" menu, "Internet Options...", "Security" tab, "Custom (for
expert users)", and "Setting..." b

Alternative for utilizing Java:

- Use Netscape Navigator or Communicator instead of IE.
- Use Sun Java Plug-in for IE. See
http://java.sun.com/products/plugin/index.html


List of vulnerable applications with versiothe members
------------------------------------------------------------------------------------

Microsoft (R) VM for Java, 5.0 Release 5.0.0.3234 (the latest version,
as of Jan 28, 2000) and earlier

Note that no sNo. This is a simple mis-implementation (a bug) of Microsoft Java VM. It
does NOT mean Java has a structural
Motivation of this note
-----------------------

We are aware that full disclosure of security holes informpeople informed. After fighting this dilemma, we believe the benefit of
users, such as awareness of existing(See the following URLs).
http://www.news.com/News/Item/0,4,41084,00.html?feed.cnetbriefs
http://news.cnet.c
- This issue is already known by thousands of members of our mailing
list. Even if we hid the code, anyone them to provide a patch immediately, and to announce it on media such as
newspaper so that all of Windows us
The following is Microsoft's response:

-- Due to development issue, we can not guarantee to fix it as From this answer, we could not be convinced if users get secured soon.
In addition, they mentioned they coulthis issue to Java communities. (Translator's note: Dr. Takagi gave
Microsoft Corp. in Japan a call on Jan 2

Acknowledgement
---------------

This security hole happened to be found while we were discussing a
programming method to read files in Jar archives. As a starting point, Mr. Tada
reported his applet read files on Desktop unereport, Mr. Amemiya indicated it was a security hole. I, Dr. Takagi,
reported readable directories were not

Related articles
----------------
[j-h-b:30281] [j-h-b:30283] [j-h-b:30284] [j-h-b:30285] [j-h-b:30303]
[j-h-b:30321] [j-h-b:30323] [j-h-b:30324] [j-h-b:30325] [j-h-b:30327]
[j-h-b:30331] [j-h-b:30332] [j-h-b:30333] [j-h-b:30334] [j-h-b:30338]
[j-h-b:30351] [j-h-b:30352] [j-h-b:30353] [j-h-b:30354] [j-h-b:30355]
[j-h-b:3
http://www.etl.go.jp/~takagi/




Acknowledgement from translator
-------------------------------

I would like to thank Dr. Hiromitsu Takagi (takagi@etl.go.jp) and Mr.
Ryoji Sumida (ryo@idt.net) for their kind help.

Tomohira Tabata (ttabata@ucsd.edu), Ph.D., postgraduate research
engineer,
ECE UCSD, 9500 Gilman Drive, La Jolla, CA 92093-0407, USA
