exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

sunjava.txt

sunjava.txt
Posted Dec 11, 2004
Authored by Jouko Pynnonen | Site klikki.fi

A vulnerability in Java Plugin allows an attacker to create an Applet which can disable Java's security restrictions and break out of the Java sandbox. The attack can be launched when a victim views a web page created by the attacker. Further user interaction is not required as Java Applets are normally loaded and started automatically. Versions affected are below 1.4.2_06.

tags | advisory, java, web
SHA-256 | 3fc1aebf9c24ebd6d4a7590deec5c1bd21fa4d2e6d42b587ee39c12de45f3036

sunjava.txt

Change Mirror Download


OVERVIEW
========

Sun Microsystem's Java Plugin connects the Java technology to web
browsers and allows the use of Java Applets. Java Plugin technology is
available for numerous platforms and supports major web browsers.

A vulnerability in Java Plugin allows an attacker to create an Applet
which can disable Java's security restrictions and break out of the
Java sandbox. The attack can be launched when a victim views a web page
created by the attacker. Further user interaction is not required as
Java Applets are normally loaded and started automatically.

Such Applet can then take any action which the user could: browse,
read, or modify files, upload more programs to the victim system and
run them, or send out data from the system. Java is a cross-platform
language so the same exploit could run on various OS'es and
architectures.



DETAILS
=======

There is a number of private Java packages in the Java VM, meant to be
used only by the VM internally. Java Applets can't normally access
these packages because of security concerns. Attempting to access
them normally results in an AccessControlException.

The problem is that JavaScript code can bypass the access control by
using so called reflection API. The following piece of example
JavaScript acquires a reference to a supposedly restricted, private
class "sun.text.Utility":

[script language=javascript]
var c=document.applets[0].getClass().forName('sun.text.Utility');
alert('got Class object: '+c)
[/script]

This isn't possible by a normal Java Applet, and shouldn't be for
JavaScript either. The JavaScript code could now instantiate the class
or pass it to an Applet that could use it.

An attacker can't do much with the utility class in this example, but
could use other private classes to exploit the vulnerability. Some of
them allow e.g. direct access to memory or methods for modifying
private fields of Java objects. The latter allows an attacker
to simply turn off the Java security manager, after which there is no
sandbox restricting what the Applet can do.



VULNERABLE VERSIONS
===================

The Java Plugin versions 1.4.2_04 and 1.4.2_05 were tested on Windows
and Linux. Web browsers tested were Microsoft Internet Explorer,
Mozilla Firefox and Opera. It should be noted that Opera uses a
different way of connecting JavaScript and Java which caused the test
exploit not to work on Opera. However the problem itself (access to
private packages) was demonstrated on Opera too, so it may be
vulnerable to a variation of the exploit.



SOLUTION
========

Sun Microsystems was informed on April 29, 2004 and has fixed the
problem in J2SE 1.4.2_06, available at

http://java.sun.com/j2se/1.4.2/download.html



CREDITS
=======

The vulnerability was discovered and researched by Jouko Pynnonen,
Finland.



--
Jouko Pynnönen Web: http://iki.fi/jouko/
jouko@iki.fi

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close