Re: Sun Java Plugin arbitrary package access vulnerability

["Rob Carmichael" <robc () globalvc co uk>]

Phil,

So is the built in 'update' feature in the JVM, however the link mentioned
in the advisory works fine.

regards,
Rob

----- Original Message ----- 
From: "Randal, Phil" <prandal () herefordshire gov uk>
To: <full-disclosure () netsys com>
Sent: Tuesday, November 23, 2004 11:50 AM
Subject: RE: [Full-disclosure] Sun Java Plugin arbitrary package access
vulnerability


> FYI,  www.java.com is still dishing out 1.4.2_05
>
> Phil
>
> ----
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
> > -----Original Message-----
> > From: full-disclosure-admin () lists netsys com
> > [mailto:full-disclosure-admin () lists netsys com] On Behalf Of
> > Jouko Pynnonen
> > Sent: 23 November 2004 01:40
> > To: full-disclosure () netsys com
> > Subject: [Full-disclosure] Sun Java Plugin arbitrary package
> > access vulnerability
> >
> >
> >
> > OVERVIEW
> > ========
> >
> > Sun Microsystem's Java Plugin connects the Java technology to
> > web browsers and allows the use of Java Applets. Java Plugin
> > technology is available for numerous platforms and supports
> > major web browsers.
> >
> > A vulnerability in Java Plugin allows an attacker to create
> > an Applet which can disable Java's security restrictions and
> > break out of the Java sandbox. The attack can be launched
> > when a victim views a web page created by the attacker.
> > Further user interaction is not required as Java Applets are
> > normally loaded and started automatically.
> >
> > Such Applet can then take any action which the user could:
> > browse, read, or modify files, upload more programs to the
> > victim system and run them, or send out data from the system.
> > Java is a cross-platform language so the same exploit could
> > run on various OS'es and architectures.
> >
> >
> >
> > DETAILS
> > =======
> >
> > There is a number of private Java packages in the Java VM,
> > meant to be used only by the VM internally. Java Applets
> > can't normally access these packages because of security
> > concerns. Attempting to access them normally results in an
> > AccessControlException.
> >
> > The problem is that JavaScript code can bypass the access
> > control by using so called reflection API. The following
> > piece of example JavaScript acquires a reference to a
> > supposedly restricted, private class "sun.text.Utility":
> >
> >  [script language=javascript]
> >  var c=document.applets[0].getClass().forName('sun.text.Utility');
> >  alert('got Class object: '+c)
> >  [/script]
> >
> > This isn't possible by a normal Java Applet, and shouldn't be
> > for JavaScript either. The JavaScript code could now
> > instantiate the class or pass it to an Applet that could use it.
> >
> > An attacker can't do much with the utility class in this
> > example, but could use other private classes to exploit the
> > vulnerability. Some of them allow e.g. direct access to
> > memory or methods for modifying private fields of Java
> > objects. The latter allows an attacker to simply turn off the
> > Java security manager, after which there is no sandbox
> > restricting what the Applet can do.
> >
> >
> >
> > VULNERABLE VERSIONS
> > ===================
> >
> > The Java Plugin versions 1.4.2_04 and 1.4.2_05 were tested on
> > Windows and Linux. Web browsers tested were Microsoft
> > Internet Explorer, Mozilla Firefox and Opera. It should be
> > noted that Opera uses a different way of connecting
> > JavaScript and Java which caused the test exploit not to work
> > on Opera. However the problem itself (access to private
> > packages) was demonstrated on Opera too, so it may be
> > vulnerable to a variation of the exploit.
> >
> >
> >
> > SOLUTION
> > ========
> >
> > Sun Microsystems was informed on April 29, 2004 and has fixed
> > the problem in J2SE 1.4.2_06, available at
> >
> >   http://java.sun.com/j2se/1.4.2/download.html
> >
> >
> >
> > CREDITS
> > =======
> >
> > The vulnerability was discovered and researched by Jouko
> > Pynnonen, Finland.
> >
> >
> >
> > -- 
> > Jouko Pynnönen          Web: http://iki.fi/jouko/
> > jouko () iki fi
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html