Re: Sun Java Plugin arbitrary package access vulnerability

[Alla Bezroutchko <alla () scanit be>]

Jouko Pynnonen wrote:

> A vulnerability in Java Plugin allows an attacker to create an Applet 
> which can disable Java's security restrictions and break out of the 
> Java sandbox.

<skip>

> The Java Plugin versions 1.4.2_04 and 1.4.2_05 were tested on Windows 
> and Linux. Web browsers tested were Microsoft Internet Explorer, 
> Mozilla Firefox and Opera. It should be noted that Opera uses a 
> different way of connecting JavaScript and Java which caused the test 
> exploit not to work on Opera. However the problem itself (access to 
> private packages) was demonstrated on Opera too, so it may be 
> vulnerable to a variation of the exploit.

As noted by rodmoses(at)yahoo(dot)com Opera remains vulnerable even 
after the upgrade of JVM to version 1.4.2_06. (tested on Windows XP SP2, 
Opera 7.54, J2SE 1.4.2_06).

According to Jouko, Opera does not use Java plugin, but has its own 
interface to Java. The fact that the problem is still present after JVM 
upgrade probably means that there is an independent  bug in Opera Java 
interface which has the same effect as the bug in Sun Java Plugin.

AFAIK there is no fix for Opera yet. I have reported this bug to Opera 
through their web interface (bug-158156).

There is an online test for this bug at Browser Security Test 
(http://bcheck.scanit.be/bcheck/). Go to 
http://bcheck.scanit.be/bcheck/choosetests.php if you only want to run 
the test for this particular bug.

Alla.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html