<<< Date Index >>>     <<< Thread Index >>>

Re: [LSD] Security vulnerability in SUN's Java Virtual Machine implementation





Last Stage of Delirium wrote:
Hello,

We have found a security vulnerability in the SUN's implementation of the Java
Virtual Machine, which affects the following SDK and JRE releases:
-   SDK and JRE 1.4.1_03 and earlier
-   SDK and JRE 1.3.1_08 and earlier
-   SDK and JRE 1.2.2_015 and earlier.

The following applet tests for this vulnerability:

------------------------------------------------------------------
import java.applet.Applet;
import java.awt.Graphics;
import java.lang.Class;
import java.security.AccessControlException;

public class Simple extends Applet {

    StringBuffer buffer;

    public void init() {
        buffer = new StringBuffer();
    }

    public void start() {
        ClassLoader cl = this.getClass().getClassLoader();
        try {
Class cla = cl.loadClass("sun/applet/AppletClassLoader"); // Note the slashes
                addItem("No exception in loadClass. Vulnerable!");
        } catch (ClassNotFoundException e) {
                addItem("ClassNotFoundException in loadClass - " + e);
        } catch (AccessControlException e) {
addItem("AccessControlException in loadClass - Not Vulnerable!");
        }

    }

    void addItem(String newWord) {
        System.out.println(newWord);
        buffer.append(newWord);
        repaint();
    }

    public void paint(Graphics g) {
        //Draw a Rectangle around the applet's display area.
        g.drawRect(0, 0, size().width - 1, size().height - 1);

        //Draw the current string inside the rectangle.
        g.drawString(buffer.toString(), 5, 15);
    }
}
----------------------------------------------------------------

This test can be found here: http://bcheck.scanit.be/bcheck/applet.html

If Sun Java VM is installed, the applet runs and says if VM is vulnerable or not.

I am loading sun.applet.AppletClassLoader, but it could be any other class from sun. package tree.

I don't know how this bug is exploitable, because whenever I try to do anything at all with a class loaded this way, for example, create an instance of it or call methods, I get SecurityManager's exceptions. Gotta wait patiently until LSD releases more details.

I've tested Internet Explorer 6 and Mozilla Firebird. Internet Explorer is exploitable if confgured to use Sun Java VM instead of Microsoft VM.

Alla.