<<< Date Index >>>     <<< Thread Index >>>

Covert Channels allow Cross-Site-Java in Microsoft VM



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi y'all,
I have not found the contact address for microsoft jvm
security issues, therefore maybe someone who reads
bugtraq can forward this:
in the Microsoft (R) VM for Java, 5.0 Release 5.0.0.3810
the implementation  of some core system classes allows to
create covert channels between applets that are
loaded from different websites (aka cross-site java).
As these applet they share a common class loader for
the system classes all public static (non-final)
fields can be used to create a covert channel in accordance
to the sandbox restriction and exchange cross-site
information. This may be used for security zone violation
and general data leakage.

When you load the two applets:

A:http://www.tauwerkkunst.de/javatest/SiteA/CovAppletFNMap.html

and

B:http://www.beauchamp.de/tauwerk/javatest/SiteA/CovAppletFNMap.html

you can use the commands

PUT/Key/Value  to create an entry in the shared hashtable of the applets
GET/Key to read an entry in the shared hashtable of the applets

'Key' and 'Value' are string values.

So if you PUT/TopScorer/Makaay in the lower textbox and press "Perform
Action" and then switch to applet B which has an identical look and enter
'GET/TopScorer' and "Perform Action" you will be prompted with 'Makaay',
which is an information that should only be known to applet A.

I think this is a major violation of sandbox constraints.

Sincerely
Marc

P.S: Read some more java stuff at www.illegalaccess.org




- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (AIX)

iD8DBQFA7/ggqCaQvrKNUNQRAifIAJ9deBwncOjGHVY10MFF20HmCjEjpgCeOydd
9tX6TX6j3CfFYgGeWJ8uD0k=
=Yp27
-----END PGP SIGNATURE-----