Sun Java Plugin arbitrary package access vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Sun Java Plugin arbitrary package access vulnerability
From: Jouko Pynnonen <jouko@xxxxxx>
Date: Tue, 23 Nov 2004 09:02:48 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.4i


OVERVIEW
========

Sun Microsystem's Java Plugin connects the Java technology to web 
browsers and allows the use of Java Applets. Java Plugin technology is 
available for numerous platforms and supports major web browsers.

A vulnerability in Java Plugin allows an attacker to create an Applet 
which can disable Java's security restrictions and break out of the 
Java sandbox. The attack can be launched when a victim views a web page 
created by the attacker. Further user interaction is not required as 
Java Applets are normally loaded and started automatically.

Such Applet can then take any action which the user could: browse, 
read, or modify files, upload more programs to the victim system and 
run them, or send out data from the system. Java is a cross-platform 
language so the same exploit could run on various OS'es and 
architectures.



DETAILS
=======

There is a number of private Java packages in the Java VM, meant to be 
used only by the VM internally. Java Applets can't normally access 
these packages because of security concerns. Attempting to access 
them normally results in an AccessControlException.

The problem is that JavaScript code can bypass the access control by 
using so called reflection API. The following piece of example 
JavaScript acquires a reference to a supposedly restricted, private 
class "sun.text.Utility":

 [script language=javascript]
 var c=document.applets[0].getClass().forName('sun.text.Utility');
 alert('got Class object: '+c)
 [/script]

This isn't possible by a normal Java Applet, and shouldn't be for 
JavaScript either. The JavaScript code could now instantiate the class 
or pass it to an Applet that could use it.

An attacker can't do much with the utility class in this example, but 
could use other private classes to exploit the vulnerability. Some of 
them allow e.g. direct access to memory or methods for modifying 
private fields of Java objects. The latter allows an attacker 
to simply turn off the Java security manager, after which there is no 
sandbox restricting what the Applet can do.



VULNERABLE VERSIONS
===================

The Java Plugin versions 1.4.2_04 and 1.4.2_05 were tested on Windows 
and Linux. Web browsers tested were Microsoft Internet Explorer, 
Mozilla Firefox and Opera. It should be noted that Opera uses a 
different way of connecting JavaScript and Java which caused the test 
exploit not to work on Opera. However the problem itself (access to 
private packages) was demonstrated on Opera too, so it may be 
vulnerable to a variation of the exploit.



SOLUTION
========

Sun Microsystems was informed on April 29, 2004 and has fixed the 
problem in J2SE 1.4.2_06, available at

  http://java.sun.com/j2se/1.4.2/download.html



CREDITS
=======

The vulnerability was discovered and researched by Jouko Pynnonen, 
Finland.



-- 
Jouko Pynnönen          Web: http://iki.fi/jouko/
jouko@xxxxxx

Follow-Ups:
- Re: Sun Java Plugin arbitrary package access vulnerability
  - From: Alla Bezroutchko
- Re: Sun Java Plugin arbitrary package access vulnerability
  - From: Ken S

Prev by Date: Re: Changes to the filesystem while find is running - comments?
Next by Date: [CLA-2004:894] Conectiva Security Announcement - shadow-utils
Previous by thread: Broadcast memory corruption in Soldier of Fortune II 1.03
Next by thread: Re: Sun Java Plugin arbitrary package access vulnerability
Index(es):
- Date
- Thread