85339 2002-11-25 20:35 /88 lines/ Last Stage of Delirium <contact@lsd-pl.net>
Imported: 2002-11-25 20:35 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <2529>
Subject: [LSD] Java and JVM security vulnerabilities
------------------------------------------------------------
We would like to inform you about several security vulnerabilities in
Java Virtual Machine implementations that we have found during our
research. These vulnerabilities affect at least JVMs used in Netscape
Communicator and Microsoft Internet Explorer web browsers. Below you
can find their brief descriptions:
[1] - JIT bug
      (it affects Netscape Communicator 4.0-4.8 on Win32/x86 platform)

      Its successful exploitation allows for complete circumvention
      of the Java type safety rules. As a result of this, applet
      sandbox restrictions can also be escaped and malicious actions
      can be taken on the computer of the victim user.

[2] - Bytecode Verifier vulnerability
      (it affects Microsoft Internet Explorer 4.0-6.0 including VM build 3805)

      Its successful exploitation allows for complete circumvention
      of the Java type safety rules. As a result of this, applet
      sandbox restrictions can also be escaped and malicious actions
      can be taken on the computer of the victim user.

[3] - Bytecode Verifier vulnerability
      (it affects SUN JDK 1.1-1.4, Netscape Communicator 4.0-4.8 on Win32
      and Unix systems)

      Its successful exploitation allows gaining read and write
      access to the local file system. It also allows bypassing applet
      sandbox restrictions with regard to network access (socket,
      bind, listen, accept and connect calls). On the Win32 platform,
      this vulnerability can be exploited in such a way that
      complete circumvention of the Java type safety rules can be
      done. As a result of this, applet sandbox restrictions can
      also be escaped and malicious actions can be taken on the computer
      of the victim user.

      Although this vulnerability also affects JDK 1.x from SUN, we
      haven't found a way to successfully exploit it under Netscape
      6.x and Appletviewer.

[4] - Bad implementation of system classes
      (it affects Netscape Communicator 4.0-4.8 on Win32 and Unix systems)

      It allows for arbitrary loads of user-provided libraries. When
      combined with the previous Bytecode Verifier vulnerability it
      can be used to deploy and execute arbitrary programs on the
      computer of the victim user.
More details with regard to each of the above vulnerabilities can be
found in our technical paper that can be downloaded from our website:
http://lsd-pl.net/java_security.html
This paper was published for the first time on October 3rd 2002. It
was presented during our talk at Asia Black Hat Briefings conference
in Singapore.
Along with the paper, we also plan to release proof of concept codes
for all of the vulnerabilities that are discussed in it. But this will
be done in about 1 week's time from now.
On September 2nd we notified JVM vendors (SUN, Microsoft and
Netscape) about the vulnerabilities that we have found. Along with
that we provided them with a pre-release copy of our paper. Up to
this time we have not received ANY response from Microsoft as well as
Netscape with regard to the reported issues (vendors were given 30
days time to prepare patches). Only SUN replied to our notification
and informed us that proper patches would be prepared for these
issues.
We can understand why there was no response from Netscape since the
three vulnerabilities [1], [3] and [4] affecting the Netscape web browser were
submitted to the Netscape Bug Bounty program, which entitles the finder
of a security bug in Netscape Communicator to 1000 USD. Netscape
seems to be another American company that does not seem to be
fulfilling public obligations made through the company's web pages
(http://home.netscape.com/security/bugbounty.html). While we were
waiting for Netscape's response to our vulnerability report, Netscape
changed(!) the Reward Guidelines of the Bug Bounty program so that now
only bugs in Netscape 7.x are rewarded (previously both the latest 6.x
and 4.8 versions were taken into account). Nice move, huh?
Netscape cannot of course beat Argus Systems who after 18 months
still has not paid us the remaining 45000 USD of the prize money won
by us during the 5th Argus Hacking Challenge (please see
http://lsd-pl.net/argus.html for more information on this subject).
Best Regards,
Members of LSD Research Group
http://lsd-pl.net
(85339) /Last Stage of Delirium <contact@lsd-pl.net>/(Rewrapped)

85441 2002-11-27 10:23 /30 lines/ Jouko Pynnonen <jouko@solutions.fi>
Imported: 2002-11-27 10:23 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <2545>
Subject: Netscape 4 Java buffer overflow
------------------------------------------------------------
The Java implementation of Netscape 4 contains a buffer overflow
vulnerability. Arbitrary code may be run on a Netscape user's system
when a web page containing a malicious applet is viewed.
The buffer overflow happens in the method canConvert() of the class
sun.awt.windows.WDefaultFontCharset. An applet may trigger the
overflow by passing a long string to the constructor of the class
and invoking the method canConvert() on the created instance. In
Java:
new WDefaultFontCharset(long_string).canConvert('x');
The vulnerability is a trivial case of a buffer overflow. Its
exploitability has been confirmed with an exploit which runs a program
when a web page is viewed.
Netscape 4 has a very limited user base nowadays. Other Netscape
versions use Sun Microsystems' Java Plug-in, so they aren't
vulnerable. This vulnerability only affects the Windows platform,
which limits the number of vulnerable systems further. The
vulnerability doesn't appear exploitable on other browsers. Netscape
and Sun Microsystems were informed about the problem in August
2002. Netscape 4 users can protect themselves from the flaw by
disabling Java in Preferences.
Jouko Pynnönen
jouko@solutions.fi
(85441) /Jouko Pynnonen <jouko@solutions.fi>/(Rewrapped)
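The post above describes a "trivial case of buffer overflow": a native charset helper receives a caller-controlled string and copies it into a fixed-size buffer without comparing lengths. The following C is an added illustration written for this archive page; it is not the Netscape or Sun code, and the function names, the 32-byte capacity and the "can convert" rule (ASCII only) are hypothetical. It places the unchecked copy next to the hardened form, whose only difference is the length check against the buffer capacity before the copy. Only the hardened form is ever called; the unchecked one is kept for side-by-side comparison.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed capacity of the charset-name buffer (constructed value). */
#define NAME_CAPACITY 32

/* Unchecked form (for comparison only, never called here): the length of the
 * caller-supplied name is trusted, so a name longer than NAME_CAPACITY writes
 * past `buf` into whatever follows it on the stack. Java strings carry an
 * explicit length, which is why the model passes (pointer, length). */
int charset_can_convert_unchecked(const char *name, size_t name_len, char ch) {
    char buf[NAME_CAPACITY];
    memcpy(buf, name, name_len);          /* no bound check: overflow if name_len >= NAME_CAPACITY */
    buf[name_len] = '\0';
    return (unsigned char)ch < 0x80 ? 1 : 0;
}

/* Hardened form: validate the length against the buffer capacity (leaving room
 * for the terminator) before copying, and refuse over-long or empty input with
 * an error code instead of trusting the caller.
 * Returns 1 if `ch` is convertible, 0 if not, -1 if the name is rejected. */
int charset_can_convert_safe(const char *name, size_t name_len, char ch) {
    char buf[NAME_CAPACITY];
    if (name == NULL || name_len == 0 || name_len >= sizeof buf)
        return -1;                        /* too long: reject rather than overflow */
    memcpy(buf, name, name_len);
    buf[name_len] = '\0';
    return (unsigned char)ch < 0x80 ? 1 : 0;
}

/* Driver for the long-string case the advisory describes: a constructed
 * 300-byte name must be refused (returns 1 when it is). */
int demo_long_name_is_rejected(void) {
    char long_name[300];
    memset(long_name, 'A', sizeof long_name);
    return charset_can_convert_safe(long_name, sizeof long_name, 'x') == -1;
}

int main(void) {
    /* Constructed inputs: a short name is handled, the long one is refused. */
    printf("short name, 'x': %d\n", charset_can_convert_safe("Cp1252", 6, 'x'));
    printf("long name rejected: %d\n", demo_long_name_is_rejected());
    return 0;
}
```

The same check belongs wherever a string crosses from managed code into a native fixed-size buffer: compare the incoming length to the capacity first, and treat a mismatch as an error return, not as something to truncate silently.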