Hi Alla, Sun also applied the classloading fix to java.net.URLClassLoader, according to my jardiffer tool, which automatically finds the location of those fixes. I am waiting for the detailed paper of LSD, because loading the class is only a first tiny step to get real control, although if you load enough classes you have at least a Denial-of-Service. But I am sure they will have a good exploit in their sleeve. IMHO there already enough dangerous classes deployed in the rt.jar of the JDK. q.e.d. with the floppy hardware attack on IE& (http://www.illegalaccess.org/exploits/java/applet/MyFloppySucks.html) Marc P.S.: on Opera 7.21 , Java 1.4.2_02 enabled your applet just displays a gray box ..... On Tue, 28 Oct 2003, Alla Bezroutchko wrote: > Date: Tue, 28 Oct 2003 10:32:07 +0100 > From: Alla Bezroutchko <alla@scanit.be> > To: bugtraq@securityfocus.com > Subject: Re: [LSD] Security vulnerability in SUN's Java Virtual Machine > implementation > > > > Last Stage of Delirium wrote: > > Hello, > > > > We have found a security vulnerability in the SUN's implementation of the Java > > Virtual Machine, which affects the following SDK and JRE releases: > > - SDK and JRE 1.4.1_03 and earlier > > - SDK and JRE 1.3.1_08 and earlier > > - SDK and JRE 1.2.2_015 and earlier. > > The following applet tests for this vulnerability: > > ------------------------------------------------------------------ > import java.applet.Applet; > import java.awt.Graphics; > import java.lang.Class; > import java.security.AccessControlException; > > public class Simple extends Applet { > > StringBuffer buffer; > > public void init() { > buffer = new StringBuffer(); > } > > public void start() { > ClassLoader cl = this.getClass().getClassLoader(); > try { > Class cla = > cl.loadClass("sun/applet/AppletClassLoader"); // Note the slashes > addItem("No exception in loadClass. Vulnerable!"); > } catch (ClassNotFoundException e) { > addItem("ClassNotFoundException in loadClass - " + e); > } catch (AccessControlException e) { > addItem("AccessControlException in loadClass - Not > Vulnerable!"); > } > > } > > void addItem(String newWord) { > System.out.println(newWord); > buffer.append(newWord); > repaint(); > } > > public void paint(Graphics g) { > //Draw a Rectangle around the applet's display area. > g.drawRect(0, 0, size().width - 1, size().height - 1); > > //Draw the current string inside the rectangle. > g.drawString(buffer.toString(), 5, 15); > } > } > ---------------------------------------------------------------- > > This test can be found here: http://bcheck.scanit.be/bcheck/applet.html > > If Sun Java VM is installed, the applet runs and says if VM is > vulnerable or not. > > I am loading sun.applet.AppletClassLoader, but it could be any other > class from sun. package tree. > > I don't know how this bug is exploitable, because whenever I try to do > anything at all with a class loaded this way, for example, create an > instance of it or call methods, I get SecurityManager's exceptions. > Gotta wait patiently until LSD releases more details. > > I've tested Internet Explorer 6 and Mozilla Firebird. Internet Explorer > is exploitable if confgured to use Sun Java VM instead of Microsoft VM. > > Alla. > > -- Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic. -- Anonymous Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
