Hi Siva,

thanks for the remarks. It seems that you did not open the window for the
second applet with Ctrl+N; instead you used a second IE browser process,
which means that there is no shared JVM and therefore no shared Java
system fields which can be used as a covert channel.

I added a screenshot to the demonstration page to show where to put the
data; I must admit the form is lacking some user-friendliness. Your
experiences are included in the updated text.

Marc

On Sat, 10 Jul 2004, Siva Subbu wrote:

> Date: Sat, 10 Jul 2004 20:04:47 -0700
> From: Siva Subbu <sivasub23@xxxxxxxxxxx>
> To: Marc Schoenefeld <schonef@xxxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Re: Covert Channels allow Cross-Site-Java in Microsoft VM
>
> Hello Marc,
> I tried to reproduce this but I couldn't.
> I see a null pointer exception in the Java Console and I don't get the
> contents in Applet B which were put in Applet A.
> I get this error:
>
> Magath
> Exception occurred during event dispatching:
> java.lang.NullPointerException
>     at FNMAP.getContentTypeFor
>     at CovAppletFNMap$MyButtonListener.actionPerformed
>     at java/awt/Button.processActionEvent
>     at java/awt/Button.processEvent
>     at java/awt/Component.dispatchEventImpl
>     at java/awt/Component.dispatchEvent
>     at java/awt/EventDispatchThread.run
>
> Is there a problem with the repro code?
>
> Thanks,
> H.K.
>
> ----- Original Message -----
> From: "Marc Schoenefeld" <schonef@xxxxxxxxxxxxxxx>
> To: <bugtraq@xxxxxxxxxxxxxxxxx>
> Sent: Saturday, July 10, 2004 7:07 AM
> Subject: Covert Channels allow Cross-Site-Java in Microsoft VM
>
>
> Hi y'all,
>
> I have not found the contact address for Microsoft JVM
> security issues, therefore maybe someone who reads
> bugtraq can forward this:
>
> In the Microsoft (R) VM for Java, 5.0 Release 5.0.0.3810,
> the implementation of some core system classes allows
> creating covert channels between applets that are
> loaded from different websites (aka cross-site Java).
> As these applets share a common class loader for
> the system classes, all public static (non-final)
> fields can be used to create a covert channel in accordance
> with the sandbox restriction and exchange cross-site
> information. This may be used for security zone violation
> and general data leakage.
>
> When you load the two applets:
>
> A: http://www.tauwerkkunst.de/javatest/SiteA/CovAppletFNMap.html
>
> and
>
> B: http://www.beauchamp.de/tauwerk/javatest/SiteA/CovAppletFNMap.html
>
> you can use the commands
>
> PUT/Key/Value to create an entry in the shared hashtable of the applets
> GET/Key to read an entry in the shared hashtable of the applets
>
> 'Key' and 'Value' are string values.
>
> So if you PUT/TopScorer/Makaay in the lower textbox and press "Perform
> Action" and then switch to applet B, which has an identical look, and enter
> 'GET/TopScorer' and "Perform Action", you will be prompted with 'Makaay',
> which is information that should only be known to applet A.
>
> I think this is a major violation of sandbox constraints.
>
> Sincerely
> Marc
>
> P.S.: Read some more Java stuff at www.illegalaccess.org
>
>
> --
>
> Never be afraid to try something new. Remember, amateurs built the
> ark; professionals built the Titanic. -- Anonymous
>
> Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer

--

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
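The mechanism the advisory describes, as an added example in plain Java that is not Marc's demo code: a public static, non-final field of a class reached through a common parent loader is one object for every loader that delegates to it, while defining the class separately per trust domain gives each domain its own static state. The class names are hypothetical; it assumes Java 9 or newer, compiled and run from the directory holding the class files.

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.util.Hashtable;

public class StaticFieldChannelDemo {
    // Hypothetical stand-in for a "system" class with a public static, non-final field.
    public static class SharedRegistry {
        public static Hashtable<String, String> table = new Hashtable<>();
    }

    // Loader that defines SharedRegistry itself instead of delegating to its parent,
    // so every IsolatingLoader instance gets a private copy of the static state.
    static class IsolatingLoader extends ClassLoader {
        IsolatingLoader() { super(StaticFieldChannelDemo.class.getClassLoader()); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(SharedRegistry.class.getName())) {
                return super.loadClass(name, resolve);   // everything else: normal delegation
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    String res = name.replace('.', '/') + ".class";
                    try (InputStream in = getParent().getResourceAsStream(res)) {
                        byte[] bytes = in.readAllBytes();
                        c = defineClass(name, bytes, 0, bytes.length);  // fresh Class, fresh statics
                    } catch (IOException e) {
                        throw new ClassNotFoundException(name, e);
                    }
                }
                return c;
            }
        }
    }

    // The registry object that an "applet" loaded through the given loader would see.
    static Hashtable<String, String> tableSeenBy(ClassLoader loader) throws Exception {
        Field f = loader.loadClass(SharedRegistry.class.getName()).getField("table");
        return (Hashtable<String, String>) f.get(null);
    }

    public static void main(String[] args) throws Exception {
        ClassLoader app = StaticFieldChannelDemo.class.getClassLoader();
        // Covert channel: two per-site loaders delegating to one parent share one Hashtable,
        // so what site A PUTs, site B can GET.
        tableSeenBy(new ClassLoader(app) {}).put("TopScorer", "Makaay");
        System.out.println("shared parent, B reads: " + tableSeenBy(new ClassLoader(app) {}).get("TopScorer"));
        // Mitigation: define the class once per trust domain; A's write is invisible to B.
        tableSeenBy(new IsolatingLoader()).put("TopScorer", "Makaay");
        System.out.println("isolated, B reads: " + tableSeenBy(new IsolatingLoader()).get("TopScorer"));
    }
}
```

Making the field `final` and pointing it at an unmodifiable structure closes the channel as well, since the leak needs state that any sandboxed caller can both write and read.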