SecurityTracker.com
Category:   Application (Web Browser)  >   Microsoft Internet Explorer (IE)
Vendors:   Microsoft
Microsoft Internet Explorer (IE) Java Class Loader Security Flaw Lets Remote Users Bypass Java Security Restrictions
SecurityTracker Alert ID:  1005699
SecurityTracker URL:  http://securitytracker.com/id/1005699
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 25 2002
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 6.0 and prior versions
Description:   A vulnerability was reported in Microsoft Internet Explorer in the Java Virtual Machine (VM). A remote user can circumvent Java sandbox security controls and execute arbitrary code on the target user's system.

Last Stage of Delirium reported that there is a flaw in the protection of Class Loader objects provided by the VM. A remote user can create a fully functioning instance of a Class Loader object from the untrusted code of a malicious applet.

A remote user can define a class that the Bytecode Verifier should not permit. The class's default constructor calls another <init> method of the same class. In that second constructor, a call to the super class's <init> method is made. As expected, this call is not permitted, because the remote user's code does not have the privileges required to create Class Loader objects, and the result is a security exception. However, the security exception is caught by the code of the default constructor, so the default constructor's <init> method completes successfully.

According to the report, the VM checks that the invocation of a super class constructor is not embedded within an exception handler. But the authors of the report found that the code does not properly check the case where the super class constructor is reached indirectly, through a call to another <init> method of the same class, so the exception handler around that indirect call goes unnoticed.
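To make the check described above concrete, here is an added toy model (not code from the original page, the Microsoft VM or LSD): the naive check inspects only the constructor that calls super.<init> directly, while the fixed check follows this(...) delegation, so a handler covering the delegating call is rejected. The Ctor class, the Evil/Good names and the pc values are constructed for illustration.

```python
# Toy model of the verifier check the advisory describes: a constructor's call to
# super.<init> must not be covered by an exception handler. Constructed example.
from dataclasses import dataclass, field

@dataclass
class Ctor:
    name: str                 # e.g. "Evil.<init>()V"
    calls: list               # (pc, target) of each invokespecial <init> call
    handlers: list = field(default_factory=list)  # (start_pc, end_pc) protected ranges

def in_handler(pc, ctor):
    return any(start <= pc < end for start, end in ctor.handlers)

def verify_naive(ctors, cls, superclass):
    # Flawed check: inspects only the constructor that calls super.<init> directly.
    for c in ctors.values():
        for pc, target in c.calls:
            if target.startswith(superclass + ".<init>") and in_handler(pc, c):
                return False, f"{c.name}: super.<init> at pc {pc} inside handler"
    return True, "ok"

def verify_fixed(ctors, cls, superclass):
    # Follows this(...) delegation so the whole init chain must be handler-free.
    for c in ctors.values():
        cur, seen = c, set()
        while True:
            if cur.name in seen:
                return False, f"{cur.name}: constructor delegation cycle"
            seen.add(cur.name)
            inits = [(pc, t) for pc, t in cur.calls if ".<init>" in t]
            if not inits:
                return False, f"{cur.name}: no <init> call"
            pc, target = inits[0]
            if in_handler(pc, cur):
                return False, f"{cur.name}: <init> at pc {pc} inside handler"
            if target.startswith(superclass + ".<init>"):
                break                      # chain ends at the real super call
            if not target.startswith(cls + ".<init>"):
                return False, f"{cur.name}: <init> call to an unrelated class"
            cur = ctors[target]            # this(...): continue in that constructor
    return True, "ok"

# Constructed sketch of the pattern in the advisory:
#   Evil(): try { this(0) } catch (SecurityException) {}   Evil(int): super()
EVIL = {
    "Evil.<init>()V":  Ctor("Evil.<init>()V", [(2, "Evil.<init>(I)V")], [(0, 6)]),
    "Evil.<init>(I)V": Ctor("Evil.<init>(I)V", [(1, "java/lang/ClassLoader.<init>()V")]),
}
GOOD = {"Good.<init>()V": Ctor("Good.<init>()V", [(1, "java/lang/Object.<init>()V")], [(4, 10)])}
```

GOOD, whose try block begins only after the super call, passes both checks; EVIL passes the naive check and is rejected by the fixed one.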

For additional information on this flaw, see the original report at:

http://lsd-pl.net/java_security.html

The vendor has reportedly been notified.

[Editor's note: This flaw is in the Microsoft VM component of IE, which is also distributed separately. Because of that, we are issuing one alert for VM and another alert for IE to ensure that you do not miss this bug.]

Impact:   A remote user can execute arbitrary code on the target user's computer with the privileges of the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Access control error, State error
Underlying OS:   Windows (Any)

Message History:   None.


Source Message Contents

Date:  Wed, 20 Nov 2002 18:44:18 -0800
Subject:  [LSD] Java and JVM security vulnerabilities



We would like to inform you about several security vulnerabilities in Java
Virtual Machine implementations that we have found during our research. These
vulnerabilities affect at least JVMs used in Netscape Communicator and Microsoft
Internet Explorer web browsers. Below you can find their brief descriptions:

[1] - JIT bug
      (it affects Netscape Communicator 4.0-4.8 on Win32/x86 platform)

      Its successful exploitation allows for complete circumvention of the
      Java type safety rules. As a result of this, applet sandbox restrictions
      can also be escaped and malicious actions can be taken on the computer
      of the victim user.

[2] - Bytecode Verifier vulnerability
      (it affects Microsoft Internet Explorer 4.0-6.0 including VM build 3805)

      Its successful exploitation allows for complete circumvention of the
      Java type safety rules. As a result of this, applet sandbox restrictions
      can also be escaped and malicious actions can be taken on the computer
      of the victim user.

[3] - Bytecode Verifier vulnerability
      (it affects SUN JDK 1.1-1.4, Netscape Communicator 4.0-4.8 on Win32
      and Unix systems)

      Its successful exploitation allows one to gain read and write access to
      the local file system. It also allows one to bypass applet sandbox
      restrictions with regard to network access (socket, bind, listen, accept
      and connect calls). On the Win32 platform, this vulnerability can be
      exploited in such a way that complete circumvention of the Java type
      safety rules can be achieved. As a result of this, applet sandbox
      restrictions can also be escaped and malicious actions can be taken on
      the computer of the victim user.

      Although this vulnerability also affects JDK 1.x from SUN, we haven't
      found a way to successfully exploit it under Netscape 6.x and
      Appletviewer.

[4] - Bad implementation of system classes
      (it affects Netscape Communicator 4.0-4.8 on Win32 and Unix systems)

      It allows for arbitrary loads of user provided libraries. When combined
      with the previous Bytecode Verifier vulnerability it can be used to
      deploy and execute arbitrary programs on the computer of the victim user.

More details with regard to each of the above vulnerabilities can be found in
our technical paper that can be downloaded from our website:

http://lsd-pl.net/java_security.html

This paper was published for the first time on October 3rd 2002. It was
presented during our talk at Asia Black Hat Briefings conference in Singapore.

Along with the paper, we also plan to release proof of concept codes for all
of the vulnerabilities that are discussed in it. But this will be done in about
1 week's time from now.

On September 2nd we notified JVM vendors (SUN, Microsoft and Netscape) about
the vulnerabilities that we have found. Along with that we provided them with
a pre-release copy of our paper. Up to this time we have not received ANY
response from Microsoft as well as Netscape with regard to the reported issues
(vendors were given 30 days time to prepare patches). Only SUN replied to our
notification and informed us that proper patches would be prepared for these
issues.

We can understand why there was no response from Netscape since the three [1]
[3][4] vulnerabilities affecting Netscape web browser were submitted to the
Netscape Bug Bounty program which entitles 1000 USD for a security bug in
Netscape Communicator to its founder. Netscape seems to be another American
company that does not seem to be fulfilling public obligations made through
company's web pages (http://home.netscape.com/security/bugbounty.html). While
we were waiting for Netscape's response to our vulnerability report, Netscape
changed(!) the Reward Guidelines of the Bug Bounty program so that now only bugs
in Netscape 7.x are rewarded (previously both the latest 6.x and 4.8 versions were
taken into account). Nice move, huh?

Netscape cannot of course beat Argus Systems who after 18 months still has not
paid us the remaining 45000 USD of the prize money won by us during the 5th
Argus Hacking Challenge (please see http://lsd-pl.net/argus.html for more
information on this subject).

Best Regards,
Members of LSD Research Group
http://lsd-pl.net
Copyright 2012, SecurityGlobal.net LLC