Full Disclosure mailing list archives
Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
From: Billy Rios <billy.rios () gmail com>
Date: Wed, 20 Oct 2010 14:29:46 -0700
In the patch for CVE-2008-5343 (GIFAR) Sun tightened their file parsing rules for remote JAR files, making it harder to smuggle JAR files onto the end of other filetypes. This makes it more difficult to create a GIF+JAR hybrid file. AFAIK, local JAR files were considered out of scope and will not be subject to the additional file parsing scrutiny. Sun/Oracle has not removed the ability to modify arbitrary HOST headers. So, if an attacker can upload a JAR file to a web app, they will have the ability to jump to any domain (virtual hosted or subdomain) that exists on the server. The cookies sent by the applet will be from the domain provided in the URL object, however the content returned by the server will be from the domain specified in the HOST header. This can cause havoc for places where separation relies on subdomains (like wordpress.com et al.) where users have by-design control of content on one subdomain and uses that content to target users on a different subdomain. Java also doesn't respect file extension, content-type, or content-disposition returned by the web server making it a bit easier to upload JAR files to unsuspecting web apps. BK On Wed, Oct 20, 2010 at 1:18 PM, Chris Evans <scarybeasts () gmail com> wrote:
On Wed, Oct 20, 2010 at 8:58 AM, Michal Zalewski <lcamtuf () coredump cx>wrote:Security-Assessment.com follows responsible disclosure and promptly contacted Oracle after discovering the issue. Oracle was contacted on August 1, 2010.My understanding is that Stefano Di Paola of Minded Security reported this back in April; and further, the feature was a part of reasonably well-documented functionality of Java pretty much ever since: http://download.oracle.com/javase/6/docs/api/java/net/URL.htmlThe Host: header trick was also used back in 2008 in Billy Rios' GIFAR attack -- to get around the fact that Picasa hosts images on a separate domain: http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/ The blog post title was "SUN Fixes GIFARs", although it's not immediately obvious to me what was changed or fixed. If anyone knows what was changed back then and/or in this latest release, it would be interesting to see it documented. Cheers Chris"Two hosts are considered equivalent if both host names can be resolved into the same IP addresses" This was a pretty horrible design, so it's good to see it gone, though. /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Roberto Suggi Liverani (Oct 20)
- Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Stefano Di Paola (Oct 21)
- <Possible follow-ups>
- Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Michal Zalewski (Oct 20)
- Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Dan Kaminsky (Oct 20)
- Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Chris Evans (Oct 20)
- Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Billy Rios (Oct 21)
- Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Chris Evans (Oct 20)
- Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Roberto Suggi Liverani (Oct 20)
- Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Roberto Suggi Liverani (Oct 20)
- Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Early Warning (Oct 21)
- Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Stefano Di Paola (Oct 21)