Bugtraq mailing list archives

Re: New Java Security Flaw Found

From: garagan () borg cs dal ca (Sean Garagan)
Date: Tue, 21 Jul 1998 00:30:07 -0400

I thought this when I first read this report, but I then realized that the
report is a bit poorly written.  It describes a bug in Netscape's Java
implementation that allows an attacker take advantage of the ClassLoader
class in java.lang.  The problem with ClassLoader is it when a program
extends ClassLoader, it has no built in protection for the core Java
classes.  The Java team assumes that when you make your own ClassLoader, you
will add checks to see if a class is in java.* and load the local copy using
findSystemClass().  This also means that you can replace the core Java
classes by putting your own in the classpath before the actual ones, so if
your application allows you to specify the classpath, you can do whatever
you want.

I was actually quite surprised to see this when I wrote a ClassLoader a
while ago.  I had wrongly assumed Sun would hard code checks for the core
Java classes.  It looks like Sun relies on proper security implementations
to prevent the ClassLoader from being replaced.


Apologies for quoting the whole message, but I'm afraid that the
following will make even less sense without it:

The problem is somewhat worse than the above description; you don't
need any control over the CLASSPATH to implement the attack.  There
are three bugs in Netscape 4.0x: (1) Applets can create subclasses of
netscape.applet.AppletClassLoader -- Mark LaDue posted this one back
around April, but it didn't directly lead to an attack. (2) The system
classes aren't looked for _first_; therefore, they can be replaced.
(3) We found a new bug in Sun-derived JVM's (including Netscape's)
where replacing a system class leads to a type safety failure.

Combining these three problems allows us to cast ints to Objects and
vice versa.  This is sufficient to defeat all the security mechanisms
in the JVM.

Drew Dean http://www.cs.princeton.edu/~ddean ddean () cs princeton edu
Secure Internet Programming Group, Dept. of Computer Science, Princeton Univ.

Current thread:

Re: New Java Security Flaw Found Sean Garagan (Jul 20)
- <Possible follow-ups>
- Re: New Java Security Flaw Found Mikolaj J. Habryn (Jul 20)
- Re: New Java Security Flaw Found Steven M. Bellovin (Jul 21)