Re: Covert Channels allow Cross-Site-Java in Microsoft VM

[Marc Schoenefeld <schonef () uni-muenster de>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Siva,

thanks for the remarks,
it seems that you did not open the window for the
second applet with Ctrl+N, instead you used a
second IE browser process which means that there is no
shared JVM and therefore no shared java system fields
which can be used as a covert channel.

I added a screenshot to the demonstration page to show
where to put the data, i must admit the form is lacking
some userfriendliness. Your experiences are included
in the updated text.

Marc


On Sat, 10 Jul 2004, Siva Subbu wrote:

> Date: Sat, 10 Jul 2004 20:04:47 -0700
> From: Siva Subbu <sivasub23 () hotmail com>
> To: Marc Schoenefeld <schonef () uni-muenster de>, bugtraq () securityfocus com
> Subject: Re: Covert Channels allow Cross-Site-Java in Microsoft VM
>
> Hello Marc,
> I tried to reproduce this but I couldn't.
> I see a null pointer exception in the Java Console and I don't get the
> contents in Applet B which were put in Applet A.
> I get this error
> Magath
> Exception occurred during event dispatching:
> java.lang.NullPointerException
>  at FNMAP.getContentTypeFor
>  at CovAppletFNMap$MyButtonListener.actionPerformed
>  at java/awt/Button.processActionEvent
>  at java/awt/Button.processEvent
>  at java/awt/Component.dispatchEventImpl
>  at java/awt/Component.dispatchEvent
>  at java/awt/EventDispatchThread.run
>
> Is there a problem with the repro code?
>
> Thanks,
> H.K.
> ----- Original Message -----
> From: "Marc Schoenefeld" <schonef () uni-muenster de>
> To: <bugtraq () securityfocus com>
> Sent: Saturday, July 10, 2004 7:07 AM
> Subject: Covert Channels allow Cross-Site-Java in Microsoft VM
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi y'all,
> I have not found the contact address for microsoft jvm
> security issues, therefore maybe someone who reads
> bugtraq can forward this:
> in the Microsoft (R) VM for Java, 5.0 Release 5.0.0.3810
> the implementation  of some core system classes allows to
> create covert channels between applets that are
> loaded from different websites (aka cross-site java).
> As these applet they share a common class loader for
> the system classes all public static (non-final)
> fields can be used to create a covert channel in accordance
> to the sandbox restriction and exchange cross-site
> information. This may be used for security zone violation
> and general data leakage.
>
> When you load the two applets:
>
> A:http://www.tauwerkkunst.de/javatest/SiteA/CovAppletFNMap.html
>
> and
>
> B:http://www.beauchamp.de/tauwerk/javatest/SiteA/CovAppletFNMap.html
>
> you can use the commands
>
> PUT/Key/Value  to create an entry in the shared hashtable of the applets
> GET/Key to read an entry in the shared hashtable of the applets
>
> 'Key' and 'Value' are string values.
>
> So if you PUT/TopScorer/Makaay in the lower textbox and press "Perform
> Action" and then switch to applet B which has an identical look and enter
> 'GET/TopScorer' and "Perform Action" you will be prompted with 'Makaay',
> which is an information that should only be known to applet A.
>
> I think this is a major violation of sandbox constraints.
>
> Sincerely
> Marc
>
> P.S: Read some more java stuff at www.illegalaccess.org
>
>
>
>
> - --
>
> Never be afraid to try something new. Remember, amateurs built the
> ark; professionals built the Titanic. -- Anonymous
>
> Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (AIX)
>
> iD8DBQFA7/ggqCaQvrKNUNQRAifIAJ9deBwncOjGHVY10MFF20HmCjEjpgCeOydd
> 9tX6TX6j3CfFYgGeWJ8uD0k=
> =Yp27
> -----END PGP SIGNATURE-----

- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (AIX)

iD8DBQFA8PH4qCaQvrKNUNQRAvvhAJwIFiMtROZkWQVp4EwXBOUyzyyFBACfd8wc
iLsS95yDJQN6tCo8NE6yRRM=
=ZRtp
-----END PGP SIGNATURE-----