Bugtraq mailing list archives
Re: Covert Channels allow Cross-Site-Java in Microsoft VM
From: Marc Schoenefeld <schonef () uni-muenster de>
Date: Sun, 11 Jul 2004 09:53:22 +0200 (MES)
Hi Siva,

thanks for the remarks. It seems that you did not open the window for the second applet with Ctrl+N; instead you used a second IE browser process, which means that there is no shared JVM and therefore no shared Java system fields which can be used as a covert channel.

I added a screenshot to the demonstration page to show where to put the data; I must admit the form is lacking some user-friendliness. Your experiences are included in the updated text.

Marc

On Sat, 10 Jul 2004, Siva Subbu wrote:
Date: Sat, 10 Jul 2004 20:04:47 -0700
From: Siva Subbu <sivasub23 () hotmail com>
To: Marc Schoenefeld <schonef () uni-muenster de>, bugtraq () securityfocus com
Subject: Re: Covert Channels allow Cross-Site-Java in Microsoft VM

Hello Marc,

I tried to reproduce this but I couldn't. I see a null pointer exception in the Java Console and I don't get the contents in Applet B which were put in Applet A. I get this error:

Magath
Exception occurred during event dispatching:
java.lang.NullPointerException
    at FNMAP.getContentTypeFor
    at CovAppletFNMap$MyButtonListener.actionPerformed
    at java/awt/Button.processActionEvent
    at java/awt/Button.processEvent
    at java/awt/Component.dispatchEventImpl
    at java/awt/Component.dispatchEvent
    at java/awt/EventDispatchThread.run

Is there a problem with the repro code?

Thanks,
H.K.

----- Original Message -----
From: "Marc Schoenefeld" <schonef () uni-muenster de>
To: <bugtraq () securityfocus com>
Sent: Saturday, July 10, 2004 7:07 AM
Subject: Covert Channels allow Cross-Site-Java in Microsoft VM

Hi y'all,

I have not found the contact address for Microsoft JVM security issues, therefore maybe someone who reads bugtraq can forward this:

In the Microsoft (R) VM for Java, 5.0 Release 5.0.0.3810, the implementation of some core system classes allows creating covert channels between applets that are loaded from different websites (aka cross-site Java). As these applets share a common class loader for the system classes, all public static (non-final) fields can be used to create a covert channel in accordance with the sandbox restrictions and exchange cross-site information. This may be used for security zone violation and general data leakage.
When you load the two applets:

A: http://www.tauwerkkunst.de/javatest/SiteA/CovAppletFNMap.html
and
B: http://www.beauchamp.de/tauwerk/javatest/SiteA/CovAppletFNMap.html

you can use the commands

PUT/Key/Value to create an entry in the shared hashtable of the applets
GET/Key to read an entry in the shared hashtable of the applets

'Key' and 'Value' are string values.

So if you PUT/TopScorer/Makaay in the lower textbox and press "Perform Action" and then switch to applet B, which has an identical look, and enter 'GET/TopScorer' and "Perform Action", you will be prompted with 'Makaay', which is an information that should only be known to applet A.

I think this is a major violation of sandbox constraints.

Sincerely
Marc

P.S: Read some more java stuff at www.illegalaccess.org

--
Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
--
Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
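
Added example, not part of the original posts and not the demonstration applet's code: a small reflection audit that lists the public static non-final fields of named classes, which is the property the thread identifies as the shared state between applets under one class loader. The class names `SharedStaticAudit` and `SharedRegistry` are hypothetical, and `SharedRegistry` is a constructed stand-in used when no class names are given on the command line.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

public class SharedStaticAudit {

    // Constructed stand-in for a system class that one class loader shares
    // between all applets in a VM (hypothetical, not a Microsoft VM class).
    public static class SharedRegistry {
        public static Hashtable<String, String> map = new Hashtable<>(); // flagged
        public static final int VERSION = 1;   // final: not flagged
        static String packagePrivate = "";     // not public: not flagged
    }

    /** Lists public static non-final fields of a public class. */
    public static List<String> writableStatics(Class<?> c) {
        List<String> hits = new ArrayList<>();
        if (!Modifier.isPublic(c.getModifiers())) {
            return hits; // non-public class: not reachable from other packages
        }
        for (Field f : c.getDeclaredFields()) {
            int m = f.getModifiers();
            if (Modifier.isPublic(m) && Modifier.isStatic(m) && !Modifier.isFinal(m)) {
                hits.add(c.getName() + "." + f.getName() + " : " + f.getType().getName());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        String[] names = args.length > 0 ? args
                : new String[] { SharedRegistry.class.getName() };
        ClassLoader cl = SharedStaticAudit.class.getClassLoader();
        for (String name : names) {
            try {
                // initialize=false: inspect the class without running its static initializers
                Class<?> c = Class.forName(name, false, cl);
                for (String hit : writableStatics(c)) {
                    System.out.println("WRITABLE STATIC  " + hit);
                }
            } catch (ClassNotFoundException | LinkageError e) {
                System.err.println("skipped " + name + ": " + e);
            }
        }
    }
}
```

Run with fully qualified class names as arguments to audit classes on the classpath; each reported field is state that every caller sharing that class loader can read and replace.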