Bugtraq mailing list archives

RE: iDEFENSE Security Advisory 11.22.04: Sun Java Plugin Arbitrary Package Access Vulnerability


From: "Randal, Phil" <prandal () herefordshire gov uk>
Date: Tue, 23 Nov 2004 11:49:05 -0000

FYI,  www.java.com is still dishing out 1.4.2_05

Phil

----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

-----Original Message-----
From: customer service mailbox [mailto:customerservice () idefense com] 
Sent: 22 November 2004 18:18
To: bugtraq () securityfocus com; vulnwatch () vulnwatch org
Subject: iDEFENSE Security Advisory 11.22.04: Sun Java Plugin 
Arbitrary Package Access Vulnerability

Sun Java Plugin Arbitrary Package Access Vulnerability

iDEFENSE Security Advisory 11.22.04
www.idefense.com/application/poi/display?id=158&type=vulnerabilities
November 22, 2004

I. BACKGROUND

Java Plug-in technology, included as part of the Java 2 
Runtime Environment, Standard Edition (JRE), establishes a 
connection between popular browsers and the Java platform. 
This connection enables applets on Web sites to be run within 
a browser on the desktop. More information about Java Plug-in 
technology is available from http://java.sun.com/products/plugin/.

II. DESCRIPTION

Remote exploitation of a design vulnerability in Sun 
Microsystems Inc.'s Java Plug-in technology allows attackers 
to bypass the Java sandbox and all security restrictions 
imposed within Java Applets.

A number of private Java packages exist within the Java 
Virtual Machine (VM) and are used internally by the VM. 
Security restrictions prevent Applets from accessing these 
packages. Any attempt to access these packages results in a 
thrown exception of 'AccessControlException', unless the 
Applet is signed and the user has chosen to trust the issuer.

The problem specifically exists within the access controls of 
the Java to Javascript data exchange in web browsers using 
Sun's Java Plug-in technology. The vulnerability allows 
Javascript code to load an unsafe class which should not 
normally be possible from a Java Applet.

III. ANALYSIS

Successful exploitation allows remote attackers to execute 
hostile Applets that can access, download, upload or execute 
arbitrary files as well as access the network. A target user 
must be running a browser on top of a vulnerable Java Virtual 
Machine to be affected. It is possible for an attacker to 
create a cross-platform, cross-browser exploit for this 
vulnerability. Once compromised, an attacker can execute 
arbitrary code under the privileges of the user who 
instantiated the vulnerable browser.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in 
Java 2 Platform, Standard Edition (J2SE) 1.4.2_01 and 
1.4.2_04 from Sun Microsystems. It is suspected that earlier 
versions are vulnerable as well. Various browsers such as 
Internet Explorer, Mozilla and Firefox on both Windows and 
Unix platforms can be exploited if they are running a 
vulnerable Java Virtual Machine.

V. WORKAROUND

Disabling Java or JavaScript will prevent exploitation as the 
vulnerability relies on the data transfer between the two components.
Other Java Virtual Machines, such as the Microsoft VM, are 
available and can be used as an alternative.

VI. VENDOR RESPONSE

This issue has been fixed in J2SE v 1.4.2_06 available at:

   http://java.sun.com/j2se/1.4.2/download.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has 
assigned the name CAN-2004-1029 to this issue. This is a 
candidate for inclusion in the CVE list 
(http://cve.mitre.org), which standardizes names for security 
problems.

VIII. DISCLOSURE TIMELINE

06/29/2004   Initial vendor notification
06/30/2004   Initial vendor response
08/16/2004   iDEFENSE clients notified
11/22/2004   Public disclosure

IX. CREDIT

Jouko Pynnonen (jouko[at]iki.fi) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert 
electronically. It may not be edited in any way without the 
express written consent of iDEFENSE. If you wish to reprint 
the whole or any part of this alert in any other medium other 
than electronically, please email 
customerservice () idefense com for permission.

Disclaimer: The information in the advisory is believed to be 
accurate at the time of publishing based on currently 
available information. Use of the information constitutes 
acceptance for use in an AS IS condition.
There are no warranties with regard to this information. 
Neither the author nor the publisher accepts any liability 
for any direct, indirect, or consequential loss or damage 
arising from use of, or reliance on, this information.
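
Added example, not part of the advisory or of the reply above: a triage of `java -version` strings against the releases the advisory names (confirmed in 1.4.2_01 and 1.4.2_04, earlier versions suspected, fixed in 1.4.2_06). The status labels, function names and inventory lines are constructed for illustration; treating unlisted 1.4.2 builds below _06 as needing the update is an assumption.

```python
import re

FIXED = (1, 4, 2, 6)                       # J2SE 1.4.2_06, the fixed release per the advisory
CONFIRMED = {(1, 4, 2, 1), (1, 4, 2, 4)}   # builds iDEFENSE confirmed as vulnerable
FIRST_CONFIRMED = min(CONFIRMED)

# Matches the quoted string printed by `java -version`, e.g. java version "1.4.2_05-b04"
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_jre_version(text):
    """Return (major, minor, micro, update) or None if no version string is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def triage(text):
    """Classify one `java -version` line against the advisory's version data."""
    v = parse_jre_version(text)
    if v is None:
        return "unparsed"
    if v in CONFIRMED:
        return "confirmed"        # listed under IV. DETECTION
    if v < FIRST_CONFIRMED:
        return "suspected"        # "earlier versions" are suspected vulnerable
    if v[:3] != FIXED[:3]:
        return "not-covered"      # the advisory says nothing about other release lines
    # Assumption: 1.4.2 builds below _06 that the advisory does not list still need the fix.
    return "fixed" if v >= FIXED else "below-fix"


def triage_inventory(lines):
    """Map 'host: <java -version line>' records to a status per host."""
    report = {}
    for line in lines:
        host, _, rest = line.partition(":")
        report[host.strip()] = triage(rest)
    return report


# Constructed sample inventory (hypothetical hosts).
SAMPLE = [
    'ws-01: java version "1.4.2_05"',
    'ws-02: java version "1.4.2_06"',
    'ws-03: java version "1.4.2_04"',
    'ws-04: java version "1.3.1_12"',
    'ws-05: java version "1.5.0"',
    'ws-06: java: command not found',
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:6} {status}")
```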


