Full Disclosure mailing list archives

Re: Java 1.4.2_02 InsecurityManager JVM crash


From: Torsten Lodderstedt <tolo () informatik uni-freiburg de>
Date: Tue, 28 Oct 2003 10:21:42 +0100

Hi Marc,

Either they (Sun) remove the deprecated functions completely or they
introduce permissions which explicitly allow calling deprecated stuff.
An adversary does not care whether the function he uses to interfere
with correct operation is deprecated. Deprecation is not a security feature,
correct and aware coding is.

I agree with you that such deprecated features should be removed. There
are just too many deprecated features in Java that probably confuse people.

But I don't understand your excitement about the bug itself. What's your
point? Ok, you found a way to crash the JVM using native code in the
security manager implementation. But is this really something you can
*exploit*, e.g. to crash (1) a client's web browser or (2) a production
server machine? To exploit the flaw you require the permission to
instantiate a security manager in such an environment.

1) The JVM in a web browser always runs under the control of the Java
security manager. So, what you will get is the following exception:

java.security.AccessControlException: access denied (java.lang.RuntimePermission createSecurityManager)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.<init>(Unknown Source)
    *at InSecurityManager.<init>(InSecurityManager.java:1)*
    *at InSecurityManager.main(InSecurityManager.java:8)*
    at MyApplet.init(MyApplet.java:20)
    at sun.applet.AppletPanel.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

2) Similarly, it is recommended that application servers run under the
control of the security manager (-Djava.security.manager).
For example, WebLogic Server does it automatically. So you will
experience the same reaction as above.

regards,
Torsten.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
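
The check described in the message above, as an added example that is not part of the original post or of the code under discussion: once a security manager is installed, the SecurityManager constructor demands RuntimePermission "createSecurityManager", so code without that grant cannot instantiate a subclass. The class names and the deny-all policy are constructed for illustration, and the program assumes a JDK that still allows installing a security manager at run time.

```java
import java.security.AccessControlException;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

public class CreateSecurityManagerCheck {

    // Hypothetical stand-in for application code that subclasses SecurityManager.
    static class CustomManager extends SecurityManager {
    }

    // Returns "created" when the constructor succeeds, or the denied permission.
    static String tryCreate() {
        try {
            new CustomManager();
            return "created";
        } catch (AccessControlException e) {
            // The constructor's permission check failed; report which permission.
            return "denied: ".concat(String.valueOf(e.getPermission()));
        }
    }

    public static void main(String[] args) {
        // No security manager installed: the constructor performs no check.
        System.out.print("without security manager: ");
        System.out.println(tryCreate());

        // Constructed policy that grants application code nothing through
        // the policy; createSecurityManager is therefore not granted.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return false;
            }
        });
        // Same effect as starting the JVM with -Djava.security.manager.
        System.setSecurityManager(new SecurityManager());

        // Now the constructor calls checkPermission for
        // RuntimePermission("createSecurityManager") and is refused.
        System.out.print("with security manager: ");
        System.out.println(tryCreate());
    }
}
```

A policy that grants `permission java.lang.RuntimePermission "createSecurityManager";` to a code source removes this barrier for that code, so policy files are worth auditing for that grant.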

