Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

[Chris Evans <scarybeasts () gmail com>]

On Wed, Oct 20, 2010 at 2:29 PM, Billy Rios <billy.rios () gmail com> wrote:

> In the patch for CVE-2008-5343 (GIFAR) Sun tightened their file parsing
> rules for remote JAR files, making it harder to smuggle JAR files onto the
> end of other filetypes.  This makes it more difficult to create a GIF+JAR
> hybrid file.  AFAIK, local JAR files were considered out of scope and will
> not be subject to the additional file parsing scrutiny.


Do you have a link to details on how the new parsing heuristic works, and
how "remote" is determined?


> Sun/Oracle has not removed the ability to modify arbitrary HOST headers.

Isn't that what they fixed in response to Roberto's latest report? Roberto,
any idea what was changed?


Cheers
Chris


> So, if an attacker can upload a JAR file to a web app, they will have the
> ability to jump to any domain (virtual hosted or subdomain) that exists on
> the server.  The cookies sent by the applet will be from the domain provided
> in the URL object, however the content returned by the server will be from
> the domain specified in the HOST header.  This can cause havoc for places
> where separation relies on subdomains (like wordpress.com et al.) where
> users have by-design control of content on one subdomain and uses that
> content to target users on a different subdomain.
>
> Java also doesn't respect file extension, content-type, or
> content-disposition returned by the web server making it a bit easier to
> upload JAR files to unsuspecting web apps.
>
>
> BK
>
>
> On Wed, Oct 20, 2010 at 1:18 PM, Chris Evans <scarybeasts () gmail com>wrote:
>
> > On Wed, Oct 20, 2010 at 8:58 AM, Michal Zalewski <lcamtuf () coredump cx>wrote:
> >
> > > > Security-Assessment.com follows responsible disclosure
> > > > and promptly contacted Oracle after discovering
> > > > the issue. Oracle was contacted on August 1,
> > > > 2010.
> > >
> > > My understanding is that Stefano Di Paola of Minded Security reported
> > > this back in April; and further, the feature was a part of reasonably
> > > well-documented functionality of Java pretty much ever since:
> > >
> > > http://download.oracle.com/javase/6/docs/api/java/net/URL.html
> >
> >
> > The Host: header trick was also used back in 2008 in Billy Rios' GIFAR
> > attack -- to get around the fact that Picasa hosts images on a separate
> > domain:
> >
> > http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/
> >
> > The blog post title was "SUN Fixes GIFARs", although it's not immediately
> > obvious to me what was changed or fixed.
> >
> > If anyone knows what was changed back then and/or in this latest release,
> > it would be interesting to see it documented.
> >
> >
> > Cheers
> > Chris
> >
> >
> > > "Two hosts are considered equivalent if both host names can be
> > > resolved into the same IP addresses"
> > >
> > > This was a pretty horrible design, so it's good to see it gone, though.
> > >
> > > /mz
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/