Vulnerability Development mailing list archives
RE: JavaSecurity
From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Wed, 13 Mar 2002 08:42:53 -0600
I actually packaged the classes in java.lang: Jar cvf0 new_rt.jar <dir1> <dir2> <dir3> <dir4> ....... The reason why I am posting here is that I am working on an exploit. I was hoping to see if anyone else has worked on replacing core classes in a package..... with a rogue one. Cheers r. Richard Scott INFORMATION SECURITY Best Buy World Headquarters 7075 Flying Cloud Drive Eden Prairie, MN 55344 USA The views expressed in this email do not represent Best Buy or any of its subsidiaries -----Original Message----- From: Cushing, David [mailto:David.Cushing () hitachisoftware com] Sent: Wednesday, March 13, 2002 8:39 AM To: r s; vuln-dev () securityfocus com Subject: RE: JavaSecurity This might be better suited to a java newsgroup, but... Your prompt is c:\, your CLASSPATH is ../../... That seems incorrect. Did you put a package statement in your rogue class (i,e, package java.lang)? Did you re-package rt.jar or try to use it in "un-jarred" form? Where are rt.jar or the unjarred files? This exception always means the object could not be found. Check your classpath, check your jar files, file permissions, etc. If you're not familiar with how classpath finds classes, check out: http://java.sun.com/j2se/1.4/docs/tooldocs/findingclasses.html HTH, David
-----Original Message----- From: r s [mailto:richard.scott () bestbuy com] Sent: Tuesday, March 12, 2002 2:15 PM To: vuln-dev () securityfocus com Subject: JavaSecurity I am trying to replace a class in Java's runtime rt.jar file. I compiled the rogue class, placed it in the extracted jar file with zero compression. now when I compile code aginst it I get: C:\>javac -classpath ../../.. String.java Error occurred during initialization of VM java/lang/NoClassDefFoundError: java/lang/Object This "exploit" was tailored around what Scott Oaks mentioned in his book JavaSecurity. however, I seem not to be able to exploit it. Any tips?
Current thread:
- JavaSecurity r s (Mar 12)
- <Possible follow-ups>
- RE: JavaSecurity Scott, Richard (Mar 13)
- Re: JavaSecurity KF (Mar 13)
- RE: JavaSecurity Cushing, David (Mar 13)