Vulnerability Development mailing list archives

RE: JavaSecurity


From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Wed, 13 Mar 2002 08:42:53 -0600

I actually packaged the classes in java.lang:

Jar cvf0 new_rt.jar <dir1> <dir2> <dir3> <dir4> .......

The reason why I am posting here is that I am working on an exploit.  I was
hoping to see if anyone else has worked on replacing core classes in a
package..... with a rogue one.

Cheers
r.


Richard Scott
INFORMATION SECURITY
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy
or any of its subsidiaries

 -----Original Message-----
From:   Cushing, David [mailto:David.Cushing () hitachisoftware com] 
Sent:   Wednesday, March 13, 2002 8:39 AM
To:     r s; vuln-dev () securityfocus com
Subject:        RE: JavaSecurity

This might be better suited to a java newsgroup, but...

Your prompt is c:\, your CLASSPATH is ../../...  That seems incorrect.  

Did you put a package statement in your rogue class (i.e., package
java.lang)?

Did you re-package rt.jar or try to use it in "un-jarred" form?

Where are rt.jar or the unjarred files?

This exception always means the object could not be found.  Check your
classpath, check your jar files, file permissions, etc.

If you're not familiar with how classpath finds classes, check out:
http://java.sun.com/j2se/1.4/docs/tooldocs/findingclasses.html

HTH,
David


-----Original Message-----
From: r s [mailto:richard.scott () bestbuy com]
Sent: Tuesday, March 12, 2002 2:15 PM
To: vuln-dev () securityfocus com
Subject: JavaSecurity




I am trying to replace a class in Java's runtime rt.jar file.

I compiled the rogue class, placed it in the extracted jar file with zero compression.

Now when I compile code against it I get:

C:\>javac -classpath ../../.. String.java
Error occurred during initialization of VM
java/lang/NoClassDefFoundError: java/lang/Object

This "exploit" was tailored around what Scott Oaks mentioned in his book JavaSecurity.

However, I seem not to be able to exploit it.

Any tips?
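
Added example, not part of the original thread: from the defender's side, a core class replaced inside rt.jar can be detected by comparing per-entry SHA-256 digests against a baseline taken from a trusted install. Hashing the uncompressed entry content means a re-pack with a different compression setting (as with cvf0) produces no findings, while a swapped class is named exactly. The function names and the sample jars are constructed for illustration.

```python
import hashlib
import io
import zipfile

def entry_digests(jar_bytes):
    """Map each entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {i.filename: hashlib.sha256(jar.read(i)).hexdigest()
                for i in jar.infolist() if not i.is_dir()}

def diff_jar(baseline, jar_bytes):
    """Compare a jar against a trusted {entry name: digest} baseline."""
    current = entry_digests(jar_bytes)
    return {
        "modified": sorted(n for n in current
                           if n in baseline and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }

def build_jar(entries, compression):
    """Build a constructed in-memory jar from {name: bytes} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed placeholder bytes, not real class files.
VENDOR = {"java/lang/Object.class": b"vendor Object",
          "java/lang/String.class": b"vendor String"}
vendor_jar = build_jar(VENDOR, zipfile.ZIP_DEFLATED)
baseline = entry_digests(vendor_jar)

# Same content re-packed uncompressed: archive bytes differ, entries do not.
repacked_jar = build_jar(VENDOR, zipfile.ZIP_STORED)

# One core class replaced and one class added.
tampered_jar = build_jar({**VENDOR,
                          "java/lang/String.class": b"replaced String",
                          "java/lang/Extra.class": b"extra"},
                         zipfile.ZIP_STORED)

if __name__ == "__main__":
    print("repacked:", diff_jar(baseline, repacked_jar))
    print("tampered:", diff_jar(baseline, tampered_jar))
```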



