A java vulnerability

December 1, 2004

This article was contributed by Jake Edge.

A vulnerability recently reported in Sun's Java browser plugin could provide the basis for one of the first cross-platform exploits. The vulnerability allows a malicious program to break out of the Java security sandbox and perform any action that the browser user has permission to do. That could include destructive filesystem changes, network access, sending email, etc. A user with a Java-enabled browser would only need to visit a website that has been crafted to exploit this vulnerability and would fall victim to whatever the malware author intended.

The Java sandbox is intended to restrict Java applets so that they can only access certain approved packages in the Java virtual machine, packages that do not access anything outside of the sandbox. The exploit works by using JavaScript to acquire a reference to packages outside of the approved list and then passing that reference to an applet, subverting the sandbox. Disabling either JavaScript or the Java plugin in the browser will protect users until they can upgrade.
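The package-access gate described above, shown in an added example (not code from the article or from Sun): with a SecurityManager installed, asking the class loader for a class in a package listed in the `package.access` security property is refused, which is the check that never runs when JavaScript hands an applet a reference it has already obtained. The class name `PackageAccessDemo` is an assumption, and the program needs a JDK that still supports the SecurityManager (run it as `java -Djava.security.manager PackageAccessDemo`).

```java
import java.security.Security;

// Added example: demonstrates the package-access check the Java sandbox
// applies when code asks the application class loader for a restricted class.
public class PackageAccessDemo {

    // Returns true when the SecurityManager refuses to load the named class.
    // A missing class is reported as "not blocked" so that a typo in the
    // name is not mistaken for sandbox enforcement.
    static boolean isBlocked(String className) {
        try {
            Class.forName(className);
            return false;
        } catch (SecurityException e) {   // AccessControlException is a subclass
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // The packages untrusted code may not touch; "sun." (or "sun.misc.")
        // is on this list in every JDK's default java.security file.
        System.out.println("package.access = " + Security.getProperty("package.access"));
        System.out.println("SecurityManager installed: "
                + (System.getSecurityManager() != null));

        // An approved package loads; a restricted one is refused only while a
        // manager is installed. Without -Djava.security.manager both print false,
        // which is the state an applet is in once it holds a smuggled reference.
        System.out.println("java.lang.String blocked? " + isBlocked("java.lang.String"));
        System.out.println("sun.misc.Unsafe  blocked? " + isBlocked("sun.misc.Unsafe"));
    }
}
```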

The vulnerability was discovered by Jouko Pynnonen in April, was fixed by Sun in October and was announced last week. Java plugin versions 1.4.2_04 and 1.4.2_05 (and presumably earlier versions as well) were found to be vulnerable on both Linux and Windows. Sun has released version 1.4.2_06 that fixes the problem. For a company that touts the security features of its Java technology, as Sun does, 5-6 months between discovery and a fix for a critical security hole seems overly long.

This vulnerability is very different from others we have seen because it exploits a problem in a technology that is specifically focused on cross-platform support. The same Java Runtime Environment (JRE) code base runs on most modern operating systems and underlies the Java support in most browsers. A significant security breakdown in the JRE affects the vast majority of Java-enabled browsers in the world, including Firefox, Mozilla, and Internet Explorer. According to this posting on the Full Disclosure mailing list, Opera allows access to the restricted packages in the default security configuration and no exploit is needed to subvert the sandbox.

There are additional concerns for Netscape and IE users because applets can request particular versions of the plugin and, if that version is still installed, the browser will use it. In some cases, if the version is not installed, the user will be prompted to download and install it. This could allow a malware author to ensure that his code is running on a vulnerable JRE.

Due to Sun licensing constraints, free and open source browsers and operating systems cannot bundle the JRE and cannot do an automatic security update of the JRE. Proprietary OS and browser vendors are in the same boat unless they have licensed the JRE from Sun. The end result is that most users will need to get the updated JRE from Sun directly. As many users are not particularly diligent about seeking out security upgrades, this could leave a significant number of systems unpatched and provide an opportunity for some kind of malware to exploit this hole.


Brief items

Defaced

Somebody managed to deface SCO's web site (running on Apache and Linux, incidentally) over the weekend. For those who have to see it, images have been posted at Netcraft and The Inquirer. This crack may be good for a quick smile, but attacks of this nature are not the way to defeat SCO. Look for the inevitable "see how Linux users behave" press release in the near future.


New vulnerabilities

a2ps: input validation error

Package(s): a2ps    CVE #(s): CAN-2004-1170 CAN-2004-1377
Created: November 26, 2004    Updated: December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Fedora-Legacy FLSA:152870 a2ps 2005-12-17
Mandriva MDKSA-2005:097 a2ps 2005-06-07
OpenPKG OpenPKG-SA-2005.003 a2ps 2005-01-17
Gentoo 200501-02 a2ps 2005-01-04
Debian DSA-612-1 a2ps 2004-12-20
Mandrake MDKSA-2004:140 a2ps 2004-11-25


nfs-utils: denial of service

Package(s): nfs-utils    CVE #(s): CAN-2004-1014
Created: December 1, 2004    Updated: May 15, 2005
Description: The NFS statd server contains a denial of service vulnerability which is easily exploited by a remote attacker.
Fedora-Legacy FLSA:152871 nfs-utils 2005-05-12
Red Hat RHSA-2004:583-01 nfs-utils 2004-12-20
Gentoo 200412-08 nfs-utils 2004-12-14
Trustix TSLSA-2004-0065 nfs-utils 2004-01-09
Debian DSA-606-1 nfs-utils 2004-12-08
Mandrake MDKSA-2004:146 nfs-utils 2004-12-06
Ubuntu USN-36-1 nfs-utils 2004-12-01


Open DC Hub: remote code execution

Package(s): opendchub    CVE #(s):
Created: November 29, 2004    Updated: December 1, 2004
Description: Donato Ferrante discovered a buffer overflow vulnerability in the RedirectAll command of the Open DC Hub. Upon exploitation, a remote user with administrative privileges can execute arbitrary code on the system running the Open DC Hub. See this advisory.
Gentoo 200411-37 opendchub 2004-11-28


phpbb: input sanitizing

Package(s): phpbb    CVE #(s):
Created: December 1, 2004    Updated: December 1, 2004
Description: phpBB fails to sanitize input properly; this vulnerability may be exploited by a remote attacker to execute arbitrary code. Version 2.0.11 contains the fix.
Gentoo 200411-32 phpbb 2004-11-24


phpMyAdmin: cross-site scripting

Package(s): phpMyAdmin    CVE #(s): CAN-2004-1055
Created: November 29, 2004    Updated: December 1, 2004
Description: Cedric Cochin has discovered multiple cross-site scripting vulnerabilities in phpMyAdmin. These vulnerabilities can be exploited through the PmaAbsoluteUri parameter, the zero_rows parameter in read_dump.php, the confirm form, or an error message generated by the internal phpMyAdmin parser. By sending a specially-crafted request, an attacker can inject and execute malicious script code, potentially compromising the victim's browser.
Gentoo 200411-36 phpmyadmin 2004-11-27


phpWebSite: HTTP response splitting

Package(s): phpWebSite    CVE #(s):
Created: November 26, 2004    Updated: December 1, 2004
Description: phpWebSite is vulnerable to HTTP response splitting attacks. A malicious user could inject arbitrary response data, leading to content spoofing, web cache poisoning and other cross-site scripting or HTTP response splitting attacks.
Gentoo 200411-35:02 phpwebsite 2004-11-26


sun-jre: Java plugin vulnerability

Package(s): sun-jre    CVE #(s): CAN-2004-1029
Created: November 26, 2004    Updated: December 1, 2004
Description: Jouko Pynnonen reported a vulnerability in the plugin mechanism which allows remote attackers to bypass the Java sandbox through the use of javascript.
Gentoo 200411-38 sun-jdk 2004-11-29
Conectiva CLA-2004:900 sun-jre 2004-11-26


TWiki: input sanitizing

Package(s): twiki    CVE #(s): CAN-2004-1037
Created: December 1, 2004    Updated: December 1, 2004
Description: The TWiki search function does not properly sanitize input, enabling a remote attacker to execute arbitrary commands.
Gentoo 200411-33 twiki 2004-11-24


yardradius: buffer overflow

Package(s): yardradius    CVE #(s): CAN-2004-0987
Created: November 26, 2004    Updated: December 1, 2004
Description: Max Vozeler noticed that yardradius, the YARD radius authentication and accounting server, contained a stack overflow similar to the one from radiusd which is referenced as CAN-2001-0534. This could lead to the execution of arbitrary code as root.
Debian DSA-598-1 yardradius 2004-11-25


Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds