23rd Nov 2002 [SBWID-5836]
COMMAND
Multiple Java Virtual Machine implementation failures lead to remote
compromise
SYSTEMS AFFECTED
JDK 1.1.x, 1.2.x, 1.3
MSIE 4.0, 4.01, 5.0, 6.0
Netscape 4.x
(At LEAST)
PROBLEM
Editor's note
=============
This white paper is an absolute "must-read". It clearly explains how
the security "sandbox" mechanism may be bypassed due to implementation
flaws.
A two-year-long audit effort of Java by The Last Stage of Delirium
research group [http://lsd-pl.net] is now available to the public:
http://lsd-pl.net/java_security.html
We would like to inform you about several security vulnerabilities in
Java Virtual Machine implementations that we have found during our
research. These vulnerabilities affect at least JVMs used in Netscape
Communicator and Microsoft Internet Explorer web browsers. Below you
can find their brief descriptions:
[1] - JIT bug
(it affects Netscape Communicator 4.0-4.8 on Win32/x86 platform)
Its successful exploitation allows for complete circumvention of the
Java type safety rules. As a result of this, applet sandbox restrictions
can also be escaped and malicious actions can be taken on the computer
of the victim user.
[2] - Bytecode Verifier vulnerability
(it affects Microsoft Internet Explorer 4.0-6.0 including VM build 3805)
Its successful exploitation allows for complete circumvention of the
Java type safety rules. As a result of this, applet sandbox restrictions
can also be escaped and malicious actions can be taken on the computer
of the victim user.
[3] - Bytecode Verifier vulnerability
(it affects SUN JDK 1.1-1.4, Netscape Communicator 4.0-4.8 on Win32
and Unix systems)
Its successful exploitation allows gaining read and write access to the
local file system. It also allows bypassing applet sandbox restrictions
with regard to network access (socket, bind, listen, accept and connect
calls). On the Win32 platform, this vulnerability can be exploited in
such a way that complete circumvention of the Java type safety rules can
be done. As a result of this, applet sandbox restrictions can also be
escaped and malicious actions can be taken on the computer of the victim
user.
Although this vulnerability also affects JDK 1.x from SUN, we haven't
found a way to successfully exploit it under Netscape 6.x and
Appletviewer.
[4] - Bad implementation of system classes
(it affects Netscape Communicator 4.0-4.8 on Win32 and Unix systems)
It allows for arbitrary loads of user provided libraries. When combined
with the previous Bytecode Verifier vulnerability it can be used to
deploy and execute arbitrary programs on the computer of the victim user.
More details with regard to each of the above vulnerabilities can be
found in our technical paper that can be downloaded from our website:
http://lsd-pl.net/java_security.html
This paper was published for the first time on October 3rd 2002. It was
presented during our talk at the Asia Black Hat Briefings conference in
Singapore. Along with the paper, we also plan to release proof of
concept codes for all of the vulnerabilities that are discussed in it.
But this will be done in about 1 week's time from now.
Update (12 February 2003)
=========================
The LSD Research Group has released some sample code; check:
http://lsd-pl.net/
SOLUTION
On September 2nd we notified JVM vendors (SUN, Microsoft and Netscape)
about the vulnerabilities that we have found. Along with that we
provided them with a pre-release copy of our paper. Up to this time we
have not received ANY response from either Microsoft or Netscape with
regard to the reported issues (vendors were given 30 days' time to
prepare patches). Only SUN replied to our notification and informed us
that proper patches would be prepared for these issues.
We can understand why there was no response from Netscape, since the
three vulnerabilities [1], [3] and [4] affecting the Netscape web
browser were submitted to the Netscape Bug Bounty program, which
entitles the finder of a security bug in Netscape Communicator to
1000 USD. Netscape seems to be another American company that does not
seem to be fulfilling public obligations made through the company's web
pages (http://home.netscape.com/security/bugbounty.html). While we were
waiting for Netscape's response to our vulnerability report, Netscape
changed(!) the Reward Guidelines of the Bug Bounty program so that now
only bugs in Netscape 7.x are rewarded (previously both the latest 6.x
and 4.8 versions were taken into account). Nice move, huh?
Netscape cannot, of course, beat Argus Systems, who after 18 months still
have not paid us the remaining 45000 USD of the prize money won by us
during the 5th Argus Hacking Challenge (please see
http://lsd-pl.net/argus.html for more information on this subject).