Quote
Covert Channels allow Cross-Site-Java in Microsoft VM
Hi y'all,

I have not found the contact address for Microsoft JVM security issues, therefore maybe someone who reads bugtraq can forward this:

In the Microsoft VM for Java, 5.0 Release 5.0.0.3810, the implementation of some core system classes allows one to create covert channels between applets that are loaded from different websites (aka cross-site Java). As these applets share a common class loader for the system classes, all public static (non-final) fields can be used to create a covert channel in accordance with the sandbox restrictions and exchange cross-site information. This may be used for security zone violation and general data leakage.

When you load the two applets:

A: http://www.tauwerkkunst.de/javatest/SiteA/CovAppletFNMap.html

and

B: http://www.beauchamp.de/tauwerk/javatest/SiteA/CovAppletFNMap.html

you can use the commands

PUT/Key/Value to create an entry in the shared hashtable of the applets
GET/Key to read an entry in the shared hashtable of the applets

'Key' and 'Value' are string values.

So if you enter PUT/TopScorer/Makaay in the lower textbox and press "Perform Action", and then switch to applet B, which has an identical look, and enter 'GET/TopScorer' and "Perform Action", you will be prompted with 'Makaay', which is information that should only be known to applet A.

I think this is a major violation of sandbox constraints.

Sincerely
Marc

P.S.: Read some more Java stuff at www.illegalaccess.org
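The root cause Marc describes is mutable static state reachable by every class that shares a class loader. The following reflective audit is an added example, not code from the post or from the Microsoft VM: it scans a set of classes for public static fields that would let mutually distrusting code exchange data. `LeakySystemClass` is a constructed stand-in for the kind of core class the post refers to, and the immutability heuristic (primitives and `String` only) is deliberately coarse.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

/** Audits classes for static fields that code sharing one class loader could use as a covert channel. */
public class SharedStaticAudit {

    // Constructed stand-in for a "system" class; not a real JVM class.
    public static class LeakySystemClass {
        public static String lastValue;                                          // writable by anyone: covert channel
        public static final Hashtable<String, String> REGISTRY = new Hashtable<>(); // final reference, mutable contents
        public static final int VERSION = 1;                                     // immutable primitive: harmless
        private static String internal;                                          // not reachable from other code
    }

    /** Returns one "Class.field: reason" line per static field that shares mutable state across callers. */
    public static List<String> audit(Class<?>... classes) {
        List<String> findings = new ArrayList<>();
        for (Class<?> c : classes) {
            for (Field f : c.getDeclaredFields()) {
                int m = f.getModifiers();
                // Only static state reachable from arbitrary (sandboxed) callers matters here.
                if (!Modifier.isStatic(m) || !Modifier.isPublic(m)) {
                    continue;
                }
                String name = c.getSimpleName() + "." + f.getName();
                Class<?> type = f.getType();
                if (!Modifier.isFinal(m)) {
                    findings.add(name + ": public static non-final field is writable by any caller");
                } else if (!type.isPrimitive() && type != String.class) {
                    // A final reference to a mutable object (Hashtable, array, ...) still shares state.
                    findings.add(name + ": public static final reference to mutable type " + type.getSimpleName());
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Expected: two findings, for lastValue and REGISTRY; VERSION and internal are not reported.
        for (String finding : audit(LeakySystemClass.class)) {
            System.out.println(finding);
        }
    }
}
```

Run against a JDK's core packages, the same check highlights the fields a class-loader-sharing design must make private, final and immutable, or guard with a permission check, before untrusted code from different origins is allowed into one VM.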
Source: http://seclists.org/...4/Jul/0105.html