Back to list
Java XSLT security advisory addendum
Aug 08 2004 11:12PM
Marc Schoenefeld (schonef uni-muenster de)
-----BEGIN PGP SIGNED MESSAGE-----
Illegalaccess.org security advisory addendum
Public Advisory released:
August 2, 2004
August 9, 2004
In all versions of JDK 1.4.x a vulnerability
exists that allows to juggle XSLT processing classes
inside the JVM that enable entities to sniff
XML data that is processed with the XSLT processor anywhere
is the same JVM.
We called this technique "XML sniffing" and is
based on covert channels. The paper "Antipatterns in
JDK security and refactorings" presented at
DIMVA 2004 (Dortmund, Germany, 7th of July 2004) shows
the general principle of covert channels between
distinct java protection domains.
In addition to the Sun Advisory all boundaries between
java protection domains can be traversed by XML sniffing.
The threat is NOT LIMITED TO APPLETS, so in a web server
environment an unprivileged
servlet may inject hook code in the XSLT processor management
data structures that sniffs the XML data which is processed
by the XSLT processor throughout the whole tomcat or j2ee server
and finally passes it back to the injector class.
As well may an unprivileged application started by Java
Webstart sniff XML data loaded from a signed application, when
executing XSLT operations. This should be taken into account
when processing confident data with JDK 1.4 based software.
Short: Any unprivileged class in the JVM may sniff all
XML passing through the XSLT processor.
Details & Exploit:
A detailed description of the framework that allows detection
of those covert channels and PoC code that demonstrates the
flaw in detail will be included in an upcoming paper, and in
my upcoming PhD thesis at Bamberg university. So be sure
to preorder a signed copy of the thesis:-)
Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous
Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (AIX)
-----END PGP SIGNATURE-----
[ reply ]
Copyright 2010, SecurityFocus