BugTraq
Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Oct 19 2010 11:18AM
Roberto Suggi Liverani (roberto suggi security-assessment com) (2 replies)

( , ) (,
. `.' ) ('. ',
). , ('. ( ) (
(_,) .`), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y /______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_='`"``=.

presents..

Oracle JRE - java.net.URLConnection class â??
Same-of-Origin (SOP) Policy Bypass

PDF: http://www.security-assessment.com/files/advisories/Oracle_JRE_java_net_
urlconnection_SOP_Bypass.pdf
CVE Identifier: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3573

+-----------+
|Description|
+-----------+

Security-Assessment.com discovered that a Java Applet
making use of java.net.URLConnection class can be used
to bypass same-of-origin (SOP) policy and domain based
security controls in modern browsers when communication
occurs between two domains that resolve to the same IP
address. This advisory includes a Proof-of-Concept
(PoC) demo and a Java Applet source code, which
demonstrates how this security can be exploited to leak
cookie information to an unauthorised domain, which
resides on the same host IP address.

+------------+
|Exploitation|
+------------+

The Flash movie demo can be viewed at the following
link:

http://www.security-assessment.com/files/advisories/java_net_urlconnecti
on_sop_bypass_demo.swf

Proof of Concept (PoC) in demo demonstrates that a
Cross Site Request Forgery (XSRF) attack can be leveraged
by using a Java Applet which implements the
java.net.URLConnection class. Traditionally, XSRF is used
to force a user to perform an unwanted action on a target
web site. In this case, the PoC shows that XSRF can be
used to capture sensitive information such as cookie
associated to a target web site.

The following assumptions are made in this PoC:

1. Virtual hosts www.targetsite.net and
www.badsite.com resolve to the same IP address;

2. Malicious user controls www.badsite.com web site;

3. Malicious user targets www.targetsite.net users.

The following list summarises the sequence of actions
shown in the demo:

1. User has a valid cookie for www.targetsite.net

2. The same user visits www.badsite.com which performs
a cross site forged request to www.targetsite.net .
The forged request is performed by a Java Applet
embedded on the malicious site. The Java Applet
bypasses the Same-of-Origin policy as an unsigned Java
Applet should not be able to communicate
from www.badsite.com to www.targetsite.net without
a crossdomain.xml policy file.

3. Java Applet performs first GET request to
www.targetsite.net. At this stage, the Java Applet
controls the Cookie: header sent to www.targetsite.net
through the getRequestProperty("cookie") method.
This is in breach with SOP.

4. A second request is done for the purpose
of the demo which leaks www.targetsite.net
cookieâ??s to www.badsite.com via an HTTP GET
request.

Testing was successfully performed using Java(TM)
SE Runtime Environment (build 1.6.0_21-b07) and the
following browsers:

- Mozilla Firefox 3.5.8 (Windows XP)
- Opera 10.60 (Windows XP)
- Internet Explorer 6.0.2900.5512 (Windows XP)
- Google Chrome 5.0.375.9 (Windows XP)
- Internet Explorer 8.0.6001.18702 (Windows XP)
- Safari 5.0 (7533.16) (Windows XP)

The Java Applet source code used in the demo can be
downloaded at the following link:

http://www.security-assessment.com/files/advisories/MaliciousJavaApplet.
zip

+--------+
|Solution|
+--------+

Security-Assessment.com follows responsible disclosure
and promptly contacted Oracle after discovering
the issue. Oracle was contacted on August 1,
2010.

Oracle has created a fix for this vulnerability which
has been included as part of Critical Patch Update
Advisory - October 2010. Security-Assessment.com
recommends all users of JRE and JDK to upgrade to
the latest version as soon as possible.

For more information on the new release of JRE/JDK
please refer to the link:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

+------+
|Credit|
+------+

Discovered and advised to Oracle
August 2010 by Roberto Suggi Liverani of
Security-Assessment.com.

Personal site: http://malerisch.net

+-----+
|Extra|
+-----+

Another interesting attack was discovered as part
of the research on this vulnerability.
This attack is another example of leveraging XSRF
with the potential of leaking cookie, basic and digest
authentication tokens using Java Applet and the
"Compability with older browser" feature in
Apache Web Server.

For a PDF version of this research please follow the link below:

http://www.security-assessment.com/files/whitepapers/Leveraging_XSRF_wit
h_Apache_Web_Server_Compatibility_with_older_browser_feature_and_Java_Ap
plet.pdf

+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+

Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.

Roberto Suggi Liverani

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus