Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Sun Java Plugin arbitrary package access vulnerability
From: "Rob Carmichael" <robc () globalvc co uk>
Date: Tue, 23 Nov 2004 12:59:30 -0000


So is the built in 'update' feature in the JVM, however the link mentioned
in the advisory works fine.


----- Original Message ----- 
From: "Randal, Phil" <prandal () herefordshire gov uk>
To: <full-disclosure () netsys com>
Sent: Tuesday, November 23, 2004 11:50 AM
Subject: RE: [Full-disclosure] Sun Java Plugin arbitrary package access

FYI,  www.java.com is still dishing out 1.4.2_05


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of
Jouko Pynnonen
Sent: 23 November 2004 01:40
To: full-disclosure () netsys com
Subject: [Full-disclosure] Sun Java Plugin arbitrary package
access vulnerability


Sun Microsystem's Java Plugin connects the Java technology to
web browsers and allows the use of Java Applets. Java Plugin
technology is available for numerous platforms and supports
major web browsers.

A vulnerability in Java Plugin allows an attacker to create
an Applet which can disable Java's security restrictions and
break out of the Java sandbox. The attack can be launched
when a victim views a web page created by the attacker.
Further user interaction is not required as Java Applets are
normally loaded and started automatically.

Such Applet can then take any action which the user could:
browse, read, or modify files, upload more programs to the
victim system and run them, or send out data from the system.
Java is a cross-platform language so the same exploit could
run on various OS'es and architectures.


There is a number of private Java packages in the Java VM,
meant to be used only by the VM internally. Java Applets
can't normally access these packages because of security
concerns. Attempting to access them normally results in an

The problem is that JavaScript code can bypass the access
control by using so called reflection API. The following
piece of example JavaScript acquires a reference to a
supposedly restricted, private class "sun.text.Utility":

 [script language=javascript]
 var c=document.applets[0].getClass().forName('sun.text.Utility');
 alert('got Class object: '+c)

This isn't possible by a normal Java Applet, and shouldn't be
for JavaScript either. The JavaScript code could now
instantiate the class or pass it to an Applet that could use it.

An attacker can't do much with the utility class in this
example, but could use other private classes to exploit the
vulnerability. Some of them allow e.g. direct access to
memory or methods for modifying private fields of Java
objects. The latter allows an attacker to simply turn off the
Java security manager, after which there is no sandbox
restricting what the Applet can do.


The Java Plugin versions 1.4.2_04 and 1.4.2_05 were tested on
Windows and Linux. Web browsers tested were Microsoft
Internet Explorer, Mozilla Firefox and Opera. It should be
noted that Opera uses a different way of connecting
JavaScript and Java which caused the test exploit not to work
on Opera. However the problem itself (access to private
packages) was demonstrated on Opera too, so it may be
vulnerable to a variation of the exploit.


Sun Microsystems was informed on April 29, 2004 and has fixed
the problem in J2SE 1.4.2_06, available at



The vulnerability was discovered and researched by Jouko
Pynnonen, Finland.

Jouko Pynnönen          Web: http://iki.fi/jouko/
jouko () iki fi

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]