Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Rumours about Opera
From: Marc Schoenefeld <schonef () uni-muenster de>
Date: Thu, 25 Nov 2004 22:22:34 +0100 (MEZ)

Hash: SHA1

Hi y'all,

to clear some rumours about Opera 7.54:

The opera guys use their own binding from javascript to java, which does not
conform to the java plug-in. Moreover they expliclity allowed access to the
sun.* packages in the default security configuration, so there is no need
for a magic exploit.  I reported that misery to opera on the 1st of
september, so they should be aware of their java problems.

Remember that java 1.4.2_04 (and less) driven applets also allow covert
channels between applets from different sites. This is exploitable by a
second order attack where a shared public variable in the XSLT processor can
be used by a passive attacker. He is able to inject a piece of sleeping java
code in the JVM which gets executed when the XSLT processor is invoked.
There is an Sun advisory out there that came out in august, that warns
about the issue.

Java 1.4.2_05 also has a vulnerability in the serialization APIs (used by
RMI) that allows to overload a remote JVM [and drive uptime loads
to the 100s]. I reported that to Sun on the 11th of April.
It is fixed in 1.4.2_06, too.

P.S.: Have phun with java, but maybe you should consider
python for productivity.
[http://www.ferg.org/projects/python_java_side-by-side.html , great
stuff steven!]

marc schoenefeld

On Thu, 25 Nov 2004, Alla Bezroutchko wrote:

Date: Thu, 25 Nov 2004 11:33:03 +0100
From: Alla Bezroutchko <alla () scanit be>
To: bugtraq () securityfocus com, full-disclosure () lists netsys com
Subject: Re: Sun Java Plugin arbitrary package access vulnerability

Jouko Pynnonen wrote:

A vulnerability in Java Plugin allows an attacker to create an Applet
which can disable Java's security restrictions and break out of the
Java sandbox.


The Java Plugin versions 1.4.2_04 and 1.4.2_05 were tested on Windows
and Linux. Web browsers tested were Microsoft Internet Explorer,
Mozilla Firefox and Opera. It should be noted that Opera uses a
different way of connecting JavaScript and Java which caused the test
exploit not to work on Opera. However the problem itself (access to
private packages) was demonstrated on Opera too, so it may be
vulnerable to a variation of the exploit.

As noted by rodmoses(at)yahoo(dot)com Opera remains vulnerable even
after the upgrade of JVM to version 1.4.2_06. (tested on Windows XP SP2,
Opera 7.54, J2SE 1.4.2_06).

According to Jouko, Opera does not use Java plugin, but has its own
interface to Java. The fact that the problem is still present after JVM
upgrade probably means that there is an independent  bug in Opera Java
interface which has the same effect as the bug in Sun Java Plugin.

AFAIK there is no fix for Opera yet. I have reported this bug to Opera
through their web interface (bug-158156).

There is an online test for this bug at Browser Security Test
(http://bcheck.scanit.be/bcheck/). Go to
http://bcheck.scanit.be/bcheck/choosetests.php if you only want to run
the test for this particular bug.


- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
Version: GnuPG v1.2.6 (AIX)


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]