Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
From: Chris Evans <scarybeasts () gmail com>
Date: Wed, 20 Oct 2010 14:49:44 -0700

On Wed, Oct 20, 2010 at 2:29 PM, Billy Rios <billy.rios () gmail com> wrote:

In the patch for CVE-2008-5343 (GIFAR) Sun tightened their file parsing
rules for remote JAR files, making it harder to smuggle JAR files onto the
end of other filetypes.  This makes it more difficult to create a GIF+JAR
hybrid file.  AFAIK, local JAR files were considered out of scope and will
not be subject to the additional file parsing scrutiny.

Do you have a link to details on how the new parsing heuristic works, and
how "remote" is determined?

Sun/Oracle has not removed the ability to modify arbitrary HOST headers.

Isn't that what they fixed in response to Roberto's latest report? Roberto,
any idea what was changed?


So, if an attacker can upload a JAR file to a web app, they will have the
ability to jump to any domain (virtual hosted or subdomain) that exists on
the server.  The cookies sent by the applet will be from the domain provided
in the URL object, however the content returned by the server will be from
the domain specified in the HOST header.  This can cause havoc for places
where separation relies on subdomains (like wordpress.com et al.) where
users have by-design control of content on one subdomain and uses that
content to target users on a different subdomain.

Java also doesn't respect file extension, content-type, or
content-disposition returned by the web server making it a bit easier to
upload JAR files to unsuspecting web apps.


On Wed, Oct 20, 2010 at 1:18 PM, Chris Evans <scarybeasts () gmail com>wrote:

On Wed, Oct 20, 2010 at 8:58 AM, Michal Zalewski <lcamtuf () coredump cx>wrote:

Security-Assessment.com follows responsible disclosure
and promptly contacted Oracle after discovering
the issue. Oracle was contacted on August 1,

My understanding is that Stefano Di Paola of Minded Security reported
this back in April; and further, the feature was a part of reasonably
well-documented functionality of Java pretty much ever since:


The Host: header trick was also used back in 2008 in Billy Rios' GIFAR
attack -- to get around the fact that Picasa hosts images on a separate


The blog post title was "SUN Fixes GIFARs", although it's not immediately
obvious to me what was changed or fixed.

If anyone knows what was changed back then and/or in this latest release,
it would be interesting to see it documented.


"Two hosts are considered equivalent if both host names can be
resolved into the same IP addresses"

This was a pretty horrible design, so it's good to see it gone, though.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]