Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
From: Stefano Di Paola <wisec () wisec it>
Date: Wed, 20 Oct 2010 12:54:18 +0200

Hi Roberto,
nice to see you always alive and kicking!

It seems we found the same stuff :) my bad I haven't yet published it.

Soon also my advisory with some collateral effect^N^N^N^N^N^Nthoughts.

Cheers
Stefano


Il giorno mer, 20/10/2010 alle 00.20 +1300, Roberto Suggi Liverani ha
scritto:
(    , )     (,
  .   `.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .`), ) _ _,
 /  _____/  / _  \    ____  ____   _____  
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \ 
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq 
                    (x.0)
                  '=.|w|.='
                  _='`"``=.

              presents..

Oracle JRE - java.net.URLConnection class – 
Same-of-Origin (SOP) Policy Bypass

PDF: http://www.security-assessment.com/files/advisories/Oracle_JRE_java_net_urlconnection_SOP_Bypass.pdf
CVE Identifier: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3573


+-----------+
|Description|
+-----------+

Security-Assessment.com discovered that a Java Applet 
making use of java.net.URLConnection class can be used 
to bypass same-of-origin (SOP) policy and domain based 
security controls in modern browsers when communication 
occurs between two domains that resolve to the same IP 
address. This advisory includes a Proof-of-Concept 
(PoC) demo and a Java Applet source code, which 
demonstrates how this security can be exploited to leak 
cookie information to an unauthorised domain, which 
resides on the same host IP address.

+------------+
|Exploitation|
+------------+

The Flash movie demo can be viewed at the following 
link:

http://www.security-assessment.com/files/advisories/java_net_urlconnection_sop_bypass_demo.swf

Proof of Concept (PoC) in demo demonstrates that a 
Cross Site Request Forgery (XSRF) attack can be leveraged 
by using a Java Applet which implements the 
java.net.URLConnection class. Traditionally, XSRF is used 
to force a user to perform an unwanted action on a target 
web site. In this case, the PoC shows that XSRF can be 
used to capture sensitive information such as cookie 
associated to a target web site.

The following assumptions are made in this PoC:

1. Virtual hosts www.targetsite.net and 
www.badsite.com resolve to the same IP address;

2. Malicious user controls www.badsite.com web site;

3. Malicious user targets www.targetsite.net users.

The following list summarises the sequence of actions 
shown in the demo:


1. User has a valid cookie for www.targetsite.net

2. The same user visits www.badsite.com which performs 
a cross site forged request to www.targetsite.net . 
The forged request is performed by a Java Applet 
embedded on the malicious site. The Java Applet 
bypasses the Same-of-Origin policy as an unsigned Java 
Applet should not be able to communicate 
from www.badsite.com to www.targetsite.net without 
a crossdomain.xml policy file.

3. Java Applet performs first GET request to 
www.targetsite.net. At this stage, the Java Applet 
controls the Cookie: header sent to www.targetsite.net
through the getRequestProperty("cookie") method.
This is in breach with SOP.

4. A second request is done for the purpose 
of the demo which leaks www.targetsite.net 
cookie’s to www.badsite.com via an HTTP GET 
request.


Testing was successfully performed using Java(TM) 
SE Runtime Environment (build 1.6.0_21-b07) and the 
following browsers:

- Mozilla Firefox 3.5.8 (Windows XP)
- Opera 10.60 (Windows XP)
- Internet Explorer 6.0.2900.5512 (Windows XP)
- Google Chrome 5.0.375.9 (Windows XP)
- Internet Explorer 8.0.6001.18702 (Windows XP)
- Safari 5.0 (7533.16) (Windows XP)

The Java Applet source code used in the demo can be 
downloaded at the following link:

http://www.security-assessment.com/files/advisories/MaliciousJavaApplet.zip

+--------+
|Solution|
+--------+

Security-Assessment.com follows responsible disclosure
and promptly contacted Oracle after discovering
the issue. Oracle was contacted on August 1,
2010.

Oracle has created a fix for this vulnerability which 
has been included as part of Critical Patch Update 
Advisory - October 2010. Security-Assessment.com 
recommends all users of JRE and JDK to upgrade to 
the latest version as soon as possible. 

For more information on the new release of JRE/JDK 
please refer to the link:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

+------+
|Credit|
+------+

Discovered and advised to Oracle
August 2010 by Roberto Suggi Liverani of 
Security-Assessment.com.

Personal site: http://malerisch.net

+-----+
|Extra|
+-----+

Another interesting attack was discovered as part 
of the research on this vulnerability.
This attack is another example of leveraging XSRF 
with the potential of leaking cookie, basic and digest
authentication tokens using Java Applet and the 
"Compability with older browser" feature in 
Apache Web Server.

For a PDF version of this research please follow the link below:

http://www.security-assessment.com/files/whitepapers/Leveraging_XSRF_with_Apache_Web_Server_Compatibility_with_older_browser_feature_and_Java_Applet.pdf


+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+

Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.

Roberto Suggi Liverani

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]