Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: [Full-disclosure] Re: [Owasp-dotnet] Re: 4 Questions: Latest IEvulnerability, Firefox vs IE security, Uservs Admin risk profile,and browsers coded in100% Managed Verifiable code

Re: [Full-disclosure] Re: [Owasp-dotnet] Re: 4 Questions: Latest IEvulnerability, Firefox vs IE security, Uservs Admin risk profile,and browsers coded in100% Managed Verifiable code

From: <michaelslists_at_gmail.com>
Date: Wed, 29 Mar 2006 15:23:36 +1100

I just tried a few ways and couldn't figure anything out;

It doesn't seem like you can modify a java.lang Class from outside the
package (even unverified) and I also couldn't get my class _inside_
java.lang.

Maybe BCEL can get further ... or maybe I missed something.

-- Michael

On 3/29/06, michaelslists_at_gmail.com <michaelslists_at_gmail.com> wrote:
> I wonder if you could disable the default security manager with unverified code.
>
> Probably.
>
> Hmm.
>
> -- Michael
>
>
> On 3/29/06, Jeff Williams <jeff.williams_at_aspectsecurity.com> wrote:
> > > Jeff, as you can see by Stephen de Vries's response on this thread,
> > > you are wrong in your assumption that most Java code (since 1.2)
> > > must go through the Verifier (this is what I was sure it was
> > > happening since I remembered reading that most Java code executed
> > > in real-world applications is not verified)
> >
> > Wow. I ran some tests too, and Stephen is absolutely right. It appears
> > that Sun quietly turned off verification by default for bytecode loaded from
> > the local disk (not applets). They've apparently
> > (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4030988), acknowledged
> > that it is a bug, and said that it will not be fixed. The change had
> > something to do with compatibility with old bytecode. More details
> > (http://www.cafeaulait.org/reports/accessviolations.html)
> >
> > This is a clear violation of the JVM Spec. And (regardless of protestation
> > to the contrary) it IS a big security problem. Just because bytecode is
> > loaded from the local disk does not mean it's trustworthy. Every
> > application uses lots of libraries that developers download from the
> > Internet (as compiled jar files) and loaded from the local disk. Unless you
> > run with "java -verify" that code won't get verified.
> >
> > I'm sure that the percentage of applications that are running with both
> > verification and sandbox is terrifyingly small. Probably only applets and
> > maybe Java Web Start applications. As I mentioned before some of the J2EE
> > servers are now enabling a sandbox, but their security policies are
> > generally wide open.
> >
> > I think there are two relatively easy things we can do here. First, let's
> > find out what plans Sun has for the new verifier -- we should strongly
> > encourage them to turn it on by default. Second, we can work on ways to
> > encourage people to use sandboxes -- tools, articles, and awareness.
> >
> > --Jeff

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
Received on Mar 29 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]