Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: [SC-L] By default, the Verifier is disabled on .Net and Java

Re: [SC-L] By default, the Verifier is disabled on .Net and Java

From: Stephen de Vries <stephen_at_corsaire.com>
Date: Thu, 11 May 2006 15:47:47 +0700

Stephen de Vries wrote:
>
> With application servers such as Tomcat, WebLogic etc, I think we have a
> special case in that they don't run with the verifier enabled - yet they
> appear to be safe from type confusion attacks. (If you check the
> startup scripts, there's no mention of running with -verify).

OK.

> The difference between the app servers and a regular compiled Java app
> is that the servers load code dynamically and use reflection to access
> fields and methods, so the app servers have no static knowledge of the
> types defined in user code.

Apologies for the above incorrect statement. App servers _do_ have
knowledge of the static type since they define the base classes in the
servlet and other API's.

> The IllegalAccessError is generated when you try and access a private
> method through the reflection API - and since the type checking is done
> dynamically, it would be difficult (impossible?) to perform a type
> confusion attack on code that isn't statically typed. Code below
> illustrates reflection access control in a simple app.

So, I'll rephrase this as: The Tomcat error looks suspiciously like a
reflection access control error, but it could be down to the type
checking done through the dynamic class loading - and not necessarily
the reflection API.

>
>
> package classloader;
>
> import java.lang.reflect.Method;
> import somepackage.MyData;
>
> public class Main {
>
> public Main() {
> }
>
> public static void main(String[] args) {
> try {
>
> Class myClass = MyData.class;
> Object obj = myClass.newInstance();
> Method m = myClass.getDeclaredMethod("getName", new Class[] {});
> System.out.println(m.invoke(obj, new Object[] {}).toString());
> } catch (Exception e) {
> e.printStackTrace();
> }
> }
>
> }
>
> package somepackage;
>
> public class MyData {
> private String name;
>
> public MyData() {
> name = "No one can read me";
> }
>
> private String getName() {
> return name;
> }
> }
>
> Executing the app produces:
>
> java.lang.IllegalAccessException: Class classloader.Main can not access
> a member of class somepackage.MyData with modifiers "private"
> at sun.reflect.Reflection.ensureMemberAccess(Reflection.java:65)
> at java.lang.reflect.Method.invoke(Method.java:578)
> at classloader.Main.main(Main.java:41)
>
>
> 

-- 
Stephen de Vries
Corsaire Ltd
E-mail: stephen_at_corsaire.com
Tel:	+44 1483 226014
Fax: 	+44 1483 226068
Web: 	http://www.corsaire.com
-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web 
application security assessments should be considered a crucial phase in 
the development of any web application. What methodology should be 
followed? What tools can accelerate the assessment process? 
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h
--------------------------------------------------------------------------
Received on May 11 2006
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos