Sun Java Runtime Environment Remote XSLT Privilege Escalation Vulnerability

Vulnerability ID: 1182679    Vulnerability type: Permissions, privileges and access control
Published: 2009-06-02    Updated: 2009-06-02
CVE ID: CVE-2004-2764    CNNVD ID: CNNVD-200906-021
Platform: N/A    CVSS score: 10.0
|Vulnerability source
https://cxsecurity.com/issue/WLB-2009060096
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200906-021
|Vulnerability details
Sun SDK and Java Runtime Environment (JRE) 1.4.2 through 1.4.2_04, 1.4.1 through 1.4.1_07, and 1.4.0 through 1.4.0_04 allow untrusted applets and unprivileged servlets to gain privileges and read data from other applets by means of unspecified vectors related to the hierarchy in the XSLT processor (also known as "XML sniffing").
|Exploit (EXP)
============================================
Illegalaccess.org security advisory addendum
============================================

Vendor informed:
April, 2004

Public Advisory released:
August 2, 2004

Today:
August 9,  2004

URL:
http://www.illegalaccess.org

Original advisory:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57613

Threat:
In all versions of JDK 1.4.x a vulnerability
exists that allows juggling XSLT processing classes
inside the JVM, enabling entities to sniff
XML data that is processed with the XSLT processor anywhere
in the same JVM.
We called this technique "XML sniffing"; it is
based on covert channels. The paper "Antipatterns in
JDK security and refactorings" presented at
DIMVA 2004 (Dortmund, Germany, 7th of July 2004) shows
the general principle of covert channels between
distinct Java protection domains.

Scope:
In addition to the Sun Advisory, all boundaries between
Java protection domains can be traversed by XML sniffing.
The threat is NOT LIMITED TO APPLETS, so in a web server
environment an unprivileged
servlet may inject hook code into the XSLT processor management
data structures that sniffs the XML data which is processed
by the XSLT processor throughout the whole Tomcat or J2EE server
and finally passes it back to the injector class.
An unprivileged application started by Java
Webstart may likewise sniff XML data loaded from a signed application when
executing XSLT operations. This should be taken into account
when processing confidential data with JDK 1.4 based software.
Short: Any unprivileged class in the JVM may sniff all
XML passing through the XSLT processor.

Details & Exploit:
A detailed description of the framework that allows detection
of those covert channels and PoC code that demonstrates the
flaw in detail will be included in an upcoming paper, and in
my upcoming PhD thesis at Bamberg university. So be sure
to preorder a signed copy of the thesis:-)

Sincerely
Marc Schoenefeld

--

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
|References

Source: XF
Name: sun-xslt-applet-gain-privileges (16864)
Link: http://xforce.iss.net/xforce/xfdb/16864
Source: BID
Name: 10844
Link: http://www.securityfocus.com/bid/10844
Source: BUGTRAQ
Name: 20040808 Java XSLT security advisory addendum
Link: http://www.securityfocus.com/archive/1/371208
Source: OSVDB
Name: 8288
Link: http://www.osvdb.org/8288
Source: SECTRACK
Name: 1011661
Link: http://securitytracker.com/id?1011661
Source: SECUNIA
Name: 12206
Link: http://secunia.com/advisories/12206
Source: HP
Name: HPSBUX01087
Link: http://groups.google.com/group/comp.security.unix/tree/browse_frm/month/2004-10/fe63f1daa9689d50?rnum=161&_done=%2Fgroup%2Fcomp.security.unix%2Fbrowse_frm%2Fmonth%2F2004-10%3Ffwc%3D1%26#doc_29036353582c690d
Source: SUNALERT
Name: 57613
Link: http://archive.cert.uni-stuttgart.de/uniras/2004/08/msg00007.html