Java XSLT security advisory addendum

2004-08-10T00:00:00
ID SECURITYVULNS:DOC:6593
Type securityvulns
Reporter Securityvulns
Modified 2004-08-10T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

============================================ Illegalaccess.org security advisory addendum ============================================

Vendor informed: April, 2004

Public Advisory released: August 2, 2004

Today: August 9, 2004

URL: http://www.illegalaccess.org

Original advisory: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57613

Threat: In all versions of JDK 1.4.x a vulnerability exists that allows to juggle XSLT processing classes inside the JVM that enable entities to sniff XML data that is processed with the XSLT processor anywhere is the same JVM. We called this technique "XML sniffing" and is based on covert channels. The paper "Antipatterns in JDK security and refactorings" presented at DIMVA 2004 (Dortmund, Germany, 7th of July 2004) shows the general principle of covert channels between distinct java protection domains.

Scope: In addition to the Sun Advisory all boundaries between java protection domains can be traversed by XML sniffing. The threat is NOT LIMITED TO APPLETS, so in a web server environment an unprivileged servlet may inject hook code in the XSLT processor management data structures that sniffs the XML data which is processed by the XSLT processor throughout the whole tomcat or j2ee server and finally passes it back to the injector class. As well may an unprivileged application started by Java Webstart sniff XML data loaded from a signed application, when executing XSLT operations. This should be taken into account when processing confident data with JDK 1.4 based software. Short: Any unprivileged class in the JVM may sniff all XML passing through the XSLT processor.

Details & Exploit: A detailed description of the framework that allows detection of those covert channels and PoC code that demonstrates the flaw in detail will be included in an upcoming paper, and in my upcoming PhD thesis at Bamberg university. So be sure to preorder a signed copy of the thesis:-)

Sincerely Marc Schoenefeld


Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (AIX)

iD8DBQFBFrN9qCaQvrKNUNQRAn+VAJwI72zwrvZEiDGrjxrKKAHFC9KMrACbB8ch mofWFyw0U4ImrPgZb4kk3bY= =0ZEy -----END PGP SIGNATURE-----