Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24974
HistoryOct 24, 2010 - 12:00 a.m.

Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

2010-10-2400:00:00
vulners.com
30

( , ) (,
. `.' ) ('. ',
). , ('. ( ) (
(,) .`), ) _ ,
/ _/ / _ \ ____ ____ _____
\
\==/ /
\ \ / \/ _ \ / \
/ \/ | \\ \
( <
> ) Y Y \
/
____ /\| / \__ >___/|__|| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_='`"``=.

            presents..

Oracle JRE - java.net.URLConnection class –
Same-of-Origin (SOP) Policy Bypass

PDF: http://www.security-assessment.com/files/advisories/Oracle_JRE_java_net_urlconnection_SOP_Bypass.pdf
CVE Identifier: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3573

±----------+
|Description|
±----------+

Security-Assessment.com discovered that a Java Applet
making use of java.net.URLConnection class can be used
to bypass same-of-origin (SOP) policy and domain based
security controls in modern browsers when communication
occurs between two domains that resolve to the same IP
address. This advisory includes a Proof-of-Concept
(PoC) demo and a Java Applet source code, which
demonstrates how this security can be exploited to leak
cookie information to an unauthorised domain, which
resides on the same host IP address.

±-----------+
|Exploitation|
±-----------+

The Flash movie demo can be viewed at the following
link:

http://www.security-assessment.com/files/advisories/java_net_urlconnection_sop_bypass_demo.swf

Proof of Concept (PoC) in demo demonstrates that a
Cross Site Request Forgery (XSRF) attack can be leveraged
by using a Java Applet which implements the
java.net.URLConnection class. Traditionally, XSRF is used
to force a user to perform an unwanted action on a target
web site. In this case, the PoC shows that XSRF can be
used to capture sensitive information such as cookie
associated to a target web site.

The following assumptions are made in this PoC:

  1. Virtual hosts www.targetsite.net and
    www.badsite.com resolve to the same IP address;

  2. Malicious user controls www.badsite.com web site;

  3. Malicious user targets www.targetsite.net users.

The following list summarises the sequence of actions
shown in the demo:

  1. User has a valid cookie for www.targetsite.net

  2. The same user visits www.badsite.com which performs
    a cross site forged request to www.targetsite.net .
    The forged request is performed by a Java Applet
    embedded on the malicious site. The Java Applet
    bypasses the Same-of-Origin policy as an unsigned Java
    Applet should not be able to communicate
    from www.badsite.com to www.targetsite.net without
    a crossdomain.xml policy file.

  3. Java Applet performs first GET request to
    www.targetsite.net. At this stage, the Java Applet
    controls the Cookie: header sent to www.targetsite.net
    through the getRequestProperty("cookie") method.
    This is in breach with SOP.

  4. A second request is done for the purpose
    of the demo which leaks www.targetsite.net
    cookie’s to www.badsite.com via an HTTP GET
    request.

Testing was successfully performed using Java(TM)
SE Runtime Environment (build 1.6.0_21-b07) and the
following browsers:

  • Mozilla Firefox 3.5.8 (Windows XP)
  • Opera 10.60 (Windows XP)
  • Internet Explorer 6.0.2900.5512 (Windows XP)
  • Google Chrome 5.0.375.9 (Windows XP)
  • Internet Explorer 8.0.6001.18702 (Windows XP)
  • Safari 5.0 (7533.16) (Windows XP)

The Java Applet source code used in the demo can be
downloaded at the following link:

http://www.security-assessment.com/files/advisories/MaliciousJavaApplet.zip

±-------+
|Solution|
±-------+

Security-Assessment.com follows responsible disclosure
and promptly contacted Oracle after discovering
the issue. Oracle was contacted on August 1,
2010.

Oracle has created a fix for this vulnerability which
has been included as part of Critical Patch Update
Advisory - October 2010. Security-Assessment.com
recommends all users of JRE and JDK to upgrade to
the latest version as soon as possible.

For more information on the new release of JRE/JDK
please refer to the link:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

±-----+
|Credit|
±-----+

Discovered and advised to Oracle
August 2010 by Roberto Suggi Liverani of
Security-Assessment.com.

Personal site: http://malerisch.net

±----+
|Extra|
±----+

Another interesting attack was discovered as part
of the research on this vulnerability.
This attack is another example of leveraging XSRF
with the potential of leaking cookie, basic and digest
authentication tokens using Java Applet and the
"Compability with older browser" feature in
Apache Web Server.

For a PDF version of this research please follow the link below:

http://www.security-assessment.com/files/whitepapers/Leveraging_XSRF_with_Apache_Web_Server_Compatibility_with_older_browser_feature_and_Java_Applet.pdf

±----------------------------+
|About Security-Assessment.com|
±----------------------------+

Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.

Roberto Suggi Liverani