Nytro Posted July 21, 2013

[SE-2012-01] New Reflection API affected by a known 10+ years old attack

From: Security Explorations <contact () security-explorations com>
Date: Thu, 18 Jul 2013 06:50:30 +0200

Hello All,

We discovered yet another indication that the new Reflection API introduced into Java SE 7 was not subject to a thorough security review (if any).

A new vulnerability (Issue 69) that was submitted to Oracle today makes it possible to implement a very classic attack against the Java VM. What is particularly interesting is that the attack itself has been in the public knowledge for at least 10+ years [1]. It's one of those risks one should protect against in the first place when new features are added to Java at the core VM level. It is all the more surprising to discover that the Reflection API introduced to Java SE 7 didn't implement proper protection against this attack.

Our Proof of Concept code for Issue 69 was confirmed to work with flying colors under Java SE 7 Update 25 (1.7.0_25-b16) and below. The code allows a violation of a fundamental feature of Java VM security - the safety of its type system. As a result, a complete and reliable Java security sandbox bypass can be gained on a vulnerable instance of Oracle's Java SE software.

Oracle's blog post published on May 30, 2013 [2] implies that maintaining the security-worthiness of Java has been Oracle's priority following the acquisition of Sun Microsystems. Oracle's VP goes even further by indicating that "acquired product lines [such as Java SE] were required to conform to Oracle policies and procedures, including those comprising Oracle Software Security Assurance" [3].

If Oracle had any Software Security Assurance procedures adopted for Java SE, most simple Reflection API flaws, along with a known, 10+ years old attack, should have been eliminated prior to the Java SE 7 release. This didn't happen, thus it is reasonable to assume that Oracle's security policies and procedures are either not worth much or their implementation is far from perfect. That thought alone should catch the attention of Oracle customers not necessarily relying on Java SE, but rather on other Oracle products, which were likely subject to the very same, questionable Software Security Assurance policies and procedures as Java SE 7.

--

As for other things, we released technical details and Proof of Concept code for a previously reported security vulnerability (Issue 61) that got fixed by Oracle's Java SE CPU in Jun 2013:

http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf
http://www.security-explorations.com/materials/se-2012-01-61.zip

We also released technical details and Proof of Concept code for several (9 in total) IBM Java flaws that were addressed by the company in early Jul 2013:

http://www.security-explorations.com/materials/SE-2012-01-IBM-2.pdf
http://www.security-explorations.com/materials/se-2012-01-62-68.zip

The above includes details of trivially broken fixes for vulnerabilities reported to IBM in Sep 2012 (Issues 35-37 and 49). One of the issues is also a nice illustration of the "allowed behavior" (Issue 54) for Java VM implementations other than Oracle's.

Finally, we published information (and some comment) about CVE numbers assigned by Oracle to vulnerabilities reported by Security Explorations as part of the SE-2012-01 project:

http://www.security-explorations.com/materials/SE-2012-01-CVE_Map.pdf

Thank you.

Best Regards
Adam Gowdiak

---------------------------------------------
Security Explorations
"We bring security research to the new level"
---------------------------------------------

References:
[1] Java and Java VM security vulnerabilities and their exploitation techniques, Last Stage of Delirium Research Group, Welcome to LSD-PLaNET
[2] Maintaining the security-worthiness of Java is Oracle's priority, https://blogs.oracle.com/security/entry/maintaining_the_security_worthiness_of
[3] Oracle Software Security Assurance, Importance of Software Security Assurance

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [Full-Disclosure] Mailing List Charter
Hosted and sponsored by Secunia

Source: Full Disclosure: [SE-2012-01] New Reflection API affected by a known 10+ years old attack