Security Vulnerability Notice



Similar documents
Security Vulnerability Notice

Fuse MQ Enterprise Broker Administration Tutorials

Google App Engine Java security sandbox bypasses

Open Source Used In Cisco Instant Connect for ios Devices 4.9(1)

FILEMAKER PRO ADVANCED SOFTWARE LICENSE

Java Virtual Machine, JVM

SOFTWARE HOSTING AND SERVICES AGREEMENT

SOFTWARE HOSTING AND SERVICES AGREEMENT PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SERVICES OR WEBSITE. The SuiteCRM website (hereinafter

1. GRANT OF LICENSE. Acunetix Ltd. grants you the following rights provided that you comply with all terms and conditions of this EULA:

LET S ENCRYPT SUBSCRIBER AGREEMENT

FME SOFTWARE LICENSE AGREEMENT

Third Party Software Used In PLEK500 (Utility for Win) v1.x.xx.xxx

Oracle Binary Code License Agreement for the Java SE Platform Products and JavaFX

Application Programming Interface (API) Application (app) - The API app is the connector between epages and the developers service.

BlackBerry Professional Software For Microsoft Exchange Compatibility Matrix January 30, 2009

Mayfair EULA for Journal Office

System Center Virtual Machine Manager 2012 R2 Plug-In. Feature Description

CITRIX SYSTEMS, INC. SOFTWARE LICENSE AGREEMENT

SAMPLE RETURN POLICY

Jozii LLC WEBSITE TERMS OF SERVICE

Log Insight Manager. Deployment Guide

REPAIRING THE "ORACLE VM VIRTUALBOX" VIRTUAL MACHINE PROGRAM

Terms of Use The Human Face of Big Data Website

Checking Access to Protected Members in the Java Virtual Machine

BlackBerry Business Cloud Services. Version: Release Notes

Dennemeyer & Associates Terms and Conditions for Trademark Clearinghouse Services

Release Notes. BlackBerry Web Services. Version 12.1

Collaboration Agreement

ZIMPERIUM, INC. END USER LICENSE TERMS

LET S ENCRYPT SUBSCRIBER AGREEMENT

Pervasive Software Inc. Pervasive PSQL v11 Insurance License Agreement

GitLab.com Terms GITLAB.COM TERMS

Compatibility Matrix March 05, 2010

Spotlight Management Pack for SCOM

Self Help Guides. Setup Exchange with Outlook

SUBSCRIPTION SERVICES.

MAGNAVIEW SOFTWARE SUPPORT & MAINTENANCE. TERMS & CONDITIONS September 3, 2015 version

TERMS AND CONDITIONS

formerly Help Desk Authority Quest Free Network Tools User Manual

Mobile Banking Service Agreement (Addendum to your Primary Online Banking Service Agreement)

MERCHANT SERVICES and LICENSE AGREEMENT License Grant. FDMS' Rights. Term. New Services.

Ethical Hacking and Countermeasures Training Program. Page 1. EC-Council

RELEASE NOTES TABLE OF CONTENTS: SOFTWARE OVERVIEW DESCRIPTION OF GENEMAPPER ID-X SOFTWARE HOTFIX_

Open Source Used In Cisco D9865 Satellite Receiver Software Version 2.20

BACKUPPRO TERMS OF USE AND END USER LICENSE AGREEMENT

BNSync User License Agreement

GEO Sticky DNS. GEO Sticky DNS. Feature Description

BlackBerry IT Policy Manager Research In Motion

BROCADE COMMUNICATIONS SYSTEMS, INC. END USER SOFTWARE LICENSE AGREEMENT FOR BROCADE IP ANALYTICS PACK FOR VMWARE VREALIZE OPERATIONS

Object Level Authentication

END USER LICENSE AGREEMENT

Self Help Guides. Create a New User in a Domain

RSA Two Factor Authentication. Feature Description

MICROSOFT COMMERCIAL TERMS OF USE FOR WINDOWS 10 IoT CORE RUNTIME IMAGE

Oracle Solaris Studio Code Analyzer

End User License Agreement Easygenerator

Activelock Customer Management 1.0

How To Use Merrimack Web Site

Port Following. Port Following. Feature Description

For Use of Source Code Developed By The Florida Department of Transportation

Installing the Shrew Soft VPN Client

TERMS and CONDITIONS OF USE - NextSTEPS TM

Compatibility Matrix. BlackBerry Enterprise Server for Microsoft Exchange. Version 5.0.4

PLEASE READ THESE TERMS AND CONDITIONS OF USE CAREFULLY. THESE TERMS AND CONDITIONS MAY HAVE CHANGED SINCE USER S LAST VISIT TO THIS SITE.

.uk Registration Agreement

B. Terms of Agreement; Google Terms of Service; Conflicting Provisions

Evoqua Water Technologies LLC. ( Evoqua )

OpenDJ LDAP SDK Release Notes

Release Notes for Version

NetSuite End User License Agreement for Mobile Applications

Hyper V Windows 2012 and 8. Virtual LoadMaster for Microsoft Hyper V on Windows Server 2012, 2012 R2 and Windows 8. Installation Guide

BlackBerry Enterprise Server Express. Version: 5.0 Service Pack: 4. Update Guide

1. GRANT OF LICENSE. Formdocs LLC grants you the following rights provided that you comply with all terms and conditions of this EULA:

PointCentral Subscription Agreement v.9.2

RSA Two Factor Authentication

GlaxoSmithKline Single Sign On Portal for ClearView and Campaign Tracker - Terms of Use

PeopleSoft Red Paper Series. E-Learning. By: Gregory Sandford, Benjamin Harr, Leo Popov May 2006

TECHILA INTERCONNECT END-USER GUIDE

R&S TSMW Radio Network Analyzer Open Source Acknowledgment

Pulse Redundancy. User Guide

WE RECOMMEND THAT YOU PRINT OUT AND KEEP A COPY OF THIS AGREEMENT FOR YOUR FUTURE REFERENCE.

Compatibility Matrix BES10. April 27, Version 10.2 and later

BlackBerry Enterprise Server Resource Kit BlackBerry Analysis, Monitoring, and Troubleshooting Tools Version: 5.0 Service Pack: 2.

Dell Spotlight on Active Directory Server Health Wizard Configuration Guide

VATSIM USER AGREEMENT

MySeoNetwork Reseller Agreement -Revised June 2, (800) ; (410)

Simple DCP Terms of Service

BlackBerry Enterprise Server Express for IBM Domino. October 7, 2014 Version: 5.0 Service Pack: 4. Compatibility Matrix

HTTP Client Installation Guide Version 9

BlackBerry Enterprise Server Wireless Software Upgrades Version: 4.1 Service Pack: 7. Administration Guide

RSA Data Security, Inc. Portions derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm.

BlackBerry Mobile Conferencing

HYBRID SOLUTIONS INDEPENDENT SOFTWARE VENDOR AGREEMENT

Sun Microsystems, Inc. ("Sun") ENTITLEMENT for SOFTWARE. Licensee/Company: Entity receiving Software.

Java and Java Virtual Machine Security

Transcription:

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in Java SE, Issue 54]

DISCLAIMER INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW NEITHER SECURITY EXPLORATIONS, ITS LICENSORS OR AFFILIATES, NOR THE COPYRIGHT HOLDERS MAKE ANY REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR THAT THE INFORMATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS, OR OTHER RIGHTS. THERE IS NO WARRANTY BY SECURITY EXPLORATIONS OR BY ANY OTHER PARTY THAT THE INFORMATION CONTAINED IN THE THIS DOCUMENT WILL MEET YOUR REQUIREMENTS OR THAT IT WILL BE ERROR-FREE. YOU ASSUME ALL RESPONSIBILITY AND RISK FOR THE SELECTION AND USE OF THE INFORMATION TO ACHIEVE YOUR INTENDED RESULTS AND FOR THE INSTALLATION, USE, AND RESULTS OBTAINED FROM IT. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL SECURITY EXPLORATIONS, ITS EMPLOYEES OR LICENSORS OR AFFILIATES BE LIABLE FOR ANY LOST PROFITS, REVENUE, SALES, DATA, OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, PROPERTY DAMAGE, PERSONAL INJURY, INTERRUPTION OF BUSINESS, LOSS OF BUSINESS INFORMATION, OR FOR ANY SPECIAL, DIRECT, INDIRECT, INCIDENTAL, ECONOMIC, COVER, PUNITIVE, SPECIAL, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND WHETHER ARISING UNDER CONTRACT, TORT, NEGLIGENCE, OR OTHER THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS DOCUMENT, EVEN IF SECURITY EXPLORATIONS OR ITS LICENSORS OR AFFILIATES ARE ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS PUBLICATION COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS.

VULNERABILITY DETAILS Security Explorations discovered a security vulnerability in Java SE Platform, Standard Edition. A table below, presents its technical summary: ISSUE TECHNICAL DETAILS # 54 origin java.lang.invoke.methodhandles cause The lack of security checks in a family of MethodHandle resolving methods impact Access to protected members of arbitrary classes type partial security bypass vulnerability Issue 54 stems from the fact that certain MethodHandle lookup methods (resolvevirtual, resolvestatic, etc.) of java.lang.invoke.methodhandles class do not invoke the checksecuritymanager method during target class member resolution process. This is clearly visible when arbitrary find and resolve methods corresponding to a given MethodHandle lookup operation are compared as in the case of findvirtual and resolvevirtual methods denoted below: public MethodHandle findvirtual(class class1, String s, MethodType methodtype) throws NoSuchMethodException, IllegalAccessException { MemberName membername = resolveorfail(class1, s, methodtype, false); checksecuritymanager(class1, membername); this call is missing below Class class2 = findboundcallerclass(membername); return accessvirtual(class1, membername, class2); private MethodHandle resolvevirtual(class class1, String s, MethodType methodtype) throws NoSuchMethodException, IllegalAccessException { MemberName membername = resolveorfail(class1, s, methodtype, false); return accessvirtual(class1, membername, lookupclass); The above indicates the lack of a security check in resolvevirtual method. Although, this method is private and is not invoked by any publicly available API method, it may be still called by the Java VM during Class file parsing. This is in particular done whenever MethodHandle entries are encountered in a target Class file s ConstantPool. For the purpose of our Proof of Concept code we generate a specially crafted MyCL class file containing a MethodHandle reference to defineclass method of java.lang.classloader class in its ConstantPool. A dump of the resulting file is provided below: public class MyCL extends java.lang.classloader SourceFile: "MyCL.java" minor version: 0 major version: 51 flags: ACC_PUBLIC, ACC_SUPER Constant pool: #1 = Methodref #5.#16 // java/lang/classloader."<init>":()v #2 = Methodref #5.#17 // java/lang/classloader.defineclass:(ljava/lang/string;[biiljava/security/protectiond omain;)ljava/lang/class;

#3 = String #10 // dummy #4 = Class #18 // MyCL #5 = Class #19 // java/lang/classloader #6 = Utf8 <init> #7 = Utf8 ()V #8 = Utf8 Code #9 = Utf8 LineNumberTable #10 = Utf8 dummy #11 = Utf8 (Ljava/lang/String;[BIILjava/security/ProtectionDomain;)V #12 = Utf8 get_defineclass_mh #13 = Utf8 ()Ljava/lang/Object; #14 = Utf8 SourceFile #15 = Utf8 MyCL.java #16 = NameAndType #6:#7 // "<init>":()v #17 = NameAndType #20:#21 // defineclass:(ljava/lang/string;[biiljava/security/protectiondomain;)ljava/lang/clas s; #18 = Utf8 MyCL #19 = Utf8 java/lang/classloader #20 = Utf8 defineclass #21 = Utf8 (Ljava/lang/String;[BIILjava/security/ProtectionDomain;)Ljava/lang/Class; #22 = MethodHandle #5:#2 // invokevirtual java/lang/classloader.defineclass:(ljava/lang/string;[biiljava/security/protectiond omain;)ljava/lang/class; ConstantPool at index 22 contains the MethodHandle entry which will be successfully resolved with the use of the resolvevirtual method during Class file parsing. This can be accomplished due to the missing security checks in the abovementioned method. IMPACT Described Issue 54 is not sufficient to implement a functional and successful attack code in the environment of Java SE 7. Security Explorations discovered another issue (number 55) affecting Oracle s Java SE 7 that allows to do this. Issues 54 and 55, when combined together can be used to successfully achieve a complete Java security sandbox bypass in a target system. Proof of Concept code illustrating the impact of both vulnerabilities has been successfully tested in the environment of Java SE 7 Update 15 and Java SE 7 Update 17. VENDOR S RESPONSE On Feb 25 2013, Security Explorations sent a vulnerability notice to Oracle containing detailed information about two discovered vulnerabilities (Issues 54 and 55). Along with that, the company was also provided with source and binary codes for a Proof of Concept codes illustrating the impact of both security issues found. On Feb 27, 2013 Oracle provided the results of its assessment and informed that Issue 54 was not treated as a vulnerability as it demonstrated the "allowed behavior". Company s denial of the issue as a security bug was made on the following basis: "obtaining a method handle for a protected method from a superclass is allowed behavior" Security Explorations didn t agree with the above assessment and on the same day provided its counterarguments to Oracle. We indicated that Issue 54 abused the missing security

manager check in resolvevirtual method in order to gain access to method handle objects of certain security sensitive classes such as Class Loaders. In our Proof of Concept code, we were able to access Method Handle object pointing to defineclass method of java.lang.classloader class. Oracle claimed that accessing a protected member such as a Method Handle from a superclass is an allowed behavior. This is not true as demonstrated by the code below: public class MyCL extends ClassLoader { public static void test() { try { MethodHandles.Lookup l=methodhandles.lookup(); System.out.println("lookup: "+l.lookupclass()+"/"+l.lookupmodes()); Class ctab[]=new Class[5]; ctab[0]=java.lang.string.class; ctab[1]=(new byte[0]).getclass(); ctab[2]=integer.type; ctab[3]=integer.type; ctab[4]=java.security.protectiondomain.class; MethodType desc=methodtype.methodtype(java.lang.class.class,ctab); MethodHandle mh=l.findvirtual(java.lang.classloader.class,"defineclass",desc); System.out.println(mh); catch(throwable t) { t.printstacktrace(); The above code does exactly the same thing as a code sequence we use in our Proof of Concept code. The only difference is in the method that gets called at the time of Method Handle resolution (here findvirtual, in our PoC this is resolvevirtual). The above code tries to access a protected member (defineclass Method Handle) from the subclass of the class that declares that member. However, contrary to Oracle s claim such an access is not allowed. It is blocked by the checksecuritymanager method: Security manager = sun.plugin2.applet.awtappletsecuritymanager@c3cae5 lookup: class MyCL/15 java.security.accesscontrolexception: access denied ("java.lang.runtimepermission" "accessdeclaredmembers") at java.security.accesscontrolcontext.checkpermission(unknown Source) at java.security.accesscontroller.checkpermission(unknown Source) at java.lang.securitymanager.checkpermission(unknown Source) at java.lang.securitymanager.checkmemberaccess(unknown Source) at java.lang.invoke.methodhandles$lookup.checksecuritymanager(unknown Source) at java.lang.invoke.methodhandles$lookup.findvirtual(unknown Source) at MyCL.test(MyCL.java:39) at BlackBox.<init>(BlackBox.java:31)... The above result is consistent with Java SE documentation [1] describing Security Manager interactions conducted at the time of member lookup operations:

"If a security manager is present, member lookups are subject to additional checks." "If the retrieved member is not public, smgr.checkmemberaccess(defc,member.declared) is called." We also indicated to Oracle that even partially initialized Class Loader instances are not allowed in Java SE and that core Reflection API does not allow access to protected members of system classes, unless access to declared members is granted. On 05 Mar 2013, Oracle informed us that it was continuing to evaluate Security Explorations' arguments regarding Issue 54. The company provided the following background for its analysis: The rules controlling runtime reflection are different from the resolution of a method handle in a class file constant pool (see [2], [3] for details). The two methods of obtaining method handles (via constant pool and reflection) have different models for when access checks are applied. For the constant pool case, the JVM applies the access control checks that are consistent for all forms of constant pool resolution. If a valid class file can contain an invokespecial (or other invoke instruction) for a method, then a method handle for that method is allowed in the constant pool. In your report #54, there is an invokespecial for: Method java/lang/classloader.defineclass:(ljava/lang/string;[biiljava/security/protectiondomain;)l java/lang/class; in MyCL.class, and thus a method handle for the same method is allowed. If this method were package private or private, the modified class would throw an IncompatibleClassChangeError at load time. While the two systems parallel one another, their behavior is different. What s important to note is that the above background includes arguments for the allowed behavior again. This time this is however done in a context of JVM specification and Constant Pool resolution. On Mar 11 2013, we asked Oracle about the final evaluation of Issue 54. In a response, the company informed us that it was still continuing to evaluate it. As of Mar 18, 2013 we have no information that the company treats the issue as a security vulnerability. FINAL WORDS Security Explorations believes that 3 weeks (from Feb 25 to Mar 18) constitutes enough time for a major software vendor to be able to deliver a final confirmation or denial of a reported security issue. This especially concerns a vendor that has been a subject of a considerable criticism regarding competent and prompt handling of security vulnerabilities in its software. Security Explorations does not agree with Oracle s arguments and reasoning provided so far with respect to Issue 54. A general rule in security is that same circumstances / constraints should lead to consistent (same, not different) security access related decisions. In case of Issue 54, resolving protected members of superclasses should be either always allowed or denied for all code paths available to untrusted code (irrespective whether a member is

resolved with the use of a public API or internally by the Java VM operating on behalf of an untrusted code). Security Explorations is not aware of any other way to obtain a Method Handle to the protected member of java.lang.classloader class that would not be the outcome of a security vulnerability. Security Explorations failed to launch a successful Java security sandbox bypass scenario upon access to defineclass Method Handle obtained with the use of a different vulnerability (Issue 57). That contradicts the claim that Issue 54 is the allowed behavior. It also contradicts an indirect conclusion that Issue 55 is alone sufficient to launch the attack demonstrated to the company. Our tests indicate that Issue 55 can be combined with a Method Handle object obtained with the use of Issue 54 only. If Oracle sticks to the allowed behavior scenario, in order to maintain proper consistency of security checks in Java SE, the company should relax some of security checks present in Reflection API code and apply proper changes to Java SE documentation [1] as well. The alternative is to admit to the fault regarding the evaluation of Issue 54 and begin to treat it as a security vulnerability being the result of inconsistent security design of new Reflection API (no security checks enforced by JVM specification during Method Handles resolution [2][3]). REFERENCES [1] Class MethodHandles.Lookup, Security manager interactions http://docs.oracle.com/javase/7/docs/api/java/lang/invoke/methodhand les.lookup.html#secmgr [2] The Java Virtual Machine Specification, The CONSTANT_MethodHandle_info Structure http://docs.oracle.com/javase/specs/jvms/se7/html/jvms-4.html#jvms- 4.4.8 [3] The Java Virtual Machine Specification, Method Type and Method Handle Resolution http://docs.oracle.com/javase/specs/jvms/se7/html/jvms-5.html#jvms- 5.4.3.5 About Security Explorations Security Explorations (http://www.security-explorations.com) is a security startup company from Poland, providing various services in the area of security and vulnerability research. The company came to life in a result of a true passion of its founder for breaking security of things and analyzing software for security defects. Adam Gowdiak is the company's founder and its CEO. Adam is an experienced Java Virtual Machine hacker, with over 50 security issues uncovered in the Java technology over the recent years. He is also the hacking contest co-winner and the man who has put Microsoft Windows to its knees (vide MS03-026). He was also the first one to present successful and widespread attack against mobile Java platform in 2004.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information