Abstract
------------------------------------------------------------------------
Akamai's Download Manager allows attackers to download arbitrary
files onto a user's desktop. Using a so-called "blended
threat" attack it is possible to execute arbitrary code. This
attack affects the ActiveX control as well as the Java applet.
------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was tested on Akamai Download Manager version 2.2.4.8 using
+-----------+
|Description|
+-----------+
Security-Assessment.com discovered that a Java Applet
making use of the java.net.URLConnection class can be used
to bypass the same-origin policy (SOP) and domain-based
security controls in modern browsers when communication
occurs between two domains that resolve to the same IP
address. This advisory includes a Proof-of-Concept
I came to this result when I was looking into a way of exploiting the
Apache Web Server "Compatibility with older browser feature". A separate
paper has been published here:
http://www.security-assessment.com/files/whitepapers/Leveraging_XSRF_with_Apache_Web_Server_Compatibility_with_older_browser_feature_and_Java_Applet.pdf
Interestingly enough, I got the idea of using a Java Applet to achieve the
attack described above after I bumped into the following from your
browser security handbook
apologies for the delay -- John Heasman
=======
Summary
=======
Name: Untrusted Java applet can connect to localhost
Release Date: 29 October 2007
Reference: NGS00443
Discoverer: John Heasman <john@ngssoftware.com>
Vendor: Sun Microsystems
Systems Affected: JDK and JRE 6 Update 1 and earlier, JDK and JRE 5.0
SEC Consult Vulnerability Lab Security Advisory < 20110810-0 >
=======================================================================
title: Client-side remote file upload & command execution
product: Check Point SSL VPN On-Demand applications (signed
Java applet and ActiveX control)
* SSL Network Extender (SNX)
* SecureWorkSpace
* Endpoint Security On-Demand
supplied by Check Point Connectra or other security
gateways
SEC Consult Security Advisory < 20081016-0 >
========================================================================
title: Remote command execution in Instant Expert
Analysis signed Java applet and signed ActiveX
control
program: Instant Expert Analysis
vendor: Husdawg, LLC
impact: Critical
homepage: http://www.systemrequirementslab.com
found: 2008-04-19
update handles this issue by completely disabling MD2 for certificate
validation in OpenJDK. (CVE-2009-2409)
It was discovered that ICC profiles could be identified with
".." pathnames. If a user were tricked into running a specially
crafted applet, a remote attacker could gain information about a local
system. (CVE-2009-3728)
Peter Vreugdenhil discovered multiple flaws in the processing of graphics
in the AWT library. If a user were tricked into running a specially
crafted applet, a remote attacker could crash the application or run
____________________________________________________________________________
Vendor: Jscape, http://www.jscape.com/
Affected Products: Jscape Secure FTP Applet
http://www.jscape.com/sftpapplet/index.html
Vulnerability: SSH Host key is not verified allowing
man-in-the-middle attacks
Risk: Medium
____________________________________________________________________________
correctly check certain lengths. If an attacker sent a truncated
HMAC, it could bypass authentication, leading to potential privilege
escalation. (CVE-2009-0217)
It was discovered that certain variables could leak information. If a
user were tricked into running a malicious Java applet, a remote attacker
could exploit this to gain access to private information and potentially
run untrusted code. (CVE-2009-2475, CVE-2009-2690)
A flaw was discovered in the OpenType checking. If a user were tricked
into running a malicious Java applet, a remote attacker could bypass
window and when the user clicks the "Start AnyConnect" link, the
process of downloading the Cisco AnyConnect Secure Mobility Client
begins. This action causes the browser to first download a "helper"
application that aids in downloading and executing the actual Cisco
AnyConnect Secure Mobility Client. The helper application is a Java
applet on the Linux and MacOS X platforms, and either a Java applet
on the Windows platform or an ActiveX control if the browser is
capable of utilizing ActiveX controls. The downloaded helper
application is executed in the context of the originating site in the
user's web browser. The helper application then downloads the Cisco
AnyConnect Secure Mobility Client from the VPN headend and executes
-- Vulnerability Details:
This vulnerability allows remote attackers to violate security policies
on vulnerable installations of Sun Java Runtime. User interaction is
required to exploit this vulnerability in that the target must run a
malicious applet.
The specific flaw allows malicious applets to connect to network
addresses other than the originating applet and client IPs. A
handcrafted applet can override compile time checks to prevent
compilation of a mutable InetAddress subclass. This results in the
NSFOCUS Security Advisory (SA2009-02)
IBM DB2 JDBC Applet Server Remote DoS Vulnerability
Release Date: 2009-10-16
CVE ID: CVE-2009-2971
http://www.nsfocus.com/en/advisories/0902.html
____________________________________________________________________________
Vendor: Jscape, http://www.jscape.com/
Affected Products: Jscape Secure FTP Applet
http://www.jscape.com/sftpapplet/index.html
Vulnerability: SSH Host key is not verified allowing for Man in the
Middle attacks
Risk: High
ZDI-08-081: Sun Java Web Start and Applet Multiple Sandbox Bypass
Vulnerabilities
http://www.zerodayinitiative.com/advisories/ZDI-08-081
December 4, 2008
-- Affected Vendors:
Sun Microsystems
-- Affected Products:
Sun Microsystems Java Runtime
A flaw in the Xerces2 as used in OpenJDK allows remote attackers to
cause denial of service via a malformed XML input (CVE-2009-2625).
The audio system does not prevent access to java.lang.System properties
by untrusted applets or Java Web Start applications, which
allows context-dependent attackers to obtain sensitive information
by reading these properties (CVE-2009-2670).
A flaw in the SOCKS proxy implementation allows remote attackers
to discover the user name of the account that invoked either an
Hi all and sorry for cross post,
after several months since I contacted Oracle informing them about ten
issues on Java applet security, they finally released a Java 6 Update
22 which fixes several security issues
In particular the issues are the following, sorted by impact:
* Information Disclosure:
- 17364779 NETWORKINTERFACE HASHCODE PROBLEM
- 17322679 JAVA APPLET DNS IP DISCLOSURE
Machine (JVM) allows remote attackers to cause denial of service
(CVE-2006-2426).
An integer overflow flaw was found in Pulse-Java when handling Pulse
audio source data lines. An attacker could use this flaw to cause an
applet to crash, leading to a denial of service (CVE-2009-0794).
A flaw in Java Runtime Environment-initiated LDAP connections
allows authenticated remote users to cause denial of service on the
LDAP service (CVE-2009-1093).
ProgId: MANAGER.DLMCtrl.1.
File: C:\Windows\Downloaded Program Files\DownloadManagerV2.ocx
The Java version has the following identifiers:
Class: com.akamai.dm.ui.applet.DMApplet.class
JAR: dlm-java-2.2.2.0.jar
This problem specifically exists due to two undocumented object
parameters. By using these parameters, it is possible to cause Download
Manager to automatically download and execute arbitrary binaries from
- Loader-constraint table allows arrays instead of only the base-classes
(CVE-2010-0082).
- Policy/PolicyFile leak dynamic ProtectionDomains. (CVE-2010-0084).
- File TOCTOU deserialization vulnerability (CVE-2010-0085).
- Inflater/Deflater clone issues (CVE-2010-0088).
- Unsigned applet can retrieve the dragged information before drop
action occurs (CVE-2010-0091).
- AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error
(CVE-2010-0092).
- System.arraycopy unable to reference elements beyond
Integer.MAX_VALUE bytes (CVE-2010-0093).
at the beginning of the user's session. (CVE-2009-3555)
It was discovered that Loader-constraint table, Policy/PolicyFile,
Inflater/Deflater, drag/drop access, and deserialization did not correctly
handle certain sensitive objects. If a user were tricked into running a
specially crafted applet, private information could be leaked to a remote
attacker, leading to a loss of privacy. (CVE-2010-0082, CVE-2010-0084,
CVE-2010-0085, CVE-2010-0088, CVE-2010-0091, CVE-2010-0094)
It was discovered that AtomicReferenceArray, System.arraycopy,
InetAddress, and HashAttributeSet did not correctly handle certain
======================================================================
Secunia Research 12/06/2009
- Mozilla Firefox Java Applet Loading Vulnerability -
======================================================================
Table of Contents
Affected Software
ZDI-11-084: Oracle Java Unsigned Applet Applet2ClassLoader Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-084
February 15, 2011
-- CVE ID:
CVE-2010-4452
-- CVSS:
command line options will take precedence over this file.
add -n (No Init) command to RFIDIOtconfig.py - allow modules to run
without hardware
add display of checksum-corrected MRZ to mrpkey.py
add jcop_mifare_access.cap - mifare access applet for JCOP
add jcop_mifare_access.gpsh and target in Makefile for installation of
jcop_mifare_access.cap
add jcopmifare.py test program for JCOP mifare emulation
add display of biometric features on FACE in mrpkey.py
vulnerable installations of Sun's Java Runtime. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page.
The specific flaw exists within the CMM module of the Sun JVM. This
module contains a function readMabCurveData. An applet can indirectly
call this function and provide it with a malicious curv object. The
function trusts the size of the curv element implicitly and copies the
data into a fixed-length stack buffer. Exploitation of this issue can
lead to arbitrary code execution under the context of the user invoking
the applet.
-- Overview --
Sun JRE is described [1] as "the Java APIs, Java Virtual Machine
(HotSpot VM), and other components necessary to run applets and
applications written in the Java programming language".
The software provides a virtualisation layer that allows Java
applications to be run across platforms and operating systems. These
Java applications can be delivered to the JVM via a number of
------------
Basically, the vulnerability comes from a design flaw. There are two
methods for configuring the printer:
1) Via Browser
When requesting the webpage, a Java applet is downloaded and started.
The applet creates a connection to TCP port 5548 on the printer and
receives the configuration in clear text including the current
administration password.
2) Via OKIMFP Network Setup Tool
Impact
======
A remote attacker could entice a user to open a specially crafted JAR
archive, applet, or Java Web Start application, possibly resulting in
the execution of arbitrary code with the privileges of the user running
the application. Furthermore, a remote attacker could cause a Denial of
Service affecting multiple services via several vectors, disclose
information and memory contents, write or execute local files, conduct
session hijacking attacks via GIFAR files, steal cookies, bypass the
* Chris (Matasano Security) reported that Opera may crash if it is
redirected by a malicious page to a specially crafted address
(CVE-2008-4694).
* Nate McFeters reported that Opera runs Java applets in the context
of the local machine, if that applet has been cached and a page can
predict the cache path for that applet and load it from the cache
(CVE-2008-4695).
* Roberto Suggi Liverani (Security-Assessment.com) reported that