applets
Abstract
------------------------------------------------------------------------
Akamai's Download Manager allows attackers to download arbitrary
files onto a user's desktop. Using a so-called "blended
threat" attack it is possible to execute arbitrary code. This
attack affects the ActiveX control as well as the Java applet.
------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was tested on Akamai Download Manager version 2.2.4.8 using
>
> +-----------+
> |Description|
> +-----------+
>
> Security-Assessment.com discovered that a Java Applet
> making use of the java.net.URLConnection class can be used
> to bypass the same-origin policy (SOP) and domain-based
> security controls in modern browsers when communication
> occurs between two domains that resolve to the same IP
> address. This advisory includes a Proof-of-Concept
apologies for the delay -- John Heasman
=======
Summary
=======
Name: Untrusted Java applet can connect to localhost
Release Date: 29 October 2007
Reference: NGS00443
Discoverer: John Heasman <john@ngssoftware.com>
Vendor: Sun Microsystems
Systems Affected: JDK and JRE 6 Update 1 and earlier, JDK and JRE 5.0
implementation of the Java platform. This combines the two previous
openjdk-6 advisories, DSA-2311-1 and DSA-2356-1.
CVE-2011-0862
Integer overflow errors in the JPEG and font parser allow
untrusted code (including applets) to elevate its privileges.
CVE-2011-0864
Hotspot, the just-in-time compiler in OpenJDK, mishandled
certain byte code instructions, allowing untrusted code
(including applets) to crash the virtual machine.
# Tested on: Linux, Windows, Mac OS X x86, Mac OS X PPC, Solaris
# CVE : None, yet
Summary
The No Machine NX Web Companion is a Java applet that allows users to
download and update the No Machine software from a server. The No
Machine software is used to remotely access computers. The NX Web
Companion is usually used by enterprises to easily deploy a cross-platform
client for accessing remote machines.
Security issues were identified and fixed in openjdk (icedtea6)
and icedtea-web:
IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
applications and untrusted Java applets to affect confidentiality
via unknown vectors related to Networking (CVE-2011-3547).
IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
applications and untrusted Java applets to affect confidentiality,
integrity, and availability, related to AWT (CVE-2011-3548).
I came to this result when I was looking into a way of exploiting the
Apache Web Server "Compatibility with older browser feature". A separate
paper has been published here:
http://www.security-assessment.com/files/whitepapers/Leveraging_XSRF_with_Apache_Web_Server_Compatibility_with_older_browser_feature_and_Java_Applet.pdf
Interestingly enough, I got the idea of using a Java Applet to achieve the
attack described above after I bumped into the following from your
browser security handbook
SEC Consult Security Advisory < 20081016-0 >
========================================================================
title: Remote command execution in Instant Expert
Analysis signed Java applet and signed ActiveX
control
program: Instant Expert Analysis
vendor: Husdawg, LLC
impact: Critical
homepage: http://www.systemrequirementslab.com
found: 2008-04-19
SEC Consult Vulnerability Lab Security Advisory < 20110810-0 >
=======================================================================
title: Client-side remote file upload & command execution
product: Check Point SSL VPN On-Demand applications (signed
Java applet and ActiveX control)
* SSL Network Extender (SNX)
* SecureWorkSpace
* Endpoint Security On-Demand
supplied by Check Point Connectra or other security
gateways
SEC Consult Vulnerability Lab Security Advisory < 20111219-0 >
=======================================================================
title: Client-side remote arbitrary file upload
product: SecCommerce SecSigner Java Applet
vulnerable version: 3.5.0 < build 2011/11/12
fixed version: 3.5.0 build
4551E033EB0836D845AF92CA85476821471EFD3F539CDDF89B813F5402FD8C1D
created 2011/11/25
impact: critical
homepage: https://www.seccommerce.de/en/products-en/secsigner.html
SEC Consult Vulnerability Lab Security Advisory < 20111012-0 >
=======================================================================
title: Client-side remote file upload & command execution
product: Microsoft Forefront Unified Access Gateway Remote
Access Agent (signed Java applet)
vulnerable version: 4.0.0.1
fixed version:
CVE number: CVE-2011-1969
impact: critical
homepage:
implementation of the Java SE platform. The Common Vulnerabilities
and Exposures project identifies the following problems:
(CVE-2010-4351).
Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier,
5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote
untrusted Java Web Start applications and untrusted Java applets to
affect integrity via unknown vectors related to Networking. NOTE: the
previous information was obtained from the February 2011 CPU. Oracle
has not commented on claims from a downstream vendor that this issue
involves DNS cache poisoning by untrusted applets. (CVE-2010-4448)
update handles this issue by completely disabling MD2 for certificate
validation in OpenJDK. (CVE-2009-2409)
It was discovered that ICC profiles could be identified with
".." pathnames. If a user were tricked into running a specially
crafted applet, a remote attacker could gain information about a local
system. (CVE-2009-3728)
Peter Vreugdenhil discovered multiple flaws in the processing of graphics
in the AWT library. If a user were tricked into running a specially
crafted applet, a remote attacker could crash the application or run
required domain name.
CVE-2011-3563
The Java Sound component did not properly check for array
boundaries. Malicious input or an untrusted Java application
or applet could use this flaw to cause the Java Virtual Machine to
crash or disclose a portion of its memory.
CVE-2011-5035
The OpenJDK embedded web server did not guard against an
excessive number of request parameters, leading to a denial
ZDI-08-081: Sun Java Web Start and Applet Multiple Sandbox Bypass
Vulnerabilities
http://www.zerodayinitiative.com/advisories/ZDI-08-081
December 4, 2008
-- Affected Vendors:
Sun Microsystems
-- Affected Products:
Sun Microsystems Java Runtime
________________________________________________________________________________
Vendor: Jscape, http://www.jscape.com/
Affected Products: Jscape Secure FTP Applet
http://www.jscape.com/sftpapplet/index.html
Vulnerability: SSH Host key is not verified allowing
man-in-the-middle attacks
Risk: Medium
____________________________________________________________________________
A flaw in Xerces2 as used in OpenJDK allows remote attackers to
cause a denial of service via malformed XML input (CVE-2009-2625).
The audio system does not prevent access to java.lang.System properties
by untrusted applets or Java Web Start applications, which
allows context-dependent attackers to obtain sensitive information
by reading these properties (CVE-2009-2670).
A flaw in the SOCKS proxy implementation allows remote attackers
to discover the user name of the account that invoked either an
* CERT/CC reported a Stack-based buffer overflow in Java Web Start
when using JNLP files (CVE-2008-1196).
* Azul Systems reported an unspecified vulnerability that allows
applets to escalate their privileges (CVE-2007-5689).
* Billy Rios, Dan Boneh, Collin Jackson, Adam Barth, Andrew Bortz,
Weidong Shao, and David Byrne discovered multiple instances where
Java applets or JavaScript programs run within browsers do not pin
DNS hostnames to a single IP address, allowing for DNS rebinding
correctly check certain lengths. If an attacker sent a truncated
HMAC, it could bypass authentication, leading to potential privilege
escalation. (CVE-2009-0217)
It was discovered that certain variables could leak information. If a
user were tricked into running a malicious Java applet, a remote attacker
could exploit this to gain access to private information and potentially
run untrusted code. (CVE-2009-2475, CVE-2009-2690)
A flaw was discovered in the OpenType checking. If a user were tricked
into running a malicious Java applet, a remote attacker could bypass
-- Vulnerability Details:
This vulnerability allows remote attackers to violate security policies
on vulnerable installations of Sun Java Runtime. User interaction is
required to exploit this vulnerability in that the target must run a
malicious applet.
The specific flaw allows malicious applets to connect to network
addresses other than the originating applet and client IPs. A
handcrafted applet can override compile time checks to prevent
compilation of a mutable InetAddress subclass. This results in the
window and when the user clicks the "Start AnyConnect" link, the
process of downloading the Cisco AnyConnect Secure Mobility Client
begins. This action causes the browser to first download a "helper"
application that aids in downloading and executing the actual Cisco
AnyConnect Secure Mobility Client. The helper application is a Java
applet on the Linux and MacOS X platforms, and either a Java applet
on the Windows platform or an ActiveX control if the browser is
capable of utilizing ActiveX controls. The downloaded helper
application is executed in the context of the originating site in the
user's web browser. The helper application then downloads the Cisco
AnyConnect Secure Mobility Client from the VPN headend and executes
mode.
CVE-2011-3521
The CORBA implementation contains a deserialization
vulnerability in the IIOP implementation, allowing untrusted
Java code (such as applets) to elevate its privileges.
CVE-2011-3544
The Java scripting engine lacks necessary security manager
checks, allowing untrusted Java code (such as applets) to
elevate its privileges.
java-1.6.0-openjdk:
Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29
and earlier, and 1.4.2_31 and earlier allows remote untrusted Java
Web Start applications and untrusted Java applets to affect integrity
via unknown vectors related to Deserialization (CVE-2011-0865).
Multiple unspecified vulnerabilities in the Java Runtime Environment
(JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update
29 and earlier, and 1.4.2_31 and earlier allow remote attackers
-- Overview --
Sun JRE is described [1] as "the Java APIs, Java Virtual Machine
(HotSpot VM), and other components necessary to run applets and
applications written in the Java programming language".
The software provides a virtualisation layer that allows Java
applications to be run across platforms and operating systems. These
Java applications can be delivered to the JVM via a number of
________________________________________________________________________________
Vendor: Jscape, http://www.jscape.com/
Affected Products: Jscape Secure FTP Applet
http://www.jscape.com/sftpapplet/index.html
Vulnerability: SSH Host key is not verified allowing for Man in the
Middle attacks
Risk: High
NSFOCUS Security Advisory (SA2009-02)
IBM DB2 JDBC Applet Server Remote DoS Vulnerability
Release Date: 2009-10-16
CVE ID: CVE-2009-2971
http://www.nsfocus.com/en/advisories/0902.html
icedtea6-plugin 6b18-1.8.7-0ubuntu1~10.04.2
openjdk-6-jre 6b18-1.8.7-0ubuntu1~10.04.2
openjdk-6-jre-headless 6b18-1.8.7-0ubuntu1~10.04.2
After a standard system update you need to restart any Java services,
applications or applets to make all the necessary changes.
Details follow:
USN-1079-1 fixed vulnerabilities in OpenJDK 6 for non-armel (ARM)
architectures. This update provides the corresponding updates for
openjdk-6-jre 6b20-1.9.7-0ubuntu1
openjdk-6-jre-headless 6b20-1.9.7-0ubuntu1
openjdk-6-jre-lib 6b20-1.9.7-0ubuntu1
It was discovered that untrusted Java applets could create domain
name resolution cache entries, allowing an attacker to manipulate