October 19, 2010

Name Oracle JRE - java.net.URLConnection class – Same-Origin Policy (SOP) Bypass
Vendor Website http://www.oracle.com/technetwork/java/javase/overview/index.html
Date Released/CVE 18th October 2010 – CVE-2010-3573
Affected Software java.net.URLConnection class included within Java(TM) SE Runtime Environment (build 1.6.0_21-b07 and potentially previous versions)
Researcher Roberto Suggi Liverani

+-----------+
|Description|
+-----------+

Security-Assessment.com discovered that a Java Applet making use of the java.net.URLConnection class can be used to bypass the Same-Origin Policy (SOP) and domain-based security controls in modern browsers when communication occurs between two domains that resolve to the same IP address. This advisory includes a Proof-of-Concept (PoC) demo and Java Applet source code, which demonstrate how this issue can be exploited to leak cookie information to an unauthorised domain that resides on the same host IP address.

+------------+
|Exploitation|
+------------+

The Flash movie demo can be viewed at the following link:

http://www.security-assessment.com/files/advisories/java_net_urlconnection_sop_bypass_demo.swf

The Proof of Concept (PoC) in the demo demonstrates that a Cross Site Request Forgery (XSRF) attack can be leveraged by using a Java Applet which implements the java.net.URLConnection class. Traditionally, XSRF is used to force a user to perform an unwanted action on a target web site. In this case, the PoC shows that XSRF can also be used to capture sensitive information, such as the cookies associated with a target web site.

The following assumptions are made in this PoC:

1. Virtual hosts www.targetsite.net and www.badsite.com resolve to the same IP address;

2. Malicious user controls www.badsite.com web site;

3. Malicious user targets www.targetsite.net users.

The following list summarises the sequence of actions shown in the demo:

1. User has a valid cookie for www.targetsite.net

2. The same user visits www.badsite.com, which performs a cross-site forged request to www.targetsite.net.
The forged request is performed by a Java Applet embedded on the malicious site. The Java Applet bypasses the Same-Origin Policy: an unsigned Java Applet should not be able to communicate from www.badsite.com to www.targetsite.net without a crossdomain.xml policy file on the target.

3. The Java Applet performs a first GET request to www.targetsite.net. At this stage, the Java Applet has access to the Cookie: header sent to www.targetsite.net through the getRequestProperty("cookie") method. This is in breach of the SOP.

4. A second request is made, for the purpose of the demo, which leaks the www.targetsite.net cookies to www.badsite.com via an HTTP GET request.

Testing was successfully performed using Java(TM) SE Runtime Environment (build 1.6.0_21-b07) with the following browsers:

- Mozilla Firefox 3.5.8 (Windows XP)
- Opera 10.60 (Windows XP)
- Internet Explorer 6.0.2900.5512 (Windows XP)
- Google Chrome 5.0.375.9 (Windows XP)
- Internet Explorer 8.0.6001.18702 (Windows XP)
- Safari 5.0 (7533.16) (Windows XP)

The Java Applet source code used in the demo can be downloaded at the following link:

http://www.security-assessment.com/files/advisories/MaliciousJavaApplet.zip

+--------+
|Solution|
+--------+

Security-Assessment.com follows responsible disclosure and promptly contacted Oracle after discovering the issue. Oracle was contacted on August 1, 2010.

Oracle has created a fix for this vulnerability, which has been included as part of the Critical Patch Update Advisory - October 2010. Security-Assessment.com recommends that all users of the JRE and JDK upgrade to the latest version as soon as possible.

For more information on the new release of JRE/JDK please refer to the link:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

+------+
|Credit|
+------+

Discovered and advised to Oracle August 2010 by Roberto Suggi Liverani of Security-Assessment.com.
