[13647] in bugtraq
Re: `Microsoft VM for Java' allows reading local files using
daemon@ATHENA.MIT.EDU (Ari Gordon-Schlosberg)
Wed Feb 2 00:58:35 2000
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000201175055.A23207@nebcorp.com>
Date: Tue, 1 Feb 2000 17:50:55 -0600
Reply-To: Ari Gordon-Schlosberg <regs@NEBCORP.COM>
From: Ari Gordon-Schlosberg <regs@NEBCORP.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <38963BC2122.9A8DTAKAGI@java-house.etl.go.jp>; from
takagi@ETL.GO.JP on Tue, Feb 01, 2000 at 10:49:54AM +0900
["TAKAGI, Hiromitsu" <takagi@ETL.GO.JP>]
> Microsoft JVM allows reading local files using getSystemResourceAsStream.
> For a detailed description, please see the following article.
>
Verified with build 5.00.2314.1003 on Win98. Creepy. According to the
article above, IE 5 allows files under C:\Windows\Desktop to be read, while IE
4 gives access to C:\ itself. Seems to me that there must be a bug in
either java.lang.SecurityManager.checkRead(String,Object) or
java.lang.ClassLoader.getResourceAsStream(String). If it's the former,
this bug should be further exploitable to pretty much any file. Therefore,
it is most likely that java.lang.ClassLoader.getResourceAsStream(String) is
either a) not calling java.lang.SecurityManager.checkRead(String,Object) at
all or b) passing it an incorrect context.
--
Ari there is no spoon
-------------------------------------------------------------------------
http://www.nebcorp.com/~regs/pgp for PGP public key