
New Java Vulnerability Allows Sandbox Bypass


Virus Guy

Sep 27, 2012, 10:03:11 AM
I bet this exploit fails on win-98 systems.

I have 1.6.0_30 (Java 6 Update 30) installed on this win-98 system of
mine. If anyone can point me to the PoC code mentioned below, I'll try
it on and post my results...

==================================

http://www.eweek.com/security/new-java-vulnerability-allows-sandbox-bypass-security-firm-says.html

Researchers at Security Explorations have uncovered a new critical
zero-day flaw affecting all supported versions of Oracle Java.

The bug discovery was announced Tuesday on the Full Disclosure security
mailing list, though technical details of the vulnerability remain under
wraps. According to Security Explorations CEO Adam Gowdiak, however, the
flaw impacts Java Standard Edition versions 5, 6 and 7 and can be used
to break out of the Java sandbox.

"The issue is tricky to find," he said. "Same for the exploit code to
develop. It would be fair to say that both were of a moderate
difficulty."

The researchers say they confirmed the bug on the Firefox, Google
Chrome, Internet Explorer, Opera and Apple Safari browsers. Oracle has
confirmed the flaw's existence and stated that it will be addressed in a
future Java critical patch update, according to Gowdiak.

The prevalence of Java has made it a common target for hackers,
prompting some in the security community to call for organizations to
disable the technology if it is not needed. Exploits for Java bugs have
become staples of attack kits such as Black Hole and others. There is
little danger of that in this case, however, since the bug was disclosed
privately, said Marcus Carey, security researcher at Rapid7.

"There are tons of privately reported bugs for software, which makes it
a bit strange that this is generating the amount of buzz that it is," he
said. "Organizations and consumers should always treat Java and other
plug-ins as if there are zero-day exploits out there targeting them,
even when we don't know of any specific ones being used."

To reduce risk, he recommended that users only install plug-ins when
needed and disable or uninstall them if they are unnecessary.

"If you have to enable dynamic content that requires plug-ins, only do
so from trusted sites, as others could very well be compromised," he
added.

"If there isn’t a reasonable use case for someone to have Java
installed, then they can certainly consider removing it altogether,"
Satnam Narang, security response manager at Symantec, said in an
interview Aug. 30. "However, if there is a use case for having it
installed, it’s simply best to ensure that it is patched and kept
up-to-date. If there is an exploit in the wild and no patch is currently
available, users should disable Java until a patch is made available."

Due to the number of people running Java, the potential impact of the
bug could affect a large number of desktops, Gowdiak said. The severity
of the issue is also critical because of the implications of a full Java
security sandbox bypass.

"What this means is that a malicious Java applet or application
exploiting the vulnerability could run unrestricted in the context of a
target Java process such as a web browser application," he explained.
"An attacker could then install programs, view, change, or delete data
with the privileges of a logged-on user. In our proof of concept code we
create a file and execute "notepad.exe" application on Windows."
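
An added illustration, not part of the eWeek article or this thread and not the Security Explorations proof of concept: the two actions the PoC is described as performing, creating a file and launching notepad.exe, are exactly what the applet sandbox exists to refuse. The program below runs that "payload" twice, first with no SecurityManager installed (the situation a full sandbox bypass produces) and then under a constructed applet-like SecurityManager that denies file writes, process execution and its own removal. The class name, the manager's policy and the temp-file name are assumptions made for the demo. It targets the Java 6/7/8-era SecurityManager API; on Java 18 to 23 it needs `-Djava.security.manager=allow`, and on Java 24 and later the SecurityManager can no longer be enabled at all.

```java
import java.io.File;
import java.io.FilePermission;
import java.io.IOException;
import java.security.AccessControlException;
import java.security.Permission;

/*
 * Added demo, not the Security Explorations PoC. Shows the sandbox boundary
 * that a "full Java security sandbox bypass" defeats: the same file-drop and
 * exec attempt, once with no manager and once under an applet-like manager.
 */
public class SandboxDemo {

    /** Constructed applet-like policy: veto file writes/deletes, exec, and setSecurityManager. */
    static class AppletLikeManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof FilePermission) {
                String actions = perm.getActions();
                if (actions.contains("write") || actions.contains("delete")
                        || actions.contains("execute")) {
                    throw new AccessControlException("sandbox denied " + perm);
                }
            } else if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                // Untrusted code must not be able to uninstall the sandbox itself.
                throw new AccessControlException("sandbox denied " + perm);
            }
            // Everything else (class loading, reading the classpath, stdout) is allowed.
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    /** The PoC-style actions: drop a file, then start an external program. */
    static String runPayload() {
        StringBuilder out = new StringBuilder();
        try {
            File dropped = File.createTempFile("sandbox-demo", ".txt"); // harmless constructed file
            dropped.deleteOnExit();
            out.append("file created: ").append(dropped.getAbsolutePath()).append('\n');
        } catch (SecurityException e) {
            out.append("file blocked: ").append(e.getMessage()).append('\n');
        } catch (IOException e) {
            out.append("file failed: ").append(e.getMessage()).append('\n');
        }
        try {
            // notepad.exe exists only on Windows. Elsewhere exec() throws IOException, which is
            // a lookup failure, not a sandbox decision; the two outcomes must not be confused.
            Process p = Runtime.getRuntime().exec("notepad.exe");
            p.destroy();
            out.append("exec allowed\n");
        } catch (SecurityException e) {
            out.append("exec blocked: ").append(e.getMessage()).append('\n');
        } catch (IOException e) {
            out.append("exec failed (not a sandbox decision): ").append(e.getMessage()).append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.println("== no SecurityManager (what a full sandbox bypass buys) ==");
        System.out.println(runPayload());

        System.setSecurityManager(new AppletLikeManager());
        System.out.println("== under the applet-like SecurityManager ==");
        System.out.println(runPayload());

        try {
            System.setSecurityManager(null); // sandboxed code trying to remove the sandbox
            System.out.println("sandbox removed (should not happen)");
        } catch (SecurityException e) {
            System.out.println("removal blocked: " + e.getMessage());
        }
    }
}
```

The point of the third step is the one the article makes: a vulnerability of this class is not a way around one permission check but a way to run as if no manager were installed, so every check in `runPayload()` passes. Note also the distinction the exec branch draws between `SecurityException` (the sandbox said no) and `IOException` (the program was not found), which is the same exploit-versus-payload confusion discussed later in this thread.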

FromTheRafters

Sep 27, 2012, 11:58:02 AM
Virus Guy laid this down on his screen :
> I bet this exploit fails on win-98 systems.
>
How much?

[...]


Dustin

Sep 28, 2012, 7:26:46 PM
Virus Guy <Vi...@Guy.com> wrote in news:50645C9F...@Guy.com:

> I bet this exploit fails on win-98 systems.
>
> I have 1.6.0_30 (Java 6 Update 30) installed on this win-98 system of
> mine. If anyone can point me to the PoC code mentioned below, I'll
> try it on and post my results...

It would be very stupid to hand you a piece of functional code. You're
so clueless as to be dangerous with it.

It's a java vulnerability. Not OS dependent.
> "What this means is that a malicious Java applet or application
> exploiting the vulnerability could run unrestricted in the context of
> a target Java process such as a web browser application," he
> explained. "An attacker could then install programs, view, change, or
> delete data with the privileges of a logged-on user. In our proof of
> concept code we create a file and execute "notepad.exe" application
> on Windows."

Which likely is easier on a win98 system, as you have no file
permissions nor user access rights of any kind to enforce or if you're
the malware, to have to get around.

I see no reason why this wouldn't work fine on your machine. It's not OS
dependent.




--
There ain't no rest for the wicked. Money don't grow on trees. I got
bills to pay. I got mouths to feed. Ain't nothing in this world for
free. Oh No. I can't slow down, I can't hold back though you know I wish
I could. Oh no there ain't no rest for the wicked, until we close our
eyes for good.



FromTheRafters

Sep 28, 2012, 8:59:45 PM
Dustin was thinking very hard :
> Virus Guy <Vi...@Guy.com> wrote in news:50645C9F...@Guy.com:
>
>> I bet this exploit fails on win-98 systems.
>>
>> I have 1.6.0_30 (Java 6 Update 30) installed on this win-98 system of
>> mine. If anyone can point me to the PoC code mentioned below, I'll
>> try it on and post my results...
>
> It would be very stupid to hand you a piece of functional code. You're
> so clueless as to be dangerous with it.
>
> It's a java vulnerability. Not OS dependent.
>> "What this means is that a malicious Java applet or application
>> exploiting the vulnerability could run unrestricted in the context of
>> a target Java process such as a web browser application," he
>> explained. "An attacker could then install programs, view, change, or
>> delete data with the privileges of a logged-on user. In our proof of
>> concept code we create a file and execute "notepad.exe" application
>> on Windows."
>
> Which likely is easier on a win98 system, as you have no file
> permissions nor user access rights of any kind to enforce or if you're
> the malware, to have to get around.
>
> I see no reason why this wouldn't work fine on your machine. It's not OS
> dependent.

On at least two previous occasions when this sort of thing came up (his
soapbox I guess) I have been trying to get him to understand that
exploit code is separate from payload code. Just because a published
POC demonstration doesn't work on (payload wasn't written for) W98
doesn't mean that the vulnerability wasn't exploited.

He likes to use this to bolster his misconception about the security of
W98 being better than NT based versions. His proposal is to take an
exploit w/payload and having its payload fail to execute (because it
wasn't written for W98) as proof that W98 wasn't vulnerable to the
exploit. Now he has clearly demonstrated that he still misses the
point.


Dustin

Sep 28, 2012, 11:41:29 PM
FromTheRafters <err...@nomail.afraid.org> wrote in
news:k45h65$qi8$1...@dont-email.me:

> On at least two previous occasions when this sort of thing came up
> (his soapbox I guess) I have been trying to get him to understand
> that exploit code is separate from payload code. Just because a
> published POC demonstration doesn't work on (payload wasn't written
> for) W98 doesn't mean that the vulnerability wasn't exploited.

He's a fucking moronic twit who can't grasp concepts well. "Virus_Guy"
is an insult to those who know viruses. That punkass doesn't.

He likes to talk down to people who know significantly more than he
does.

> He likes to use this to bolster his misconception about the security
> of W98 being better than NT based versions. His proposal is to take
> an exploit w/payload and having its payload fail to execute (because
> it wasn't written for W98) as proof that W98 wasn't vulnerable to the
> exploit. Now he has clearly demonstrated that he still misses the
> point.

He *never* got the message in the first place and I'd be willing to bet
a little hard-earned money that he never will. Ever. It just isn't
going to happen.

Hell, I've got a better chance of one day waking up in a good mood and
happy. Then again, I could drop dead tomorrow and that WOULD make me
happy. Happy as a fucking lark, so who knows.

FromTheRafters

Sep 29, 2012, 8:42:41 PM
Dustin wrote :
> FromTheRafters <err...@nomail.afraid.org> wrote in
> news:k45h65$qi8$1...@dont-email.me:
>
>> On at least two previous occasions when this sort of thing came up
>> (his soapbox I guess) I have been trying to get him to understand
>> that exploit code is separate from payload code. Just because a
>> published POC demonstration doesn't work on (payload wasn't written
>> for) W98 doesn't mean that the vulnerability wasn't exploited.
>
> He's a fucking moronic twit who can't graps concepts well. "Virus_Guy"
> is an insult to those who know viruses. That punkass doesn't.

It would be better if he actually tried to learn something instead of
pretending that he already knows everything.
>
> He likes to talk down to people who know significantly more than he
> does.

Yeah, I noticed that. It tends to get in the way of any chance for him
to learn something.
>
>> He likes to use this to bolster his misconception about the security
>> of W98 being better than NT based versions. His proposal is to take
>> an exploit w/payload and having its payload fail to execute (because
>> it wasn't written for W98) as proof that W98 wasn't vulnerable to the
>> exploit. Now he has clearly demonstrated that he still misses the
>> point.
>
> He *never* got the message in the first place and I'd be willing to bet
> a little hard! earned money that he never will. Ever. It just isn't
> going to happen.

You may be right about that.
>
> Hell, I've got a better chance of one day waking up in a good mood and
> happy. Then again, I could drop dead tomorrow and that WOULD make me
> happy. Happy as a fucking lark, so who knows.

Do you believe in an afterlife? I don't, I think when it's over it's
over. I'm okay with that, but intellectually I can't conclude that it
is fact.


Dustin

Sep 30, 2012, 12:00:00 AM
FromTheRafters <err...@nomail.afraid.org> wrote in
news:k484i4$p4g$1...@dont-email.me:
My logical mind suspects what's me is a software program and this body is
just the hardware.... If that's the case, an afterlife might indeed
exist, but I want no part of it either. I want out. Pretty simple
request one would think...

I'm confident tho the God they speak of in Church isn't in any possible
way, real.

FromTheRafters

Sep 30, 2012, 7:06:15 AM
Dustin explained on 9/30/2012 :
I can agree with that, but I'm in no hurry now. I promised myself that
I would hang around as long as I could.
>
> I'm confident tho the God they speak of in Church isn't in any possible
> way, real.

Yeah, it doesn't make sense to me either. I think it is just something
for those that need something to believe in to make them happy.


Virus Guy

Oct 6, 2012, 9:32:00 PM
Virus Guy wrote:

> Researchers at Security Explorations have uncovered a new critical
> zero-day flaw affecting all-supported versions of Oracle Java.

See also:

http://blogs.computerworld.com/malware-and-vulnerabilities/21056/another-critical-java-vulnerability-puts-1-billion-users-risk

What's the deal?

Is Orifice doing anything about this?