[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Java 1.4.2_02 InsecurityManager JVM crash

To: Francisco Andrades <fandrades@nextj.com>
Subject: Re: Java 1.4.2_02 InsecurityManager JVM crash
From: Marc Schoenefeld <schonef@uni-muenster.de>
Date: Mon, 27 Oct 2003 23:15:14 +0100 (MEZ)

Hi,

 either they (Sun) remove the deprecated functions completely  or they
 introduce permissions which explicitly allow to call deprecated stuff.
 An adversary does not care whether the function he uses to interfere
 correct operation is deprecated. Deprecation is not a security feature,
 correct and aware coding is.

Marc


On Mon, 27 Oct 2003, Francisco Andrades wrote:

> Date: Mon, 27 Oct 2003 16:01:18 -0400
> From: Francisco Andrades <fandrades@nextj.com>
> To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
>
> Although this is a serious bug, the method SecurityManager.classDepth()
> has been deprecated for a while, you should not be using it.
>
> Seems to be a bug on native code (since it's deprecated it may not have
> been updated lately).
>
> Marc Schoenefeld wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hello,
> >
> >  Java 2 Security Managers are objects that should enforce
> >  system integrity and safety. Everyone would expect that
> >  the provided base classes from the JDK are therefore a
> >  role model for code quality and stability. But that's
> >  all theory. Let's do some practice:
> >
> >  Imagine a lazy implementor (like me) of a SecurityManager,
> >  he codes the following:
> >
> >  /* InsecurityManager-Demonstration  */
> >  /* coded by Marc Schoenefeld        */
> >  public class InSecurityManager extends SecurityManager {
> >
> >        public void doit() {
> >                       System.out.println("doit");
> >                       int o = classDepth(null);
> >        }
> >
> >    public static void main(String[] a) {
> >     InSecurityManager m =  new InSecurityManager();
> >     m.doit();
> >    }
> > }
> >  When you run the class with the command
> >
> >  java InSecurityManager
> >
> >  you get a jvm crash, instead of  a null pointer exception.
> >  I tested this with the latest 1.3.1,1.4.1,1.4.2 implementations.
> >  All Sun implementations crash, the IBM 1.4.1 (comes with
> >  Websphere or Cloudscape) is stable.
> >
> >  This sample of code will do no harm to productive environments,
> >  because you cannot instantiate a second security manager, but
> >  it may be a snapshot of the inner condition of jvm security.
> >
> >  Lesson learned: Do not believe white papers or specifications,
> >  test the implementation and report bugs to the vendor. Choose
> >  a stable implementation.
> >
> >  Sincerely
> >  Marc Schoenefeld
>
> --
> Francisco Andrades Grassi
> www.nextj.com
> Tlf: +58-414-125-7415
>
>

--

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer

References:
- Re: Java 1.4.2_02 InsecurityManager JVM crash
  - From: Francisco Andrades <fandrades@nextj.com>

Prev by Date: [slackware-security] gdm security update (SSA:2003-300-01)
Next by Date: Nachi/Welchia/LovSan.D version 2 appears to be spreading
Previous by thread: Re: Java 1.4.2_02 InsecurityManager JVM crash
Next by thread: MDKSA-2003:096-1 - Updated apache2 packages fix CGI scripting deadlock
Index(es):
- Date
- Thread