Latest YouTube Video

Wednesday, October 21, 2015

[FD] [SE-2014-02] Google App Engine Java security sandbox bypasses (Issue 42)

Hello All, Oracle Critical Patch Update released yesterday incorporates a fix for a Java SE 7 vulnerability (Issue 42) that was discovered while investigating security of Google App Engine. Its technical details and a POC code can be found at the following address: http://ift.tt/1ALgNG6 Issue 42 is caused by improper initialization of interface method slots in a HotSpot VM. As a result, protected instance methods can be successfully used as interface methods. This violates the Java Virtual Machine Language Specification [1], which states that "if the selected method is not public, invokeinterface should throw an IllegalAccessError". GAE weakens standard Java security model by allowing custom Class Loaders. In order to protect against direct exploitation of this "feature", access to defineClass methods of java.lang.ClassLoader class and it subclasses is restricted in Google environment [2]. Issue 42 can be used to directly invoke such methods with the use of interfaces. As a result, user provided classes can be defined outside of a GAE Class Sweeper sandbox and Java security manager can be completely turned off. It's also worth to note that in Mar 2015, Google indicated that it "has other mitigations in place that prevent Issue 21 [1+ years old JRE with 100+ unpatched security vulnerabilities] from being exploitable". This is the second time we show these mitigations are not working as intended [3]. What is however more interesting is that rather mediocre Java SE issue can be successfully exploited in a straightforward way in GAE environment, just because Google has chosen to "tweak" a standard Java security model a little bit. Thank you. Best Regards, Adam Gowdiak

Source: Gmail -> IFTTT-> Blogger

No comments: