There is a collision of two Java features: serialization and the security manager.
The security manager is used to limit the actions of applets or applications or chunks of code. Some of the standard libraries need to elevate their privileges to e.g. read in a file, which an applet would not be allowed to do.
Serialization is used to write objects out to a persistent form. Classes can override the read and write methods to provide a custom (more efficient) form. They also can do whatever the hell they like in those methods too.
The Calendar class elevates its privileges to read in a time zone information object. But it doesn't know what the object really is until it has read it.
If you can trick the Calendar to read in your object instead of the timezone information then your class can execute arbitrary code with no security restrictions.
And from ealf -
(If you insert an evil object in the middle of a serialized Calendar object, it will be deserialized in privileged mode. And by overriding readObject(), you can run code during deserializing.)
And from draconnery -
As ealf explained tersely and Rhoomba at some length, this bug lets the programmer run arbitrary code without security restrictions on your machine. In case that wording doesn't horrify you all on its own, let me try to suggest what this could be like...
Imagine if you logged into your computer and turned it over to a stranger and gave him a few minutes to do whatever he wanted, including deleting all your documents and photos, or, say, installing a program that would intercept all your keystrokes and send them to him (so he could look for 16-digit numbers or, god forbid, "www.facebook.com" followed by your email address and "password1").
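The mechanism the quotes above describe (a class's readObject() hook runs during deserialization, before the code that called readObject() can even look at the object's type) and the usual developer-side countermeasure for code that deserializes untrusted data under elevated privileges, as an added Java example that is not part of this post, of the JDK, or of Sun's actual patch. The HookedPayload class, the AllowlistObjectInputStream subclass and the allowlist contents are constructed for illustration; the hook only sets a flag.

```java
import java.io.*;
import java.util.*;

public class DeserializationDemo {

    // Constructed sample class: its readObject hook runs whenever an instance
    // is read from a stream. In the bug the post describes, the Calendar code
    // read an attacker-supplied stream while privileged, so a hook like this
    // ran with no security restrictions. Here it only records that it ran.
    static class HookedPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean hookRan = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            hookRan = true; // arbitrary code would execute at this point
        }
    }

    // Hardened reader: every class descriptor in the stream is checked against
    // an explicit allowlist when it is resolved, i.e. before an instance exists
    // and before any readObject hook can run. Primitive arrays (e.g. "[B") are
    // allowed because they carry no code; everything else must be listed.
    static class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        private static boolean isPrimitiveArray(String name) {
            return name.matches("\\[+[ZBCSIJFD]");
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name) && !isPrimitiveArray(name)) {
                throw new InvalidClassException("Unauthorized class in stream: " + name);
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // What the privileged reader expects: time zone information.
        byte[] expected = serialize(new SimpleTimeZone(0, "UTC"));
        // What it gets instead: a stream carrying the hooked class.
        byte[] tampered = serialize(new HookedPayload());

        // 1. Plain ObjectInputStream: the hook has already run by the time
        //    readObject() returns, so a type check afterwards comes too late.
        HookedPayload.hookRan = false;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(tampered))) {
            Object o = in.readObject();
            System.out.println("plain read: got " + o.getClass().getSimpleName()
                    + ", hook ran = " + HookedPayload.hookRan);
        }

        // 2. Allowlisted reader: the expected classes still load (SimpleTimeZone
        //    and its superclass TimeZone both appear as descriptors in the stream)...
        Set<String> allowed = new HashSet<>(Arrays.asList(
                "java.util.SimpleTimeZone", "java.util.TimeZone"));
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(expected), allowed)) {
            System.out.println("allowlist read: got " + in.readObject().getClass().getSimpleName());
        }

        // ...but the tampered stream is rejected at class resolution, so the
        //    hook never gets a chance to execute.
        HookedPayload.hookRan = false;
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(tampered), allowed)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("allowlist read: rejected (" + e.getMessage()
                    + "), hook ran = " + HookedPayload.hookRan);
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo`. The design point is that the check is made in resolveClass(), on the class name, before ObjectInputStream instantiates anything; checking the returned object's type after readObject() would not help, because the hook fires during the read. On Java 9 and later (and 8u121 and later) the JDK offers the same control built in through ObjectInputFilter and the jdk.serialFilter system property, which is preferable to subclassing when available.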
The proof of concept executed on my fully patched 10.5.7 unibody MacBook in FF.
To disable the Java plugin in Firefox, go to Tools->Add Ons->Plugins and click the "disable" button associated with the Java Embedding Plugin.