Changeset 5052 a589a8dbde79 question

Christopher Meyer christopher.meyer at rub.de
Fri Feb 24 13:31:56 UTC 2012


Hi,
please correct me if I'm wrong, but the Changeset 5052 in ZoneInfoFile could 
maybe draw an unexpected SideChannel at System.err.

Please have a look at the following:
TimeZone tzExistent = TimeZone.getTimeZone("/.\56/.\56/.\56/etc/passwd");
will walk the following path:

java.util.TimeZone:
public static synchronized TimeZone getTimeZone(String ID)
private static TimeZone getTimeZone(String ID, boolean fallback)
private static final TimeZone parseCustomTimeZone(String id)
sun.util.calendar.ZoneInfo
public static ZoneInfo getZoneInfo(String id)
private static ZoneInfo createZoneInfo(String id)
private static byte[] readZoneInfoFile(final String fileName)

where it is checked if it contains ".." 

ileName.indexOf("..") >= 0 
(which indeed it doesn't) - no more checking at this point, necessary path 
checks are dropped for the sake of performance. When passed to 

File file = new File(ziDir, fileName);

it will evalute fine to /../../../etc/passwd. Since the operation takes place 
inside a doPrivileged block the file could be read (if present) without 
SecurityException, even in an Applet. The attacker would succeed with a 
directory traversal. No big deal due to this point, since no information is 
handled to a potential attacker.

But when looking at the return path we find the following in private static 
ZoneInfo createZoneInfo(String id):

System.err.println("ZoneInfo: wrong magic number: " + id);
or
System.err.println("ZoneInfo: incompatible version ("
                                   + buf[index - 1] + "): " + id);

So if an attacker manages to access System.err (one could think about 
capabilities of LiveConnect or some related technologies...) he would be able 
to detect the presence of files on the victims system. This would be clearly a 
violation of the applet sandbox.

In my opinion the impact is not that big, but it increases an attackers 
surface.

Do I miss something or got something wrong or this this an issue that should 
be fixed?

Regards from Germany,
Chris


Blog on Java security and related topics:
armoredbarista.blogspot.com

______________________________________

Dipl.-Ing. Christopher Meyer

Horst Görtz Institute for IT-Security 
Chair for Network and Data Security 
Ruhr-University Bochum, Germany

Universitätsstr. 150, ID 2/415
D-44801 Bochum, Germany
http:// www.nds.rub.de

Phone: (+49) (0)234 / 32 - 29815
Fax: (+49) (0)234 / 32 - 14347





More information about the security-dev mailing list