Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-4080534

Can make file existence attacks on CLASSPATH with getSystemResource()

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P1
    • Resolution: Fixed
    • Affects Version/s: 1.1.4
    • Fix Version/s: 1.1.5
    • Component/s: core-libs
    • Labels:
    • Subcomponent:
    • Resolved In Build:
      1.1.5
    • CPU:
      sparc
    • OS:
      solaris_2.5.1
    • Verification:
      Verified

      Description

      I fixed 4016360, and this led to discovering the following attack:

      Using the ClassLoader.getSystemResource() method,
      you can construct a file existence attack on files in directories
      listed on CLASSPATH. This is because the sysresouce API constructs a
      URL by first checking if the file exists -- so if you get a URL, this
      means that file does exist and you can look at the directory it is in
      by doing a toString() on the returned URL. If you get null, the file
      doesn't exist. Of course, you cannot read the file, just do an
      existence attack.

      There are a coupla fixes for this:

      - mangle the URL string with a private key generated at
      runtime, and private to the VM.
      - do the file existence check at the Java level, rather than
      at the C level (with sysOpen). This will cause a Java level
      security exception that we can then swallow (as we do for
      4062427).

      Bill Shannon remarks that we should commit to fix this for 1.1.5.

      anand.palaniswamy@Eng 1997-09-19

        Attachments

          Activity

            People

            Assignee:
            epelegrisunw Eduardo Pelegrillopart (Inactive)
            Reporter:
            apalanissunw Anand Palaniswamy (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Imported:
              Indexed: