Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
Michal Zalewski
2010-10-20 15:58:29 UTC
> Security-Assessment.com follows responsible disclosure
> and promptly contacted Oracle after discovering
> the issue. Oracle was contacted on August 1,
> 2010.

My understanding is that Stefano Di Paola of Minded Security reported
this back in April; and further, the feature was a part of reasonably
well-documented functionality of Java pretty much ever since:

http://download.oracle.com/javase/6/docs/api/java/net/URL.html

"Two hosts are considered equivalent if both host names can be
resolved into the same IP addresses"

This was a pretty horrible design, so it's good to see it gone, though.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Michal Zalewski
2010-10-20 17:45:11 UTC
> Eh, you can see where it came from though. Design bugs like this are absolutely miserable to fix (see how we'll never get rebinding out of the browser) and letting identical IPs script against each other lets an awful lot of legitimate traffic through while blocking almost all attacks.
>
> I'm not saying it's a preferred design, but let's reserve "horrible" for things that don't have quite the obvious thought process behind them.

"Horrible" in the sense it had significant consequences for the safety
of all Internet users, for at least a decade (ever since HTTP vhosts
became reasonably popular, which must be what, late 90s).

I don't really question the thought process - although it's
interesting to see that almost all attempts to redefine / reinvent SOP
led to significant issues over the years. This is not merely the fault
of plugin vendors, by the way - the incompatibility between DOM SOP
and cookie "SOP" poses some very interesting and underappreciated
problems for many classes of modern web apps. And it's certainly not
unique to SOP, either:

http://lcamtuf.blogspot.com/2010/10/attack-of-monster-frames-mini.html

Anyway...

/mz

Dan Kaminsky
2010-10-20 17:38:12 UTC
Sent from my iPhone

On Oct 20, 2010, at 8:58 AM, Michal Zalewski <***@coredump.cx> wrote:

>> Security-Assessment.com follows responsible disclosure
>> and promptly contacted Oracle after discovering
>> the issue. Oracle was contacted on August 1,
>> 2010.
>
> My understanding is that Stefano Di Paola of Minded Security reported
> this back in April; and further, the feature was a part of reasonably
> well-documented functionality of Java pretty much ever since:
>
> http://download.oracle.com/javase/6/docs/api/java/net/URL.html
>
> "Two hosts are considered equivalent if both host names can be
> resolved into the same IP addresses"
>
> This was a pretty horrible design, so it's good to see it gone, though.

Eh, you can see where it came from though. Design bugs like this are absolutely miserable to fix (see how we'll never get rebinding out of the browser) and letting identical IPs script against each other lets an awful lot of legitimate traffic through while blocking almost all attacks.

I'm not saying it's a preferred design, but let's reserve "horrible" for things that don't have quite the obvious thought process behind them.

Is this, in fact, gone now?

>
> /mz
>

Matthew Bergin
2010-10-20 20:49:03 UTC
the keys to the interwebz!


> CC: ***@security-assessment.com; full-***@lists.grok.org.uk; ***@securityfocus.com
> From: ***@doxpara.com
> Subject: Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
> Date: Wed, 20 Oct 2010 10:38:12 -0700
> To: ***@coredump.cx
>
>
>
> Sent from my iPhone
>
> On Oct 20, 2010, at 8:58 AM, Michal Zalewski <***@coredump.cx> wrote:
>
> >> Security-Assessment.com follows responsible disclosure
> >> and promptly contacted Oracle after discovering
> >> the issue. Oracle was contacted on August 1,
> >> 2010.
> >
> > My understanding is that Stefano Di Paola of Minded Security reported
> > this back in April; and further, the feature was a part of reasonably
> > well-documented functionality of Java pretty much ever since:
> >
> > http://download.oracle.com/javase/6/docs/api/java/net/URL.html
> >
> > "Two hosts are considered equivalent if both host names can be
> > resolved into the same IP addresses"
> >
> > This was a pretty horrible design, so it's good to see it gone, though.
>
> Eh, you can see where it came from though. Design bugs like this are absolutely miserable to fix (see how we'll never get rebinding out of the browser) and letting identical IPs script against each other lets an awful lot of legitimate traffic through while blocking almost all attacks.
>
> I'm not saying it's a preferred design, but let's reserve "horrible" for things that don't have quite the obvious thought process behind them.
>
> Is this, in fact, gone now?
>
> >
> > /mz
> >
Chris Evans
2010-10-20 20:18:29 UTC
On Wed, Oct 20, 2010 at 8:58 AM, Michal Zalewski <***@coredump.cx> wrote:

> > Security-Assessment.com follows responsible disclosure
> > and promptly contacted Oracle after discovering
> > the issue. Oracle was contacted on August 1,
> > 2010.
>
> My understanding is that Stefano Di Paola of Minded Security reported
> this back in April; and further, the feature was a part of reasonably
> well-documented functionality of Java pretty much ever since:
>
> http://download.oracle.com/javase/6/docs/api/java/net/URL.html


The Host: header trick was also used back in 2008 in Billy Rios' GIFAR
attack -- to get around the fact that Picasa hosts images on a separate
domain:

http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/

The blog post title was "SUN Fixes GIFARs", although it's not immediately
obvious to me what was changed or fixed.

If anyone knows what was changed back then and/or in this latest release, it
would be interesting to see it documented.


Cheers
Chris


>
>
> "Two hosts are considered equivalent if both host names can be
> resolved into the same IP addresses"
>
> This was a pretty horrible design, so it's good to see it gone, though.
>
> /mz
>
>
Roberto Suggi Liverani
2010-10-20 22:09:00 UTC
Hi Michal,

Let me share some background on this advisory...

I came to this result when I was looking into a way of exploiting the
Apache Web Server "Compatibility with older browser feature". A separate
paper has been published here:

http://www.security-assessment.com/files/whitepapers/Leveraging_XSRF_with_Apache_Web_Server_Compatibility_with_older_browser_feature_and_Java_Applet.pdf


Interestingly enough, I got the idea of using a Java Applet to achieve the
attack described above after I bumped into the following from your
browser security handbook
(http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_Java):


"The ability to send same-origin HTTP requests using the browser stack
via the URLConnection API, with virtually no security controls,
including the ability to set Host headers, or insert conflicting caching
directives. On the upside, it appears that there is no ability to read
30x redirect bodies or httponly cookies from within applets".

After that, I thought a Java Applet could be quite handy when it comes to
forcing the browser to perform a non-standard/malformed HTTP request (e.g.
multiple Host: headers, which exploit the Apache feature mentioned above).

At the same time, I also realised that in my testing environment I was
using virtual hosts resolving to the same IP address. Following a
discussion with the Apache Security Team and after further research, I
found that the Java Applet could be used to control the cookie header
sent to a different domain...

But let's come back to your response - you mention a bug from
Stefano, but I am not aware whether it is the same bug or a different one.
When I contacted the vendor, they created a new ticket for the
bug and told me that it would be fixed with the next critical
patch release in October 2010. They didn't mention that anyone had
already reported an identical bug, as they normally do when
cross-referencing bug reports. Apologies in advance if this is a bug
Stefano or someone else reported before August 1st.

Furthermore, my testing was performed on the latest JRE version (build
1.6.0_21-b07), so I assumed (wrongly?) that all previous critical bugs
were fixed.

The main issue reported is related to the getRequestProperty('cookie')
property, which can be controlled by a Java Applet. This could lead to
leaking cookies to unauthorised domains, given that the attack is performed
between domains that resolve to the same IP address.

The fix provided by Oracle is that getRequestProperty('cookie') now
returns a 'Null' value and can no longer be controlled via the Java
Applet, even if the URLConnection class is used to perform a cross-site
request between domains that resolve to the same IP address. The fix
effectively mitigates the attack shown in the PoC but does not resolve
the behavior you mention:

"Two hosts are considered equivalent if both host names can be resolved
into the same IP addresses"

Unfortunately, the above statement is still enforced in Java Applets, as
the URLConnection class can be used to make a request between two
domains that resolve to the same IP address without a crossdomain.xml
policy.

In my advisory, I stated: "The Java Applet bypasses the Same-of-Origin
policy (SOP) as an unsigned Java Applet should not be able to
communicate from www.badsite.com to www.targetsite.net without a
crossdomain.xml".

According to the documentation/design, there is no SOP bypass, as both
hosts are considered equivalent. However, in practice, there is a SOP
bypass, as cookies can leak to an unauthorised domain.

Hope this sheds some light on this research ;-). Apologies if I didn't
explain the above well enough in the original advisory.

Cheers,

Roberto

Michal Zalewski wrote:
>> Security-Assessment.com follows responsible disclosure
>> and promptly contacted Oracle after discovering
>> the issue. Oracle was contacted on August 1,
>> 2010.
>>
>
> My understanding is that Stefano Di Paola of Minded Security reported
> this back in April; and further, the feature was a part of reasonably
> well-documented functionality of Java pretty much ever since:
>
> http://download.oracle.com/javase/6/docs/api/java/net/URL.html
>
> "Two hosts are considered equivalent if both host names can be
> resolved into the same IP addresses"
>
> This was a pretty horrible design, so it's good to see it gone, though.
>
> /mz
>

--
Roberto Suggi Liverani
Senior Security Consultant
Mob. +64 21 928 780
www.security-assessment.com



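The two origin rules the thread contrasts, as an added model that is not part of the original messages, the JRE's code or the advisory's PoC: the browser's DOM same-origin check (scheme, host name, port) beside the java.net.URL rule Michal quotes ("two hosts are considered equivalent if both host names can be resolved into the same IP addresses"), and, following Roberto's description, what an unsigned applet could then emit to a co-hosted vhost before the fix. The host names are the ones from the advisory text; the IP addresses and the in-memory resolver are constructed so the script runs offline, and `applet_request_permitted`/`applet_request` are this example's own simplification of the pre-fix applet behaviour described above, not the JRE's actual logic.

```python
"""Browser SOP vs. the java.net.URL IP-equivalence rule (constructed model)."""
from urllib.parse import urlsplit

# Constructed DNS table standing in for real resolution. Two unrelated
# vhosts share one address, as on any shared-hosting box; a third host
# sits on its own address. Addresses are documentation ranges, made up here.
DNS = {
    "www.badsite.com": {"203.0.113.10"},
    "www.targetsite.net": {"203.0.113.10"},
    "www.elsewhere.example": {"198.51.100.7"},
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def resolve(host):
    """Stand-in for InetAddress.getAllByName(): returns the set of IPs for a name."""
    if not host:
        return set()
    return DNS.get(host.lower(), set())


def origin(url):
    """Browser-style origin tuple: (scheme, host name, effective port)."""
    u = urlsplit(url)
    port = u.port if u.port is not None else DEFAULT_PORTS[u.scheme]
    return (u.scheme, u.hostname, port)


def browser_same_origin(a, b):
    """DOM same-origin policy: scheme, host name and port must all match.
    Two distinct vhosts on one IP are different origins here."""
    return origin(a) == origin(b)


def java_hosts_equivalent(a, b):
    """The java.net.URL rule quoted in the thread: host names are not compared,
    only the IP sets they resolve to. Unresolvable hosts are never equivalent."""
    ips_a = resolve(urlsplit(a).hostname)
    ips_b = resolve(urlsplit(b).hostname)
    return bool(ips_a) and ips_a == ips_b


def applet_request_permitted(applet_origin, target):
    """Modelled pre-fix applet check (assumption, not the JRE's code): a target
    whose host is IP-equivalent to the applet's origin is treated as same-origin,
    so no crossdomain.xml is consulted."""
    return java_hosts_equivalent(applet_origin, target)


def applet_request(applet_origin, target, extra_headers):
    """Model of what an unsigned applet could emit before the fix: the request
    is permitted only under the IP rule, and the applet-supplied headers
    (including Cookie) are passed through unchanged to the other vhost."""
    if not applet_request_permitted(applet_origin, target):
        raise PermissionError(f"{applet_origin} -> {target} blocked by IP rule")
    u = urlsplit(target)
    lines = [f"GET {u.path or '/'} HTTP/1.1", f"Host: {u.hostname}"]
    lines += [f"{name}: {value}" for name, value in extra_headers.items()]
    return "\r\n".join(lines)


if __name__ == "__main__":
    attacker = "http://www.badsite.com/evil.html"
    victim = "http://www.targetsite.net/account"
    print("browser SOP  :", browser_same_origin(attacker, victim))
    print("java IP rule :", java_hosts_equivalent(attacker, victim))
    print(applet_request(attacker, victim, {"Cookie": "session=attacker-chosen"}))
```

Running it shows the gap Roberto describes: the browser rejects www.badsite.com as an origin for www.targetsite.net, while the IP rule accepts it and the request reaches the target vhost carrying a Host: header for that vhost and a Cookie header the applet chose. Swapping the target for www.elsewhere.example, which has its own address, makes the modelled request raise PermissionError.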
Early Warning
2010-10-21 09:22:29 UTC
Hey,
Michal, thanks for the reply defending credits :).

I had some moderation issues when I tried to send some word about this.
Just for sake of clarification:
I sent the advisory to Oracle on 20th April 2010. Oracle acknowledged
the issue in June.

If Roberto sent the advisory to Oracle, then Oracle just didn't tell
him they already knew about it.
If Roberto just sent the issue to Apache, then no one's at fault. :)
Anyway, I hope credits will at least be shared between me and Roberto.

Cheers,
Stefano

2010/10/20 Michal Zalewski <***@coredump.cx>:
>> Security-Assessment.com follows responsible disclosure
>> and promptly contacted Oracle after discovering
>> the issue. Oracle was contacted on August 1,
>> 2010.
>
> My understanding is that Stefano Di Paola of Minded Security reported
> this back in April; and further, the feature was a part of reasonably
> well-documented functionality of Java pretty much ever since:
>
> http://download.oracle.com/javase/6/docs/api/java/net/URL.html
>
> "Two hosts are considered equivalent if both host names can be
> resolved into the same IP addresses"
>
> This was a pretty horrible design, so it's good to see it gone, though.
>
> /mz
>
>

Stefano Di Paola
2010-10-21 04:58:57 UTC
Hey all,
I think it's Oracle's bad.
I reported this issue to Oracle back on April 20th, and when Roberto
reported the same stuff in August, Oracle probably just said "Thank you" and
nothing more to Roberto.

Also, Oracle seems to give mass credit, so everyone can think that anyone
found anything among the 29 advisories :D
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

Anyway, I'll post the advisory clarification today :)

Cheers
Stefano


Il giorno mer, 20/10/2010 alle 08.58 -0700, Michal Zalewski ha scritto:
> > Security-Assessment.com follows responsible disclosure
> > and promptly contacted Oracle after discovering
> > the issue. Oracle was contacted on August 1,
> > 2010.
>
> My understanding is that Stefano Di Paola of Minded Security reported
> this back in April; and further, the feature was a part of reasonably
> well-documented functionality of Java pretty much ever since:
>
> http://download.oracle.com/javase/6/docs/api/java/net/URL.html
>
> "Two hosts are considered equivalent if both host names can be
> resolved into the same IP addresses"
>
> This was a pretty horrible design, so it's good to see it gone, though.
>
> /mz
>

