Difference between revisions of "Mobile code: non-final public field"

From OWASP
Jump to: navigation, search
 
(2 intermediate revisions by one user not shown)
Line 3: Line 3:
 
<br>
 
<br>
 
[[Category:OWASP ASDR Project]]
 
[[Category:OWASP ASDR Project]]
[[ASDR Table of Contents]]
 
  
 +
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 
==Description==
 
==Description==
Line 52: Line 53:
 
* http://www.fortifysoftware.com/vulncat/ - Unsafe Mobile Code: Public finalize() Method
 
* http://www.fortifysoftware.com/vulncat/ - Unsafe Mobile Code: Public finalize() Method
  
 +
[[Category:FIXME|the last two links are the same]]
  
 
[[Category:Abuse of Functionality]]
 
[[Category:Abuse of Functionality]]
 
[[Category:Attack]]
 
[[Category:Attack]]

Latest revision as of 06:45, 23 April 2009

This is an Attack. To view all attacks, please see the Attack Category page.




Last revision (mm/dd/yy): 04/23/2009

Description

This attack aims to manipulate non-final public variables used in mobile code, by injecting malicious values on it, mostly in Java and C++ applications.

When a public member variable or class used in mobile code isn’t declared as final, its values can be maliciously manipulated by any function that has access to it in order to extend the application code or acquire critical information about the application.

Risk Factors

TBD

Examples

A Java applet from a certain application is acquired and subverted by an attacker. Then, he makes the victim accept and run a Trojan or malicious code that was prepared to manipulate non-final objects’ state and behavior. This code is instantiated and executed continuously using default JVM on the victim’s machine. When the victim invokes the Java applet from the original application using the same JVM, the malicious process could be mixed with original applet, thus it modifies values of non-final objects and executes under victim’s credentials.

In the following example, the class “any_class” is declared as final and “server_addr” variable is not:

public final class any_class extends class_Applet {
public URL server_addr;
…
}

In this case, the value of “server_addr” variable could be set by any other function that has access to it, thus changing the application behavior. A proper way to declare this variable is:

public class any_class extends class_Applet {
public final URL server_addr;
…
}

When a variable is declared as final its value cannot be modified.

Related Threat Agents

TBD

Related Attacks

Related Vulnerabilities

Related Controls

References