view.getClass().forName('java.lang.Runtime'). - 2010 - Ruxcon

More documents

Recommendations

Info

CVE-2010-1622Incorrect usage of Beans API exposesorg.apache.catalina.loader.WebAppClassloader’sURL paths:class.classLoader.URLs[0]=file:///tmp/Overridden path isn’t used to resolve classesBut Jasper (Apache’s JSP engine) uses overridenpaths to resolve JSP tag libraries (TLD)Thursday, November 25, 2010
CVE-2010-1622Two problems:How do we execute code using TLD file?How do we suppy attacker controlled TLD remotely?Thursday, November 25, 2010
Page 1 and 2: Milking a horseorexecuting remote c
Page 3 and 4: kumys is a fermented dairy productt
Page 5 and 6: Thursday, November 25, 2010...back
Page 7 and 8: Plain old servletpublic class MySer
Page 9 and 10: Problemsa lot of verbose boilerplat
Page 11 and 12: user code complexityframework code
Page 13 and 14: How secure are these Java framework
Page 15 and 16: ApproachUse IDE (e.g. IntelliJ IDEA
Page 17 and 18: Look at how frameworkimplements its
Page 19 and 20: Nifty featuresRich taglibrary (e.g.
Page 21 and 22: Nifty featuresuser.address.city = B
Page 23 and 24: HTTP parameters == OGNL statementsW
Page 25 and 26: CVE-2010-1870Based on my previous b
Page 27 and 28: XW-641('\u0023' + 'session[\'user\'
Page 29 and 30: XW-641('\u0023' + 'session[\'user\'
Page 31 and 32: CVE-2010-1870There are actually mor
Page 33 and 34: CVE-2010-1870#context[‘xwork.Meth
Page 35 and 36: CVE-2010-1870 exploit#_memberAccess
Page 41 and 42: CVE-2010-1870 fix2.2.1 fixes vulner
Page 43 and 44: SpringSpring MVC is Spring’s web
Page 45 and 46: BeanInfo getBeanInfo(Class beanClas
Page 47 and 48: Introspector.getBeanInfo(Person);fi
Page 49: Introspector.getBeanInfo(Person);fi
Page 53 and 54: InputTag.tagThursday, November 25,
Page 55 and 56: CVE-2010-1622 exploitDownload org.s
Page 57 and 58: Thursday, November 25, 2010JBoss Se
Page 59 and 60: JBoss SeamCombines EJB3 with JSFPOJ
Page 61 and 62: CVE-2010-1871Special HTTP parameter
Page 63 and 64: CVE-2010-1871Special HTTP parameter
Page 65 and 66: CVE-2010-1871 exploitHow to execute
Page 67 and 68: CVE-2010-1871 exploitview.getClass.
Page 69 and 70: CVE-2010-1871 exploitview.getClass.
Page 71 and 72: CVE-2010-1871 exploitTo call java.l
Page 73 and 74: How do we get method’s index?/sea
Page 75 and 76: CVE-2010-1871 exploitMethod for Run
Page 77 and 78: CVE-2010-1871 exploit/seam-booking/
Page 79 and 80: Thursday, November 25, 2010
Page 83 and 84: What’s Java security manager?Sing
Page 85 and 86: Thursday, November 25, 2010Are you
Page 87 and 88: Why is nobody’s using it?Thursday
Page 89 and 90: Problems (cont.)Support for privile
Page 91 and 92: How do we solve these?*Thursday, No
Page 93 and 94: ProsWill address some of the perfor
Page 95 and 96: Where’s the code?Alpha version wi

view.getClass().forName('java.lang.Runtime'). - 2010 - Ruxcon

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?