Mobile code: object hijack
Revision as of 17:16, 5 November 2007
This is an Attack. To view all attacks, please see the Attack Category page.
Description
This attack is a technique for creating objects without invoking their constructors, by taking advantage of the clone() method in Java-based applications.
If a class implements Cloneable with a public clone() method, but has no public constructor and is not declared final, it can be extended by a new class, and objects of it can be created through clone() alone.
Implementing Cloneable signals that clone() is supported and functions correctly. A cloned object has the same attribute values as the original object, but the two objects are independent.
Severity
Medium to High
Likelihood of exploitation
Medium
Examples
In this example, a public class BankAccount implements Cloneable and declares a public method Object clone(String accountnumber):
 public class BankAccount implements Cloneable {
     private String accountnumber;

     // No public constructor: instances are obtained through clone()
     protected BankAccount(String accountnumber) {
         this.accountnumber = accountnumber;
     }

     public Object clone(String accountnumber) throws CloneNotSupportedException {
         Object returnMe = new BankAccount(accountnumber);
         // …
         return returnMe;
     }
 }
An attacker can implement a malicious public class that extends the parent BankAccount class, as follows:
 public class MaliciousBankAccount extends BankAccount implements Cloneable {
     // Chains to the non-public parent constructor so the subclass compiles
     protected MaliciousBankAccount(String accountnumber) {
         super(accountnumber);
     }

     public Object clone(String accountnumber) throws CloneNotSupportedException {
         Object returnMe = super.clone(); // Object.clone(): no constructor runs
         // …
         return returnMe;
     }
 }
A Java applet from a certain application is acquired and subverted by an attacker. The attacker then makes the victim accept and run a Trojan or other malicious code prepared to manipulate objects' state and behavior. This code is instantiated and executed continuously using the default JVM on the victim's machine. When the victim invokes the Java applet from the original application using the same JVM, the attacker clones the class, manipulates the attribute values, and then substitutes the malicious object for the original one.
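The following added example is not code from the OWASP page; it makes the two points of the Description concrete in plain Java. A call to clone() yields a second live object without the constructor ever running, so any invariant the constructor enforces (here, a non-negative balance) is bypassed on the copy, while a class declared final with a final clone() that throws CloneNotSupportedException cannot be copied or extended at all, which is the matching countermeasure. The names Account, HardenedAccount and CloneDemo and the account numbers and balances are constructed for illustration.

```java
// Added example, not code from the OWASP page. Class names and sample
// values are constructed for illustration.
import java.util.concurrent.atomic.AtomicInteger;

// Vulnerable shape: non-final class, Cloneable, non-public constructor that
// enforces an invariant (balance >= 0) which clone() silently bypasses.
class Account implements Cloneable {
    static final AtomicInteger CONSTRUCTOR_CALLS = new AtomicInteger();
    protected String accountNumber;
    protected long balance;

    protected Account(String accountNumber, long balance) {
        if (balance < 0) {
            throw new IllegalArgumentException("negative balance");
        }
        CONSTRUCTOR_CALLS.incrementAndGet();
        this.accountNumber = accountNumber;
        this.balance = balance;
    }

    @Override
    public Object clone() throws CloneNotSupportedException {
        // Object.clone() copies the fields; no constructor runs.
        return super.clone();
    }

    long getBalance() { return balance; }
}

// Hardened shape: final class (cannot be extended) and a final clone() that
// refuses to copy, so no subclass or caller can obtain an instance that did
// not pass through the constructor.
final class HardenedAccount {
    private final String accountNumber;
    private final long balance;

    HardenedAccount(String accountNumber, long balance) {
        if (balance < 0) {
            throw new IllegalArgumentException("negative balance");
        }
        this.accountNumber = accountNumber;
        this.balance = balance;
    }

    @Override
    protected final Object clone() throws CloneNotSupportedException {
        throw new CloneNotSupportedException("HardenedAccount is not cloneable");
    }

    long getBalance() { return balance; }
}

public class CloneDemo {
    public static void main(String[] args) throws Exception {
        Account original = new Account("ACC-0001", 100L);  // constructed value
        Account copy = (Account) original.clone();

        // Two live objects, but the constructor ran only once.
        System.out.println("constructor calls: " + Account.CONSTRUCTOR_CALLS.get());

        // The copy is independent of the original, and the constructor's
        // balance check is never re-applied to it.
        copy.balance = -500L;
        System.out.println("original balance: " + original.getBalance());
        System.out.println("copy balance:     " + copy.getBalance());

        // The hardened class cannot be cloned at all.
        HardenedAccount hardened = new HardenedAccount("ACC-0002", 100L);
        try {
            hardened.clone();
        } catch (CloneNotSupportedException e) {
            System.out.println("hardened: " + e.getMessage());
        }
    }
}
```

Compile and run with javac CloneDemo.java followed by java CloneDemo. The first line reports a single constructor call although two Account objects exist, which is the gap the Description refers to: the copy has the original's attribute values but is a separate object, and nothing the constructor checked is re-checked for it. HardenedAccount closes that gap on both axes the page names, being final so it cannot be extended, and refusing clone() so no instance can be produced outside its constructor.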
External References
http://cwe.mitre.org/data/definitions/491.html - Mobile Code: Object Hijack
http://www.fortifysoftware.com/vulncat/ - Object Model Violation: Erroneous clone() Method
Related Threats
Category: Logical Attacks
Related Attacks
Mobile code: invoking untrusted mobile code
Mobile code: non-final public field
Related Vulnerabilities
Category: Unsafe Mobile Code
Related Countermeasures
Category: Session Management