
Mobile code: non-final public field

From OWASP

Revision as of 17:14, 5 November 2007

This is an Attack. To view all attacks, please see the Attack Category page.


Description

This attack manipulates non-final public variables used in mobile code by injecting malicious values into them, mostly in Java and C++ applications.

When a public member variable or class used in mobile code is not declared final, its value can be maliciously manipulated by any function that has access to it, either to extend the application code or to acquire critical information about the application.

Severity

Medium to High

Likelihood of exploitation

Low

Examples

A Java applet from a certain application is acquired and subverted by an attacker. The attacker then makes the victim accept and run a Trojan or other malicious code prepared to manipulate the state and behavior of non-final objects. This code is instantiated and executed continuously using the default JVM on the victim's machine. When the victim invokes the Java applet from the original application using the same JVM, the malicious process can be mixed with the original applet, so it modifies the values of non-final objects and executes under the victim's credentials.

In the following example, the class "any_class" is declared final but the "server_addr" field is not:

    import java.net.URL;

    public final class any_class extends class_Applet {
        // Public and non-final: any code holding a reference to an
        // any_class instance can reassign this field at will.
        public URL server_addr;
        …
    }

In this case, the value of the "server_addr" field could be set by any other function that has access to it, thus changing the application behavior. A proper way to declare this variable is:

    import java.net.URL;

    public class any_class extends class_Applet {
        // Final: the reference must be assigned exactly once, here in the
        // constructor, and cannot be reassigned afterwards.
        public final URL server_addr;

        public any_class(URL addr) {
            server_addr = addr;
        }
        …
    }

When a variable is declared final, its value cannot be reassigned once it has been initialized. Note that final fixes only the reference: if the object it points to is itself mutable, its internal state can still be changed through that object's own methods, so the field's type should be immutable (or the field should be private with no setter) for the protection to be complete.
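The following is an added, self-contained Java example (not code from the OWASP page) that puts the vulnerable and the hardened declaration side by side and adds a small reflection-based audit that lists the public, non-final instance fields of a class, which is the check a reviewer would run over mobile code before shipping it. The class names `VulnerableApplet`, `HardenedApplet` and `NonFinalFieldAudit`, and the URL values used, are constructed for this example; the hardened class uses a private final field with a read-only accessor rather than the page's public final field, which is a stricter form of the same fix.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;

// Vulnerable shape described on the page: a public, non-final field that any
// code running in the same JVM and holding a reference can reassign.
class VulnerableApplet {
    public URL server_addr;

    VulnerableApplet(URL addr) {
        server_addr = addr;
    }
}

// Hardened shape: the reference is fixed at construction, validated once, and
// exposed read-only. java.net.URL carries no public mutators, so the value the
// applet connects to cannot be changed after construction.
final class HardenedApplet {
    private final URL serverAddr;

    HardenedApplet(URL addr) {
        if (addr == null) {
            throw new IllegalArgumentException("server address is required");
        }
        this.serverAddr = addr;
    }

    public URL getServerAddr() {
        return serverAddr;
    }
}

public class NonFinalFieldAudit {

    // Returns every public, non-final, non-static field declared by the class.
    // Each entry is a field that any caller with a reference can silently
    // overwrite; an empty list means the class exposes no such field.
    static List<String> mutablePublicFields(Class<?> c) {
        List<String> findings = new ArrayList<>();
        for (Field f : c.getDeclaredFields()) {
            int m = f.getModifiers();
            if (Modifier.isPublic(m) && !Modifier.isFinal(m) && !Modifier.isStatic(m)) {
                findings.add(c.getSimpleName() + "." + f.getName() + " : " + f.getType().getSimpleName());
            }
        }
        return findings;
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed sample values; not real endpoints.
        URL original = new URL("https://example.invalid/app");
        URL other = new URL("https://example.invalid/elsewhere");

        VulnerableApplet v = new VulnerableApplet(original);
        v.server_addr = other;              // compiles and succeeds: nothing stops it
        System.out.println("vulnerable field now: " + v.server_addr);

        HardenedApplet h = new HardenedApplet(original);
        // h.serverAddr = other;            // would not compile: private and final
        System.out.println("hardened field stays: " + h.getServerAddr());

        System.out.println("audit VulnerableApplet: " + mutablePublicFields(VulnerableApplet.class));
        System.out.println("audit HardenedApplet:   " + mutablePublicFields(HardenedApplet.class));
    }
}
```

Running the class prints the reassigned value for the vulnerable field, the unchanged value for the hardened one, one finding (`VulnerableApplet.server_addr : URL`) for the vulnerable class and an empty list for the hardened class. The same `mutablePublicFields` routine can be pointed at any loaded class to produce a quick inventory of fields that CWE-493 is concerned with.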

External References

http://cwe.mitre.org/data/definitions/493.html – Mobile Code: non-final public field

http://www.fortifysoftware.com/vulncat/ – Unsafe Mobile Code: Access Violation

http://www.fortifysoftware.com/vulncat/ – Unsafe Mobile Code: Public finalize() Method

Related Threats

Category: Logical Attacks

Related Attacks

Mobile code: invoking untrusted mobile code

Mobile code: object hijack

Related Vulnerabilities

Category: Unsafe Mobile Code

Related Countermeasures

Category: Access Control

Categories

Category: Attack

Category: Resource Manipulation

Category: Abuse of Functionality

Category: Exploitation of Privilege/Trust