This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Mobile code: object hijack"

From OWASP
Jump to: navigation, search
 
(14 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
{{Template:Attack}}
 
{{Template:Attack}}
 +
<br>
 +
[[Category:OWASP ASDR Project]]
 +
 +
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 +
  
 
==Description==
 
==Description==
 +
This attack consists of a technique to create objects without constructors’ methods by taking advantage of the clone() method of Java-based applications.
 +
 +
If a certain class implements cloneable() method declared as public, but doesn’t has a public constructor method nor is declared as final, it is possible to extend it into a new class and create objects using the clone() method.
 +
 +
The clonable() method certifies that the clone() method functions correctly. A cloned object has the same attributes (variables values) of the original object, but the objects are independent.
 +
 +
==Risk Factors==
 +
TBD
 +
 +
==Examples==
 +
In this example, a public class “BankAccount” implements the clonable() method which declares “Object clone(string accountnumber)”:
 +
 +
public class BankAccount implements Cloneable{
 +
public Object clone(String accountnumber) throws                                                                                                 
 +
CloneNotSupportedException
 +
      {
 +
      Object returnMe = new BankAccount(account number);
 +
      …
 +
      }
 +
}
 +
 +
An attacker can implement a malicious public class that extends the parent BankAccount class, as follows:
  
==Examples ==
+
public class MaliciousBankAccount extends BankAccount implements 
 +
                                                      Cloneable{
 +
public Object clone(String accountnumber) throws CloneNotSupportedException
 +
              {
 +
                Object returnMe = super.clone();
 +
                …
 +
              }
 +
}
  
==Related Threats==
+
A Java applet from a certain application is acquired and subverted by an attacker. Then, he makes the victim accept and run a [[Trojan Horse|Trojan]] or malicious code that was prepared to manipulate objects’ state and behavior. This code is instantiated and executed continuously using default JVM on victim’s machine. When the victim invokes the Java applet from the original application using the same JVM, then the attacker clones the class, he manipulates the attributes values, and then substitutes the original object for the malicious one.
  
==Related Attacks==
+
==Related [[Threat Agents]]==
 +
* TBD
  
==Related Vulnerabilities==
+
==Related [[Attacks]]==
 +
* [[Mobile code: invoking untrusted mobile code]]
 +
* [[Mobile code: non-final public field]]
  
==Related Countermeasures==
+
==Related [[Vulnerabilities]]==
 +
* [[:Category: Unsafe Mobile Code]]
  
==Categories==
+
==Related [[Controls]]==
 +
* [[:Category: Session Management]]
  
{{Template:Stub}}
+
==References==
 +
* http://cwe.mitre.org/data/definitions/491.html - Mobile Code: Object Hijack
 +
* http://www.fortifysoftware.com/vulncat/ - Object Model Violation: Erroneous clone() Method
  
[[Category:Malicious Code Attack]]
 
  
[[Technology:Applet]]
+
[[Category:Abuse of Functionality]]
 +
[[Category:Attack]]

Latest revision as of 11:45, 23 April 2009

This is an Attack. To view all attacks, please see the Attack Category page.



Last revision (mm/dd/yy): 04/23/2009


Description

This attack consists of a technique to create objects without constructors’ methods by taking advantage of the clone() method of Java-based applications.

If a certain class implements cloneable() method declared as public, but doesn’t has a public constructor method nor is declared as final, it is possible to extend it into a new class and create objects using the clone() method.

The clonable() method certifies that the clone() method functions correctly. A cloned object has the same attributes (variables values) of the original object, but the objects are independent.

Risk Factors

TBD

Examples

In this example, a public class “BankAccount” implements the clonable() method which declares “Object clone(string accountnumber)”:

public class BankAccount implements Cloneable{
public Object clone(String accountnumber) throws                                                                                                  
CloneNotSupportedException
     {
      Object returnMe = new BankAccount(account number);
      …
     }
}

An attacker can implement a malicious public class that extends the parent BankAccount class, as follows:

public class MaliciousBankAccount extends BankAccount implements   
                                                      Cloneable{
public Object clone(String accountnumber) throws CloneNotSupportedException 
              {
               Object returnMe = super.clone();
               …
              }
}

A Java applet from a certain application is acquired and subverted by an attacker. Then, he makes the victim accept and run a Trojan or malicious code that was prepared to manipulate objects’ state and behavior. This code is instantiated and executed continuously using default JVM on victim’s machine. When the victim invokes the Java applet from the original application using the same JVM, then the attacker clones the class, he manipulates the attributes values, and then substitutes the original object for the malicious one.

Related Threat Agents

  • TBD

Related Attacks

Related Vulnerabilities

Related Controls

References