When Java was originally created, it was built to run everything, including the web. Because of this, security protections had to be in place to ensure that valid (non-corrupted) code was being uploaded/executed in the web browser.
In terms of security protections, there were three main items put in place:
- Access Checker: Checks access flags for fields, classes and methods.
- Verifier: Verifies that the classes have legal bytecode.
- Security Manager: Prohibits actions like accessing the file system.
In Java, there is a validation check to ensure that classes are allowed to inherit from each other. But there is a special class in Java called Reflection, which can examine or modify the behavior of classes and interfaces at runtime. Naturally, it has to bypass all of the security mechanisms in order to do this. The Security Manager bans the usage of this API on the web too.
To prevent the complete abuse of this API, the class was made private and only accessible by sun.reflect packages. So, what is the issue? Well, we can use a class that extends the reflection API. Now, we can bypass all access controls for class usage and extension :)
From this, it was possible to trivially bypass the other two security mechanisms and run invalid Java code. However, this bypass only worked in versions prior to Java 8 because of some package reorganization.
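
A defender-side check for the pattern described above, as an added example that is not code from the original page: a small class-file parser that reads the superclass of an untrusted class and flags it when that superclass lives under `sun/reflect/`. The function names, `RESTRICTED_PREFIXES`, and the constructed sample class `Sample` with the made-up superclass `sun/reflect/ExampleAccessor` are assumptions for illustration.

```python
import struct

# Bytes following the tag for each fixed-size constant-pool entry (JVM class-file format).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
RESTRICTED_PREFIXES = ("sun/reflect/",)  # package named in the text above

def superclass_name(data):
    """Return the superclass's internal name (e.g. 'java/lang/Object'), or None."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    try:
        (count,) = struct.unpack_from(">H", data, 8)
        pool, pos, idx = {}, 10, 1
        while idx < count:
            tag = data[pos]
            pos += 1
            if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
                (n,) = struct.unpack_from(">H", data, pos)
                pool[idx] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
                pos += 2 + n
            else:
                if tag == 7:  # CONSTANT_Class: u2 index of its Utf8 name
                    pool[idx] = struct.unpack_from(">H", data, pos)[0]
                pos += _FIXED[tag]  # KeyError on an unknown tag
                if tag in (5, 6):  # long/double occupy two pool slots
                    idx += 1
            idx += 1
        _, _, super_idx = struct.unpack_from(">HHH", data, pos)  # flags, this, super
        if super_idx == 0:  # only java/lang/Object has no superclass
            return None
        name = pool[pool[super_idx]]
    except (struct.error, IndexError, KeyError, TypeError) as exc:
        raise ValueError("malformed class file") from exc
    if not isinstance(name, str):
        raise ValueError("super_class does not resolve to a name")
    return name

def extends_restricted(data):
    """True if the class directly extends something in a restricted package."""
    return (superclass_name(data) or "").startswith(RESTRICTED_PREFIXES)

def build_sample(super_name):
    """Constructed class-file prefix (header, 4-entry pool, class indices)."""
    def utf8(s):
        return b"\x01" + struct.pack(">H", len(s)) + s.encode("ascii")
    pool = utf8("Sample") + b"\x07\x00\x01" + utf8(super_name) + b"\x07\x00\x03"
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 51, 5)
    return header + pool + struct.pack(">HHH", 0x0021, 2, 4)
```

The check only looks at the direct superclass, so it is a triage signal for code submitted to a sandbox rather than a replacement for the Verifier or the Security Manager.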