[SE-2014-02] Google App Engine Java security sandbox bypasses (Issue- 42)

From: Security Explorations <contact@security-explorations.com>
To: bugtraq@securityfocus.com,fulldisclosure@seclists.org
Subject: [SE-2014-02] Google App Engine Java security sandbox bypasses (Issue- 42)

Hello All,

Oracle Critical Patch Update released yesterday incorporates a fix
for a Java SE 7 vulnerability (Issue 42) that was discovered while
investigating security of Google App Engine. Its technical details
and a POC code can be found at the following address:


Issue 42 is caused by improper initialization of interface method
slots in a HotSpot VM. As a result, protected instance methods can
be successfully used as interface methods. This violates the Java
Virtual Machine Language Specification [1], which states that "if
the selected method is not public, invokeinterface should throw an

GAE weakens standard Java security model by allowing custom Class
Loaders. In order to protect against direct exploitation of this
"feature", access to defineClass methods of java.lang.ClassLoader
class and it subclasses is restricted in Google environment [2].
Issue 42 can be used to directly invoke such methods with the use
of interfaces. As a result, user provided classes can be defined
outside of a GAE Class Sweeper sandbox and Java security manager
can be completely turned off.

It's also worth to note that in Mar 2015, Google indicated that it
"has other mitigations in place that prevent Issue 21 [1+ years
old JRE with 100+ unpatched security vulnerabilities] from being
exploitable". This is the second time we show these mitigations are
not working as intended [3]. What is however more interesting is
that rather mediocre Java SE issue can be successfully exploited
in a straightforward way in GAE environment, just because Google
has chosen to "tweak" a standard Java security model a little bit.

Thank you.

Best Regards,
Adam Gowdiak

Security Explorations
"We bring security research to the new level"

[1] The Java Virtual Machine Specification, Java SE 7 Edition
[2] "Google App Engine Java security sandbox bypasses", technical report
[3] Proof of Concept Code for Issue 21 (POC23)

Copyright © 1995-2020 LinuxRocket.net. All rights reserved.