Exploitable Java functions

rook · Dec 2, 2010

This question is similar to Exploitable PHP Functions.

Tainted data comes from the user, or more specifically an attacker. When a tainted variable reaches a sink function, then you have a vulnerability. For instance a function that executes a sql query is a sink, and GET/POST variables are sources of taint.

What are all of the sink functions in the Java class library (for any flavor of Java)? I am looking for functions that introduce a vulnerability or software weakness. I am particularly interested in Remote Code Execution vulnerabilities. Are there whole classes/libraries that contain nasty functionality that a hacker would like to influence? How do people accidentally make dangerous Java code?

Answer

Sami Koivu · Dec 4, 2010

Here's a list based on my personal research into Client-side Java security in general, and using the Eclipse IDE to see which methods do SecurityManager checks.

ClassLoaders define classes (=arbitrary java code execution):

java.lang.ClassLoader.defineClass
java.net.URLClassLoader

= code execution

Java Beans Introspection may divert ClassLoaders into loading classes from an untrusted source (example vuln - cve-2010-1622)

java.beans.Introspector.getBeanInfo

= code execution

File access

java.io.File (constructor)
java.io.File.delete
java.io.File.renameTo
java.io.File.listFiles
java.io.File.list

= deleting/renaming files, directory listing

File stream/reader classes

java.io.FileInputStream
java.io.FileOutputStream
java.io.FileReader
java.io.FileWriter
java.io.RandomAccessFile

= File read/write access

Java System Properties

System.setProperty
System.getProperties
System.getProperty

= Some system properties might contain some information that's almost sensitive, and some system properties might alter the execution of critical stuff, I don't have examples, though

Loading native libraries

System.load
System.loadLibrary

= Arbitrary code execution

Executing operating system executables

Runtime.exec
ProcessBuilder (constructor)

Generating native system input events

java.awt.Robot.keyPress/keyRelease
java.awt.Robot.mouseMove/mousePress/mouseRelease

(Maybe far-fetched since a server might not even have a graphical environment)

Java reflection - accessing arbitrary (even private) fields and methods

java.lang.Class.getDeclaredMethod
java.lang.Class.getDeclaredField
java.lang.reflect.Method.invoke
java.lang.reflect.Field.set
java.lang.reflect.Field.get

= From disclosing sensitive information to eventual code execution, depending on the circumstances

Java scripting engine

javax.script.ScriptEngine.eval

= arbitrary code execution
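As an added illustration (not part of the answer above, nor from any project it names), here is the java.io.File constructor sink from the answer with a tainted file name reaching it, beside a hardened resolver that canonicalises and confines the path before the sink is touched; the temporary directory layout in main is constructed for the demo.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class FileSinkExample {
    // Vulnerable: the tainted name flows straight into the java.io.File constructor,
    // one of the sinks listed above. "../secret.txt" walks out of baseDir.
    static String readUnsafe(Path baseDir, String taintedName) throws IOException {
        File f = new File(baseDir.toFile(), taintedName);
        return new String(Files.readAllBytes(f.toPath()), StandardCharsets.UTF_8);
    }

    // Hardened: canonicalise both sides and reject anything that leaves baseDir
    // before the sink is reached. toRealPath() also follows symlinks, so a link
    // inside baseDir that points outside it is caught by the second check.
    static Path resolveSafely(Path baseDir, String taintedName) throws IOException {
        Path base = baseDir.toRealPath();
        Path candidate = base.resolve(taintedName).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes base directory: " + taintedName);
        }
        Path real = candidate.toRealPath(); // throws NoSuchFileException if absent
        if (!real.startsWith(base)) {
            throw new SecurityException("symlink escapes base directory: " + taintedName);
        }
        return real;
    }

    static String readSafe(Path baseDir, String taintedName) throws IOException {
        return new String(Files.readAllBytes(resolveSafely(baseDir, taintedName)), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a temp directory with one served file and one file just outside it.
        Path outer = Files.createTempDirectory("sink-demo");
        Path base = Files.createDirectories(outer.resolve("public"));
        Files.write(base.resolve("report.txt"), "hello".getBytes(StandardCharsets.UTF_8));
        Files.write(outer.resolve("secret.txt"), "private".getBytes(StandardCharsets.UTF_8));
        System.out.println("unsafe read of ../secret.txt -> " + readUnsafe(base, "../secret.txt"));
        String[] inputs = {"report.txt", "sub/../report.txt", "../secret.txt", "/etc/hostname"};
        for (String in : inputs) {
            try {
                System.out.println("ALLOW " + in + " -> " + readSafe(base, in));
            } catch (SecurityException | IOException e) {
                System.out.println("DENY  " + in + " (" + e.getClass().getSimpleName() + ": " + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first two inputs are allowed; the relative escape and the absolute path both fail the startsWith check before any File or Files call sees them.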