  1. River (Retired)
  2. RIVER-205

LookupDiscovery can give untrusted code access to privileged threads

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • None
    • River_2.1.2
    • net_jini_discovery
    • Security Level: Security risk, visible to anyone (Issues identified as security risk but for which a patch is available)
    • None
    • 6357961

    Description

      Bugtraq ID 6357961
      LookupDiscovery uses a TaskManager and WakeupManager instance which it may retrieve from a Configuration object that is passed to it at construction time. Some tasks that it generates using these utilities (DecodeAnnouncementTask, UnicastDiscoveryTask) are done within a thread with raised privileges. If the TaskManager and WakeupManager need to spawn threads to dispatch the task, they will be spawned with the same security context as the privileged thread. Untrusted code can construct a LookupDiscovery instance with a Configuration object that returns TaskManager and WakeupManager instances that it has a handle to. It can then add new tasks (using, say, a dynamic proxy or other trusted code) to its TaskManager and WakeupManager instances, which get executed with the security context of the privileged LookupDiscovery thread.

      Also note that the LookupDiscovery thread which generates the tasks retains the DomainCombiner that was present at the time of instantiation, so there is the theoretical possibility of exploiting, say, the JAAS Subject if the combiner were a SubjectDomainCombiner.

      Suggested Fix:
      LookupDiscovery should restore the security context (that it snapshots at instantiation time) before it adds tasks to TaskManager and WakeupManager. We need to ensure that existing operations within those tasks do not need elevated privilege. If they do, those operations may be performed in doPrivileged blocks.
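
The context-restoring pattern described in the suggested fix, as an added Java sketch; it is not River code and not the contents of the attached patch. `ContextRestoringSubmitter` is a hypothetical name, a plain `java.util.concurrent.Executor` stands in for the caller-supplied TaskManager/WakeupManager, and a runtime with the Java security manager model in effect is assumed.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.concurrent.Executor;

/**
 * Hypothetical helper (not River code): hands tasks to a caller-supplied
 * executor under the security context captured at construction time.
 */
public final class ContextRestoringSubmitter {
    // Snapshot of the constructing caller's context; must be taken on the
    // caller's thread, before any internal privileged thread is involved.
    private final AccessControlContext callerContext = AccessController.getContext();
    private final Executor callerSupplied; // stand-in for TaskManager/WakeupManager

    public ContextRestoringSubmitter(Executor callerSupplied) {
        this.callerSupplied = callerSupplied;
    }

    /** Safe to call from an internal thread that runs with raised privileges. */
    public void submit(final Runnable task) {
        // Confine the task body too, so it runs under the snapshot even when
        // the executor dispatches it on a thread that already exists.
        final Runnable confined = () ->
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                task.run();
                return null;
            }, callerContext);

        // A thread created inside execute() inherits the context that is
        // current at creation time, so enter the snapshot before calling
        // into code the caller controls.
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            callerSupplied.execute(confined);
            return null;
        }, callerContext);
    }
}
```

With the two-argument `doPrivileged`, the effective permissions are the intersection of this class's protection domain and the snapshot, so an operation inside a task that needs more than the constructing caller had must be wrapped in its own narrow `doPrivileged` block, as the description notes.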

      Attachments

        1. RIVER-205-215.patch
          5 kB
          Thomas Vinod Johnson

            People

              vinodjohnson Thomas Vinod Johnson
              rjmann Ronald Mann