Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   


Try our Premium Alert Service
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service

Category:   Application (Generic)  >   Sun Java Application Server (Sun ONE) Vendors:   Sun
Sun Java 2 Micro Edition (J2ME) Lets Remote Users Bypass Sandbox Restrictions
SecurityTracker Alert ID:  1011898
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 22 2004
Impact:   Execution of arbitrary code via network, Root access via network
Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Sun Java 2 Micro Edition (J2ME). A remote user can create Java code that will bypass Java security mechanisms.

Adam Gowdiak reported that the Connected Limited Device Configuration (CLDC) implementation contains flaws in the K Virtual Machine (KVM) bytecode verifier. A remote user can bypass Java KVM sandbox security mechanisms and access operating system functions and data.

For example, a remote user can create malicious Java code that will retrieve data (e.g., phonebook list, SMS messages) from the phone, establish connections to the Internet, write to flash memory on the phone, install software, and modify operating system interprocess communications.

Mobile phones from Nokia, Siemens, Panasonic, Samsung, Motorola, and others may be affected.

More information is available in the author's presentation from the Hack in the Box conference:

Impact:   A remote user can bypass the Java KVM sandbox restrictions to take full control of the phone.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Java

Message History:   None.

 Source Message Contents

Subject:  [Full-Disclosure] J2ME security vulnerabilities

Hello all,

Since I received information from SUN Microsystems that they did not 
plan to release
Sun Alert for the issues I found in their CLDC [1] reference 
implementation, I would
like to announce the following.

I found two very serious security vulnerabilities in Java technology for 
devices (Java 2 Micro Edition) that might be affecting about 250 
millions [2] of
mobile phones  coming from Nokia, Siemens, Panasonic, Samsung, Motorola 
and others
[3]. Information about these flaws has been published at Hack In the Box 
Conference [4] earlier this month in Kuala Lumpur, Malaysia.

Both vulnerabilities are implementation flaws in bytecode verifier 
component of
KVM (Java Virtual Machine for mobile devices) developed by SUN 
Microsystems. Each
of the flaws can be used to completely break Java security (Java type 
and memory
safety) on a mobile device and to obtain access to the phone data and 
operating system's functionality.

I verified on my Nokia DCT4 phone that malicious code exploiting one of 
the flaws
can steal data from the phone (i.e. phonebook, SMS messages), establish 
with the Internet, send arbitrary SMS messages, write permanent memory 
of the phone
(FLASH), interfere with or intercept IPC communication occuring between 
native Nokia
OS tasks, install resident code on the phone. Any of the aforementioned 
actions can
be conducted without user knowledge and permission.

I would like to emphasize that although escaping the KVM sandbox and 
breaking Java
type and memory safety is almost straightforward, conducting malicious 
actions on
a given device is rather difficult as it usually requires deep knowledge 
about the
internal operation of the underlying OS (I spent four months reverse 
Nokia OS before I could do anything malicious from Java appplication on 
my phone).

I plan to release a research paper with all the details about the flaws 
into my
HITB talk, in a couple of months (1Q 2005).

Best Regards
Adam Gowdiak

Security Team of


Full-Disclosure - We believe in it.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, LLC