Object hijack

 
  • Description

This attack is a technique for creating objects without running their constructors, by taking advantage of the clone() method available to every Java class.

If a class implements the Cloneable interface and exposes a public clone() method, or is simply not declared final, it is possible to extend it with a new class and create instances through clone() even when the class has no public constructor. Object.clone() makes a field-by-field copy of an existing instance and never invokes a constructor, so any validation, authorization check or instance accounting that the constructor performs is bypassed. The only thing the subclass needs is a constructor it can reach (protected or package-private) to obtain the first instance; every further instance can then be manufactured with clone().

The Cloneable interface is a marker that tells Object.clone() it may copy instances of the class; without it, Object.clone() throws CloneNotSupportedException. A cloned object has the same attribute values (the same field contents) as the original, but it is a distinct object. Note that the copy is shallow: fields that reference mutable objects point to the same objects in the original and in the clone.
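The following self-contained program, added here as an example and not taken from the original page, shows the mechanism described above. The classes SessionToken, HijackedToken, GuardedToken and HijackedGuardedToken are hypothetical names chosen for the demonstration: SessionToken is not final and validates and counts instances only in its protected constructor, so an attacker-written subclass that implements Cloneable can mint a second instance with clone() and the constructor never runs. GuardedToken shows the fix for a class that must remain extensible: a final clone() that always refuses, which a subclass can neither override nor bypass.

```java
import java.util.concurrent.atomic.AtomicInteger;

/* Hypothetical target: the constructor is the only place where the owner is
 * validated and where instances are counted. The class is not final, so an
 * attacker can subclass it (the protected constructor is reachable from a
 * subclass, but not from outside code). */
class SessionToken {
    static final AtomicInteger CONSTRUCTED = new AtomicInteger();
    private final String owner;

    protected SessionToken(String owner) {
        if (owner == null || owner.isEmpty()) {
            throw new SecurityException("owner is required");
        }
        this.owner = owner;
        CONSTRUCTED.incrementAndGet();
    }

    public String getOwner() { return owner; }
}

/* Attacker-controlled subclass. Implementing Cloneable makes Object.clone()
 * accept instances of this runtime class; the public override only widens
 * access. Object.clone() copies every field and runs no constructor. */
class HijackedToken extends SessionToken implements Cloneable {
    HijackedToken(String owner) { super(owner); }

    @Override
    public HijackedToken clone() {
        try {
            return (HijackedToken) super.clone();   // no constructor is invoked here
        } catch (CloneNotSupportedException e) {
            throw new AssertionError(e);
        }
    }
}

/* Hardened variant for a class that must stay extensible: a final clone()
 * that always refuses. A subclass may still declare "implements Cloneable",
 * but it can neither override clone() nor reach Object.clone() around it. */
class GuardedToken {
    private final String owner;

    protected GuardedToken(String owner) {
        if (owner == null || owner.isEmpty()) {
            throw new SecurityException("owner is required");
        }
        this.owner = owner;
    }

    public String getOwner() { return owner; }

    @Override
    protected final Object clone() throws CloneNotSupportedException {
        throw new CloneNotSupportedException("GuardedToken instances are not cloneable");
    }
}

class HijackedGuardedToken extends GuardedToken implements Cloneable {
    HijackedGuardedToken(String owner) { super(owner); }

    // The final clone() cannot be overridden; the best the subclass can do is call it.
    public Object tryClone() throws CloneNotSupportedException {
        return clone();
    }
}

public class ObjectHijackDemo {
    public static void main(String[] args) {
        HijackedToken first = new HijackedToken("alice");   // constructor runs once
        HijackedToken copy = first.clone();                 // second instance, constructor skipped

        System.out.println("constructor ran " + SessionToken.CONSTRUCTED.get()
                + " time(s); distinct objects: " + (first != copy)
                + "; cloned owner: " + copy.getOwner());

        try {
            new HijackedGuardedToken("alice").tryClone();
            System.out.println("guarded clone unexpectedly succeeded");
        } catch (CloneNotSupportedException e) {
            System.out.println("guarded clone refused: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ObjectHijackDemo.java && java ObjectHijackDemo`. The first line of output reports that the constructor ran once although two distinct SessionToken instances exist; the second reports that the guarded class refuses to be cloned. Declaring the class final is the simpler fix when extensibility is not required, and it also closes the subclassing route entirely.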

  • Severity

Medium to High

  • Likelihood of exploitation

Medium


  • Examples

    A Java applet from a certain application is obtained and subverted by an attacker. The attacker then gets the victim to accept and run a Trojan or other malicious code prepared to manipulate the state and behaviour of non-final objects. This code is instantiated and kept running in the default JVM on the victim's machine. When the victim later invokes the Java applet from the original application in the same JVM, the malicious process can interact with the original applet, modify the values of its non-final objects and execute with the victim's credentials.

    In the following example, the class "any_class" is declared final but the "server_addr" variable is not:

    public final class any_class extends class_Applet {
        public URL server_addr;
        …
    }
    

    In this case, the value of "server_addr" can be reassigned by any code that holds a reference to the object, changing the application's behaviour. A better way to declare the variable is to make it final and assign it exactly once, in the constructor:

    public final class any_class extends class_Applet {
        public final URL server_addr;

        public any_class(URL addr) {
            server_addr = addr;   // a final field must be assigned exactly once
        }
        …
    }
    

    When a variable is declared final, the reference it holds cannot be reassigned after initialization. This does not make the referenced object immutable: java.net.URL happens to be immutable, but a final field of a mutable type still allows its contents to be changed, so sensitive fields should also be private and exposed without setters.