Comments on: Java JAR Attacks and Features

By: On GIFARs | SecurityGuy.org

On GIFARs | SecurityGuy.org — Fri, 07 Jan 2011 10:04:18 +0000

[...] that you can make a JAR look like many other file types. He is not alone in this observation; PDP has also been working on similar ideas. Now many websites allow you to upload specific types of [...]

By: Problemi seri per la nuova versione di Gmail | Gestione Documenti

Problemi seri per la nuova versione di Gmail | Gestione Documenti — Sat, 18 Sep 2010 14:01:10 +0000

[...] recente segnalazione su gnucitizen.org ha infine recentemente lanciato un nuovo allarme per gli utenti di Gmail. Secondo quanto riportato [...]

By: m

Tue, 03 Mar 2009 00:11:11 +0000

How many worthwhile targets are boxes that someone would be running a browser on at all?

Honestly, as far as I can tell, the most interesting thing here is that java will run stuff with strange extensions. Which could be interesting, seeing as Netscape will automatically download files that it doesn’t recognize an extension for.

No matter what, this seems to be worthless without some form of social engineering. And there are already plenty of nasty things you can do if you can get someone to point a browser at your website.

By: pdp

pdp — Mon, 26 Jan 2009 10:51:03 +0000

thanks, I will have a look.

By: Inferno

Inferno — Mon, 26 Jan 2009 03:53:11 +0000

Hi pdp,

I have found another server side fix for the GIFAR issue and also referenced this article at my blog
http://securethoughts.com/?p=35.

Thanks,
Inferno

By: Easy Server Side Fix for the GIFAR security issue « SecureThoughts.com - Inferno's Blog on Application Security

Sat, 24 Jan 2009 22:59:23 +0000

[...] The GIFAR issue was found by security researchers Billy Rios and Nate Mcfeters. To summarize the exploit, an attacker uploads a malicious image with embedded jar content on a target domain. This malicious image opens in any image viewer correctly and so it bypasses any content validation engine used by a web application. Then an attacker references this malicious image in the applet code on his or her evil site, establishing a cross-domain communication channel with the target domain. This attack is very serious because it breaks the Same Origin Policy principle. Also, this problem is not just confined to images, it is applicable to other file types such as doc, etc. Another great writeup on Jar File Issues is on pdp’s blog. [...]

By: My Black Hat Talk | GNUCITIZEN

My Black Hat Talk | GNUCITIZEN — Wed, 10 Sep 2008 10:03:40 +0000

[...] in-depth techniques based on some of the research I presented on Black Hat Amsterdam, such as the JPG + JAR evil combo. If you are interested in client-side security issues you might want to attend these talks [...]

By: More on GIFARS and Other Dangerous Attacks | GNUCITIZEN

More on GIFARS and Other Dangerous Attacks | GNUCITIZEN — Sun, 03 Aug 2008 16:40:59 +0000

[...] to a persistent XSS plus the socket issue I’ve briefly covered in my previous post and my initial post from a year ago. And you don’t have to use the combo trick. All the attacker needs to do is [...]

By: GIFARs and Other Issues | GNUCITIZEN

GIFARs and Other Issues | GNUCITIZEN — Sun, 03 Aug 2008 15:20:17 +0000

[...] (especially reporters) about the GIFAR attack since it resembles what I have already spoked about here and presented at the last Black Hat in Amsterdam. So, I decided to shed some light without being [...]

By: Security and the Net · GIFAR updates

Security and the Net · GIFAR updates — Sun, 03 Aug 2008 09:54:01 +0000

[...] John Hesman provides some more details. He also notes that this is not entirely new. One thing he does mention that really scares me is this: It turns out that when an applet makes an [...]

By: ymajoros

ymajoros — Mon, 02 Jun 2008 10:10:44 +0000

No one seems to have noticed Dave’s feedback. If you base your security on ip addresses… well… I know many people do just that, but it still is quite stupid. An IP address is an attribute of some machine on a network, which is quite different from a secure credential identifying some user. There could be a lot of users behind the same IP, a user could use multiple computers from different locations and still should have legit access… So, it isn’t a safe, secure and flexible way of identifying users.

By: pdp

pdp — Tue, 11 Mar 2008 07:04:20 +0000

Mihai, none of the libraries that I’ve tested which check whether an uploaded blob is a valid issue has detected the malicious JAR attached. This is the fact. But if you don’t believe me, go and do some experiments on your own.

I think that you misunderstood the post.

By: Mihai

Mihai — Tue, 11 Mar 2008 02:28:29 +0000

I think you missed the point that bug made. The friggin’ applet still executes within the client. It doesn’t suddenly acquire server priviledges. You’d have to spawn a virtual machine on the server machine and have a class run in it, that’s the kind of support your applet would need in order to poke around. Yeah, they talk about that on the web — if an applet requires connecting to something other than its originating host, some process on the server must help it. You’re confusing some unrelated concepts here.

If you seem to think that this upload-then-run-me issue is some sort of an Achile’s heel, well, it is not. Simple sanitizing techniques in your file uploading should do the trick. Check out the bugtraq lists every now and then.

By: Problemi seri per la nuova versione di Gmail « BROKER DIGITALE

Problemi seri per la nuova versione di Gmail « BROKER DIGITALE — Wed, 21 Nov 2007 17:04:11 +0000

[...] recente segnalazione su gnucitizen.org ha infine recentemente lanciato un nuovo allarme per gli utenti di Gmail. Secondo quanto riportato [...]

By: vaj

vaj — Thu, 15 Nov 2007 01:43:00 +0000

bug, noone cares about hacking the individual server. Web 2.0 services are distributed, the attack surface is vast. get with the times, ./grandpa (-;

By: justpassingthrough

justpassingthrough — Wed, 14 Nov 2007 23:11:02 +0000

Gah. Apparently your board supports html.
was the proper snippet.

By: justpassingthrough

justpassingthrough — Wed, 14 Nov 2007 23:08:09 +0000

So, therefore, all you have to do to exploit is get someone to load a malicious page with , since codebase takes priority? This seems a little too good to be true.

By: Amped Freestyle Snowboarding » Java JAR Attacks and Features

Amped Freestyle Snowboarding » Java JAR Attacks and Features — Wed, 14 Nov 2007 16:47:31 +0000

[...] Jetpacks wrote an engrossing place today onHere’s a hurried excerptWhile activity with the JAR prescript for Firefox (here and here), I also did whatever enquiry on the artefact Java handles jars, as well. To my surprise, the Java runtime seems to posses whatever rattling engrossing features which haw easily be … [...]

By: pdp

pdp — Wed, 14 Nov 2007 13:56:24 +0000

Applets are not allowed to open network connections to any computer, except for the host that provided the .class files. This is either the host where the html page came from, or the host specified in the codebase parameter in the applet tag, with codebase taking precendence. Applet Security

By: Bug

Bug — Wed, 14 Nov 2007 13:52:29 +0000

This is utter rubbish, you can’t learn anything about the server (the jar is executed on the client NOT the server. If the applet did try and probe the server from the client, you couldn’t learn anything you could more simply learn by just running a port scanning tool) and the Java sand-box stops the applet on the client machine probing the client machine.

If you are suggesting you get someone on the server side to run the applet, whoopie do, the applet still can’t pass that information on as it can’t connect to anything other than itself.

I’m sorry, this is total nonsense.