Comments on: Java JAR Attacks and Features

By: More on GIFARS and Other Dangerous Attacks | GNUCITIZEN

More on GIFARS and Other Dangerous Attacks | GNUCITIZEN — Sun, 03 Aug 2008 16:40:59 +0000

[...] to a persistent XSS plus the socket issue I’ve briefly covered in my previous post and my initial post from a year ago. And you don’t have to use the combo trick. All the attacker needs to do is [...]

By: GIFARs and Other Issues | GNUCITIZEN

GIFARs and Other Issues | GNUCITIZEN — Sun, 03 Aug 2008 15:20:17 +0000

[...] (especially reporters) about the GIFAR attack since it resembles what I have already spoked about here and presented at the last Black Hat in Amsterdam. So, I decided to shed some light without being [...]

By: Security and the Net · GIFAR updates

Security and the Net · GIFAR updates — Sun, 03 Aug 2008 09:54:01 +0000

[...] John Hesman provides some more details. He also notes that this is not entirely new. One thing he does mention that really scares me is this: It turns out that when an applet makes an [...]

By: ymajoros

ymajoros — Mon, 02 Jun 2008 10:10:44 +0000

No one seems to have noticed Dave’s feedback. If you base your security on ip addresses… well… I know many people do just that, but it still is quite stupid. An IP address is an attribute of some machine on a network, which is quite different from a secure credential identifying some user. There could be a lot of users behind the same IP, a user could use multiple computers from different locations and still should have legit access… So, it isn’t a safe, secure and flexible way of identifying users.

By: pdp

pdp — Tue, 11 Mar 2008 07:04:20 +0000

Mihai, none of the libraries that I’ve tested which check whether an uploaded blob is a valid issue has detected the malicious JAR attached. This is the fact. But if you don’t believe me, go and do some experiments on your own.

I think that you misunderstood the post.

By: Mihai

Mihai — Tue, 11 Mar 2008 02:28:29 +0000

I think you missed the point that bug made. The friggin’ applet still executes within the client. It doesn’t suddenly acquire server priviledges. You’d have to spawn a virtual machine on the server machine and have a class run in it, that’s the kind of support your applet would need in order to poke around. Yeah, they talk about that on the web — if an applet requires connecting to something other than its originating host, some process on the server must help it. You’re confusing some unrelated concepts here.

If you seem to think that this upload-then-run-me issue is some sort of an Achile’s heel, well, it is not. Simple sanitizing techniques in your file uploading should do the trick. Check out the bugtraq lists every now and then.

By: Problemi seri per la nuova versione di Gmail « BROKER DIGITALE

Problemi seri per la nuova versione di Gmail « BROKER DIGITALE — Wed, 21 Nov 2007 17:04:11 +0000

[...] recente segnalazione su gnucitizen.org ha infine recentemente lanciato un nuovo allarme per gli utenti di Gmail. Secondo quanto riportato [...]

By: vaj

vaj — Thu, 15 Nov 2007 01:43:00 +0000

bug, noone cares about hacking the individual server. Web 2.0 services are distributed, the attack surface is vast. get with the times, ./grandpa (-;

By: justpassingthrough

justpassingthrough — Wed, 14 Nov 2007 23:11:02 +0000

Gah. Apparently your board supports html.
was the proper snippet.

By: justpassingthrough

justpassingthrough — Wed, 14 Nov 2007 23:08:09 +0000

So, therefore, all you have to do to exploit is get someone to load a malicious page with , since codebase takes priority? This seems a little too good to be true.

By: Amped Freestyle Snowboarding » Java JAR Attacks and Features

Amped Freestyle Snowboarding » Java JAR Attacks and Features — Wed, 14 Nov 2007 16:47:31 +0000

[...] Jetpacks wrote an engrossing place today onHere’s a hurried excerptWhile activity with the JAR prescript for Firefox (here and here), I also did whatever enquiry on the artefact Java handles jars, as well. To my surprise, the Java runtime seems to posses whatever rattling engrossing features which haw easily be … [...]

By: pdp

pdp — Wed, 14 Nov 2007 13:56:24 +0000

Applets are not allowed to open network connections to any computer, except for the host that provided the .class files. This is either the host where the html page came from, or the host specified in the codebase parameter in the applet tag, with codebase taking precendence. Applet Security

By: Bug

Bug — Wed, 14 Nov 2007 13:52:29 +0000

This is utter rubbish, you can’t learn anything about the server (the jar is executed on the client NOT the server. If the applet did try and probe the server from the client, you couldn’t learn anything you could more simply learn by just running a port scanning tool) and the Java sand-box stops the applet on the client machine probing the client machine.

If you are suggesting you get someone on the server side to run the applet, whoopie do, the applet still can’t pass that information on as it can’t connect to anything other than itself.

I’m sorry, this is total nonsense.

By: pdp

pdp — Wed, 14 Nov 2007 13:44:56 +0000

btw, RobW, I’ve certainly seen setups like that. However, I am not saying that this is the ultimate attack vector. I am saying that it is something to keep in mind. I mean, forging TCP is a hard job on its own but it does not mean that no one has ever used the attack vector in the past.

By: pdp

pdp — Wed, 14 Nov 2007 13:42:25 +0000

flipper, you don’t load the applet from the an HTML inside the JAR. you should load it from an external page.

RobW, you’ve got it wrong. I will get back with a working example as soon as I get some of my other stuff on track.

The technique is very simple. It is all described in the post above.

By: RobW

RobW — Wed, 14 Nov 2007 10:28:51 +0000

The only interesting thing here is that it seems like Java will accept JAR files ending in “.jpg”… is that right? You didn’t say that explicitly, so I’m unsure.

As far as an attack vector, it’s very weak (as you mentioned) — it would require a server that outside users can upload files to, but which ALSO has some valuable services unprotected against internal users. I’ve certainly never seen a setup anything like that. It’s common sense… a public-facing webserver, PARTICULARLY if you allow uploads of files that it then hosts! — is occasionally vulnerable to flaws in PHP, your CMS, Apache, etc. etc., so you’d never put your important private company data on it, and you’d also never give it free access to the rest of your internal network (which is implied if your internal users can access it freely, which you require).

So if someone actually has the exact setup you need, I’ll bet there are much simpler ways to crack them than tricking a user to visiting your custom-built applet page!

Last thing: what did you mean by this? “As I side note, the same technique can be used to trick application into running arbitrary Java classes.”

By: flipper

flipper — Wed, 14 Nov 2007 10:08:43 +0000

pdp, i tried to figure out how this works?
i was playing with a jar applet embeded in a jpeg imageg (copy /b…all of that) but in a IMG tag call from html file..nothing happens. I thing there must be a way of triggering the applet, but it doesnt seem to be an easy task at all..in case that’s even possible.
Thank you.

By: pdp

pdp — Wed, 14 Nov 2007 06:35:35 +0000

vaj, read the post again! I’ve put it quite clearly there!

By: vaj

vaj — Wed, 14 Nov 2007 00:40:23 +0000

so you say that if i send user a web page with link to

http://10.0.0.1/level/15/exec/-/configure/-/banner/motd/xssworm.com

and there is cisco router on 10.0.0.1 and cisco router has http bug, user can deliver payload to internal vulnerable IP ? heheh no news here (-;

IF #2 - tricking the user into visiting the malicious resource

what is a ‘user’ ? what is a ‘visit’ to a resource? rss embed into everything. internet pushing and pulling now. vista desktop make ‘visit’ on behalf of user and follow links and submit cookie and ‘click’ things. so does igoogle rojo netvibe yahoo live and more.

link embedded in any page gets ‘clicks’ from automatic spiders and bots

browser have widget to precache favorite page or predictive surf and restore session. we have tracking cookie and token everywhere that persist across many domain. user computer is clicking on links all day long without interaction therefore xss is important vector for delivery of serious hacking pdp!

By: Dave

Dave — Mon, 12 Nov 2007 12:33:00 +0000

The flaw here is not really with Java but rather with insecure Firewall configuration / insecure permission models.

If you trust machines on your local network then you had better make sure that those machines are secure. Better yet, don’t use any sort if IP address based security model. IP addresses can be spoofed or even stolen and hence don’t make for good authentication.