Why do we care? Well, unlike DNS pinning with Flash sockets, we can actually make request to ports less than 1024 and additionally, Java provides us with a huge set of libraries for doing everything from communicating with database servers to communicating with RMI servers.
Interestingly enough, a recent post by the NGS guys that was on seclists detailed how this was vulnerable in another way, which appeared to not have to rely on a new load of the JVM. Here's a comment from that post:
By specifying a codebase URI prefixed by "verbatim:" it is possible to
load an applet from a remote location but have the browser plugin believe
it has been loaded from the local host. This allows an untrusted applet
to connect to and attempt to exploit network services running on the local
host. It should be noted that unlike binary sockets in Flash 9, an applet
can connect to any port, not just those greater than 1024.
At the time of reporting this issue, NGS provided Sun with a demonstration
applet that exploited MS06-040 ("Vulnerability in Server Service could
allow remote code execution") on a vulnerable XP SP1 system.
Fortunately for all of us who have Java installed on our systems, this has now been patched by Sun, but I find it interesting that Java has its own URIs that it respects, like the verbatim: URI. Very interesting indeed.
Interesting. And we can use UDP too, on Java.
ReplyDeleteSounds like a cool presentation, but Malaysia's a bit far to travel :) Anyway, is this an updated (and implimented) varient of what Josh Soref hypothisized in 2003?
ReplyDeletehttp://viper.haque.net/~timeless/blog/11/
It's hard to get the complete picture from only the slides.
I've had a few too many drinks tonight to read that article completely, but I think this is something quite different. What we've effectively done is cached an applet for the JVM at natemcfeters.com. Then we simply load a new JVM (say with a different browser through firefoxurl:// or something similar) or kill the current JVM and hope that they will load a new one. Prior to this happening, we've obviously changed the IP address for natemcfeters.com.
ReplyDeleteThe NGS attack is even more interesting since it is a URI that actually convinces the JVM to load an applet without, apparently, the Same Origin Policy restrictions.
The attack used in our presentation makes use of the xs-sniper tool, which is an advanced xss proxy (hopefully Billy will release it soon). Basically in the attack example it allows us to interact through javascript to the the applet code we've loaded on the victim's machine, which has been DNS rebound. So, we can do anything Java can at that point.
Malaysia was a long way away, but I definitely recommend the HITB conference to all researchers. It was a great time for Billy and I. Got to meet Phiber Optik, Emmanuel Goldstein, Window Snyder, etc. A lot of fun. Also, haggling with the locals for fake watches can be fun too.
Great work guys.
ReplyDeleteIt's really interesting, I will study more about it.
Thanks.
Hi guys, great work!
ReplyDeleteWas the xs-sniper tool release yet? I could not find it anywhere. It would be great to have for POCs/Demos/Presentations for my company. (If you want, I'd sign an NDA)
Thanks.
Btw. the KL HITB talk was also really great and eye-opening, enjoyed it very much (saw the video)
[...] at Hack in the Box Malaysia in 2007 on how this pinning could be broken. There’s a nice excerpt on Billy’s XS-Sniper blog, which I used to post on, that covers the subject in depth. The basics of it were as [...]
ReplyDelete[...] this attack, but if you want to see more on it view my previous post in this series, as well as an article I posted on Billy’s XS-Sniper blog. What’s important to recognize is what they attack accomplished. [...]
ReplyDelete