#1 | 3 Mar 2003, 17:04 | Darling | Join Date: Dec 2000 | Location: Edinburgh | Posts: 890
Java applet allowed registry access?
Well, I've raised quite a stir here without really checking it out.
Could someone please post a proof-of-concept Java applet that reads a value from the registry and passes it on to some JavaScript? Heck, you can see the code used by the person in the first post here.
Last edited by BesigedB; 3 Mar 2003 at 19:38.

#2 | 3 Mar 2003, 18:12 | Henry Kelly | Join Date: Apr 2000 | Posts: 7,374
I'd have thought the applet would have to have been both signed and accepted to be run on your machine, something you're asked every time an applet tries to run that requires any kind of external contact (e.g. jIRC trying to use sockets), unless your security level is on Low, and if it is you deserve to get burned.
Is this not what the whole sandboxing thing is designed to prevent? I've looked at that thread but it seems improbable at best... I'll investigate though, sounds interesting.
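The sandbox model described in the post above, as an added example written for this page (it is not code from the thread, from the decompiled applet, or from any JVM vendor): in a correctly built JVM, whether code may touch the registry-backed java.util.prefs store is decided by the permissions of its ProtectionDomain (code source, signers, policy), never by anything the code declares about itself. The example assumes a JDK that still ships the SecurityManager (8 to 17; on 18 and later it must be started with -Djava.security.manager=allow), and the preference key name is a constructed placeholder.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.prefs.Preferences;

/**
 * Added example: the same Preferences read is attempted twice, once from
 * trusted application code and once under the permissions an unsigned applet
 * is supposed to get. Only the domain's permissions decide the outcome.
 */
public class AppletSandboxDemo {

    /** Permissions of an unsigned applet for this purpose: none at all. */
    private static final AccessControlContext UNTRUSTED = new AccessControlContext(
            new ProtectionDomain[] {
                // Two-argument constructor => static permissions; Policy is not consulted for
                // this domain, so the empty Permissions object is the whole story.
                new ProtectionDomain(new CodeSource(null, (Certificate[]) null), new Permissions())
            });

    /** Reads a key from the user Preferences root while running under the given context. */
    public static String readPreferenceAs(AccessControlContext ctx, String key) {
        PrivilegedAction<String> action = () -> Preferences.userRoot().get(key, "<absent>");
        try {
            // doPrivileged with a context intersects the caller's permissions with ctx's,
            // so the UNTRUSTED domain limits everything below it on the stack.
            return AccessController.doPrivileged(action, ctx);
        } catch (SecurityException e) {
            // Preferences.userRoot() checks RuntimePermission("preferences") and refuses.
            return "DENIED: " + e.getMessage();
        }
    }

    /** Installs a policy that trusts application code and a SecurityManager to enforce it. */
    public static void installSandbox() {
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true; // application code on the classpath gets everything
            }
        });
        System.setSecurityManager(new SecurityManager());
    }

    public static void main(String[] args) {
        installSandbox();
        String key = "demo.key"; // constructed placeholder, not a key from the thread
        // Trusted caller: the read goes through.
        System.out.println("trusted:   " + readPreferenceAs(AccessController.getContext(), key));
        // Untrusted caller: denied before the store is ever opened.
        System.out.println("untrusted: " + readPreferenceAs(UNTRUSTED, key));
    }
}
```

The point of running both calls from the same class is that nothing about the code changes between them; the denial comes purely from the ProtectionDomain in the context. A JVM in which a class can simply assert that it is trusted has no such domain check at all.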

#3 | 3 Mar 2003, 18:13 | Darling | Join Date: Dec 2000 | Location: Edinburgh | Posts: 890
You could just decompile *link removed*
if you need the .class; unfortunately I didn't save it.
Last edited by BesigedB; 4 Mar 2003 at 08:50.

#4 | 3 Mar 2003, 18:20 | Henry Kelly | Join Date: Apr 2000 | Posts: 7,374
Is that confirmed to work or is it hoaxy material?
And I've got the classes out, decompiling now.

#5 | 3 Mar 2003, 18:28 | Darling | Join Date: Dec 2000 | Location: Edinburgh | Posts: 890
It's not confirmed either way.

#6 | 3 Mar 2003, 18:42 | Henry Kelly | Join Date: Apr 2000 | Posts: 7,374
I'd want some kind of view on this from MT or Megla before I start posting code from this if it is indeed an exploit. There seems to be a class hidden within the file in the form of a byte array which is created at runtime; I'll give decoding that a go but want to see where we stand with posting bits like...

#7 | 3 Mar 2003, 18:44 | /dev/zero, Retired Mod | Join Date: May 2000 | Posts: 415
Full disclosure mate, go for it ... I'm intrigued to see whether Sun's sandbox is so easily broken tbh.
__________________
#linux : Home of Genius
<idimmu> ok i was chained to a desk with this oriental dude

#8 | 3 Mar 2003, 18:47 | Born Sinful | Join Date: Nov 2000 | Location: Loughborough, UK | Posts: 4,059
Yep, go right ahead.
If it IS an exploit then they're committing theft anyway (by stealing the keys without which UT is pretty much worthless), so what're they going to do? Sue? I think not.
__________________
Worth dying for. Worth killing for. Worth going to hell for. Amen.

#9 | 3 Mar 2003, 18:48 | Henry Kelly | Join Date: Apr 2000 | Posts: 7,374
The hidden class doesn't fit into one message here =/ So I'll try asciifying it and posting the code...

#10 | 3 Mar 2003, 19:04 | Darling | Join Date: Dec 2000 | Location: Edinburgh | Posts: 890
Quote:
Originally posted by What about Bob
DaZeD, while in a perfect world what you say is true, the fact of the matter is there are flawed Java machine implementations out there. I decompiled the unreal.jar file and guess what? It takes advantage of a flaw in the MS JVM to elevate its privilege level so that it CAN read from the registry. What I am not sure of is whether this uses one of the holes that was plugged in the recent JVM update from MS or if it uses one of the other 6 holes that were reported but not fixed. I'll have to wait until later tonight to do some real-world testing to see if this works on the patched JVM or not.
If anyone from Epic wants the decompiled code just let me know, but I am not going to post it here.

#11 | 3 Mar 2003, 19:10 | Henry Kelly | Join Date: Apr 2000 | Posts: 7,374
Quote:
Originally posted by BesigedB
Tis what I was about to post =//
It basically just tells the VM that it is, in the words of the code, 'fullyTrusted' =/

#12 | 3 Mar 2003, 19:12 | Rawr rawr | Join Date: Dec 2000 | Location: Upside down | Posts: 5,300
I always believed that the browser was also a form of security to protect the filesystem when running applets. Hence why applets cannot access files. Or is this different with registry keys?

#13 | 3 Mar 2003, 19:12 | Darling | Join Date: Dec 2000 | Location: Edinburgh | Posts: 890
Quote:
Originally posted by pablissimo
Tis what I was about to post =//
It basically just tells the VM that it is, in the words of the code, 'fullyTrusted' =/

Does it even bypass the settings if you disabled Java?

#14 | 3 Mar 2003, 19:19 | Henry Kelly | Join Date: Apr 2000 | Posts: 7,374
Quote:
Originally posted by BesigedB
Does it even bypass the settings if you disabled Java?

If you've totally disabled Java, the applet won't run so the code won't work, I hope. Though it seems that whatever security settings you're using, it'll work if Java is enabled.

#15 | 3 Mar 2003, 20:16 | Darling | Join Date: Dec 2000 | Location: Edinburgh | Posts: 890
That's fab, they deleted the thread.

#16 | 3 Mar 2003, 20:22 | Henry Kelly | Join Date: Apr 2000 | Posts: 7,374
Attention: Due to recent forum load increases we are requiring you to register in order to view the forums. Registration is Free! Click Here to register.

#17 | 3 Mar 2003, 20:25 | Darling | Join Date: Dec 2000 | Location: Edinburgh | Posts: 890
They moved it to a hidden forum.

#18 | 3 Mar 2003, 20:31 | Henry Kelly | Join Date: Apr 2000 | Posts: 7,374
=/
Still, was an interesting little journey.

#19 | 3 Mar 2003, 20:33 | Darling | Join Date: Dec 2000 | Location: Edinburgh | Posts: 890
And proves that you shouldn't trust the MS JRE. Does the Sun variant operate under IE?

#20 | 3 Mar 2003, 20:34 | Gubbish | Join Date: Sep 2000 | Location: #FoW | Posts: 2,323
Microsoft's concept of "sandboxing" is "don't tell the user how it works"

#21 | 3 Mar 2003, 20:45 | Guest

#22 | 3 Mar 2003, 20:50 | Darling | Join Date: Dec 2000 | Location: Edinburgh | Posts: 890
Quote:
A vulnerability that could enable an attacker to construct an URL that, when parsed, would load a Java applet from one web site but misrepresent it as belonging to another web site. The result would be that the attacker’s applet would run in the other site’s domain. Any information the user provided to it could be relayed back to the attacker.

So I'm safe.