Java thing

[BesigedB]

Well, I've raised quite a stir here without really checking it out.

Could someone please post a proof-of-concept java applet that reads a value from the registry and passes it onto some javascript, heck you can see the code used by the person in the first post here.

[pablissimo]

I'd have thought the applet would have to have been both signed and accepted to be run on your machine, something you're asked every time an applet tries to run that requires any kind of external contact (ex. jIRC trying to use sockets) unless your secutiry level is on Low, and if it is you deserve to get burned.

Is this not what the whole sandboxing thing it designed to prevent? I've looked at that thread but it seems improbable at best... I'll investigate though, sounds interesting

[BesigedB]

You could just decompile *link removed*

if you need the .class unfortunatly i didnt save it

[pablissimo]

Is that confirmed to work or is it hoaxy material?

And I've got the classes out, decompiling now

[BesigedB]

its not confirmed either way

[pablissimo]

I'd want some kind of view on this from MT or Megla before I start posting code from this if it is indeed an exploit, there seems to be a class hidden within the file in the form of a byte array which is created at runtime, I'll give decoding that a go but want to see where we stand with posting bits like...

[MT]

Full disclosure mate, go for it ... I'm intrigued to see whether Sun's sandbox is so easily broken tbh.

[meglamaniac]

Yep go right ahead.
If it IS an exploit then they're commiting theft anyway (by stealing the keys without which UT is pretty much worthless) so what're they going to do? Sue? I think not.

[pablissimo]

The hidden class doesn't fit into one message here =/ So I'll try asciifying it and posting the code...

[BesigedB]

Quote:

Originally posted by What about Bob
DaZeD, while in a perfect world what you say is true, the fact of the matter is there are flawed java machine implementations out there. I decompiled the unreal.jar file and guess what? It takes advantage of a flaw in the MS JVM to elevate it's privledge level so that it CAN read from the registry. What I am not sure of is whether this uses one of the holes that was plugged in the recent JVM update from MS or if it uses one of the other 6 holes that were reported but not fixed. I'll have to wait until later tonight to do some real world testing to see if this works on the patched JVM or not.

If anyone from Epic wants the decompiled code just let me know but I am not going to post it here.

[pablissimo]

Quote:

Originally posted by BesigedB

Tis what I was about to post =//

It basically just tells the VM that it is, in the words of the code, 'fullyTrusted' =/

[Structural Integrity]

I always believed that the browser also was a form of security to protect the filesystem when running applet. Hence why applets cannot acces files. Or is this different with registry keys?

[BesigedB]

Quote:

Originally posted by pablissimo
Tis what I was about to post =//

It basically just tells the VM that it is, in the words of the code, 'fullyTrusted' =/

does it even bypass the settings if you disabled java?

[pablissimo]

Quote:

Originally posted by BesigedB
does it even bypass the settings if you disabled java?

If you've totally disabled Java, the applet won't run so the code won't work, I hope. Though it seems that whatever security settings you're using it'll work if Java is enabled

[BesigedB]

thats fab, they deleted the thread

[pablissimo]

Attention: Due to recent forum load increases we are requiring you to register in order to view the forums. Registration is Free! Click Here to register.

[BesigedB]

they moved it to a hidden forum

[pablissimo]

=/

Still, was an interesting little journey

[BesigedB]

and proves that you shouldnt trust the MS JRE. Does the sun varient operate under IE?

[W]

Microsoft's concept of "sandboxing" is "don't tell the user how it works"

http://www.microsoft.com/technet/tre...n/MS02-069.asp

[BesigedB]

Quote:

A vulnerability that could enable an attacker to construct an URL that, when parsed, would load a Java applet from one web site but misrepresent it as belonging to another web site. The result would be that the attacker’s applet would run in the other site’s domain. Any information the user provided to it could be relayed back to the attacker.

so im safe