Using Java from Javascript

idoruVIDEOSOFT.NET.UY
Date: Tue Apr 01 2003 - 19:46:26 CST


Opera and Netscape browsers allow you to include Java method calls in
your JavaScript. As JavaScript has support for objects, you can use
objects returned by these calls in your scripts.
I have been looking for information about the possible security
implications (and published vulnerabilities) that this could have, but
have found nothing. Doing some tests by myself, this is what I have found.

Opera 6.01

If you use Opera 6.01 you can make calls to the Java exec function, which
executes the command line passed to it. This means you can execute any
program. Here is a small demonstration:
http://usuarios.lycos.es/idoru/petaopera.html

The second link executes the Windows calculator. The first link executes
verifier.exe, a W2000/XP program, causing a buffer overflow in it
(W2000 server is full of command line buffer overflows). This means that
by just visiting a webpage (a malicious site or a post in a forum) code can
be executed on your machine with user privileges.
Besides, playing with sockets from JavaScript you can obtain the local IP
address with
var host=java.net.InetAddress.getLocalHost();

and use it to connect to an arbitrary local TCP port on your IP. If you
are connected to a LAN, you can connect to every socket on your LAN
interface. This means that by viewing some post in a forum, a script can
connect to a port on your PC and send and receive data (as classes like
InputDataStram can be used as well). A new type of cross-site scripting
focused on exploiting vulnerable services.
An example can be found here; the connection to port 139 can be tracked with
netstat (before closing the browser):
http://usuarios.lycos.es/idoru/sockets.html

Opera 7.02 and Netscape 7.02

Both browsers don't allow Java calls to certain methods. Well,
they are allowed but they return null. You can't execute exec or delete,
just methods like java.io.File.exists() or java.io.File.list(), but you can
still use sockets.
Fortunately, I wasn't able to retrieve an IP different from
localhost when the script is executed on the server, but it works fine if
you email the webpage, establishing the connection with port 139. Just
open the attached file and click the link. I don't know if there is an
alternative method of retrieving a visitor's IP address from Java or
JavaScript, but if there is, this can be exploitable via webpage.

Regards,

David F.Madrid,
Madrid, Spain
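
An added example, not part of the original post: a static check a defender could run over page markup to flag the Java-from-JavaScript references the post describes, grouped by what they reach. The function names, capability labels and sample page are constructed for illustration; `Packages.` is the other LiveConnect prefix and is not mentioned in the post.

```javascript
// Capability groups are this example's own labels for the classes the post names.
const CAPABILITIES = [
  { label: "process-execution", pattern: /^java\.lang\.Runtime\b/ },
  { label: "network",           pattern: /^java\.net\./ },
  { label: "filesystem",        pattern: /^java\.io\.File\b/ },
];

// Collect the text a browser would run as script: <script> bodies,
// javascript: URLs in href/src, and inline on* event handlers.
function extractScriptText(html) {
  const chunks = [];
  const patterns = [
    /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi,
    /\b(?:href|src)\s*=\s*(["'])\s*javascript:([\s\S]*?)\1/gi,
    /\bon[a-z]+\s*=\s*(["'])([\s\S]*?)\1/gi,
  ];
  for (const re of patterns) {
    // The script text is always the last capture group of each pattern.
    for (const m of html.matchAll(re)) chunks.push(m[m.length - 1]);
  }
  return chunks;
}

// Return every java.* reference found in script context, with its capability group.
function findLiveConnectCalls(html) {
  const findings = [];
  const ref = /\b(?:Packages\.)?(java\.[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)/g;
  for (const chunk of extractScriptText(html)) {
    for (const m of chunk.matchAll(ref)) {
      const hit = CAPABILITIES.find((c) => c.pattern.test(m[1]));
      findings.push({ ref: m[1], capability: hit ? hit.label : "other-java" });
    }
  }
  return findings;
}

// Constructed sample page (not the post's demo pages); cmd is a placeholder variable.
const SAMPLE_PAGE = `
<html><body>
<a href="javascript:java.lang.Runtime.getRuntime().exec(cmd)">link</a>
<script>
var host=java.net.InetAddress.getLocalHost();
var s = new java.net.Socket(host, 139);
</script>
<p>Plain text mentioning java.io.File is not script and is ignored.</p>
</body></html>`;

for (const f of findLiveConnectCalls(SAMPLE_PAGE)) console.log(f.capability, f.ref);
```

Static matching only sees literal references, so an empty result is inconclusive for script that builds these names at run time.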
