lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 02 Apr 2003 04:08:25 +0200
From: "David F. Madrid" <conde0@...efonica.net>
To: bugtraq@...urityfocus.com
Subject: Java and Javascript




Opera and Netscape browsers allow you to include java methods calls in your 
javascript .
  As Javascript has support for objects you can use objects returned by 
these calls in your scripts .

I have been looking for information about the possibly security 
implications ( and vulnerabilities
published ) that this could have , but have found nothing . Doing some test 
by myself this is but
I have found .

Opera 6.01

If you use Opera 6.01 you can make calls to Java exec function , which 
executes the command
line passed to it . This means you can execute any program . Here is a 
small demonstration

http://usuarios.lycos.es/idoru/petaopera.html

The second link executes windows calculator . The first link executes 
verifier.exe , a W2000/XP
program , causing a buffer overflow in it ( W2000 server is full of command 
line buffer overflows ),
this means that just visiting a webpage ( a malicious site or a post in a 
forum ) code can be
executed in your machine with user priviliges .

Besides , playing with sockets from javascript you can obtain the local Ip 
address with

var host=java.net.InetAddress.getLocalHost();

and use it to connect to an arbitrary local tcp port on your IP . If you 
are connected to a LAN ,
you can connect with every socket in your LAN interface.This means that 
with viewing some
post in a forum , a script can connect to a port on your PC and send and 
recieve data ( as
classes like InputDataStram can be used as well ). A new type of cross site 
scripting focused
in exploiting vulnerable services .

An example can be found here , connection to port 139 can be tracked with 
netstat ( before
closing the browser )

http://usuarios.lycos.es/idoru/sockets.html


Opera 7.02 and Netscape 7.02

Both browsers don´t allow to make java calls to determinate methods . Well 
, are allowed
  by they return a null . You can`t execute exec or delete , just methods 
like java.io.File.exists()
or java.io.File.list() but you can still execute sockets .

Fourtunately , I wasn´t able of retriving another IP different from 
localhost when the script is
executed in the server , but it works fine if you email the webpage , 
establishing the connection
with port 139 . I don´t know if there is an alternative method of 
retrieving a visitor's IP address from
java or javascript but if there is this can be exploitable via webpage .

Email sockets.html to you or open it locally and you will see a connection 
with netstat .



Regards ,

David F.Madrid ,
Madrid , Spain

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ