Date: Tue, 1 Apr 2003 22:46:26 -0300 From: idoru@VIDEOSOFT.NET.UY To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Opera and Netscape browsers allow you to include Java method calls in your
scripts and use the objects returned by these calls.
I have been looking for information about the possible security
implications (and published vulnerabilities) that this could have, but
have found nothing. Doing some tests by myself, this is what I have found.
If you use Opera 6.01 you can make calls to the Java exec function, which
executes the command line passed to it. This means you can execute any
program. Here is a small demonstration
The second link executes the Windows calculator. The first link executes
verifier.exe, a W2000/XP program, causing a buffer overflow in it
(W2000 Server is full of command line buffer overflows). This means that
just by visiting a webpage (a malicious site or a post in a forum) code can
be executed on your machine with user privileges.
and use it to connect to an arbitrary local TCP port on your IP. If you
are connected to a LAN, you can connect to every socket on your LAN
interface. This means that by viewing some post in a forum, a script can
connect to a port on your PC and send and receive data (as classes like
InputDataStream can be used as well). A new type of cross-site scripting
focused on exploiting vulnerable services.
An example can be found here; the connection to port 139 can be tracked with
netstat (before closing the browser).
Opera 7.02 and Netscape 7.02
Both browsers don't allow Java calls to certain methods. Well, they
are allowed, but they return a null. You can't execute exec or delete,
just methods like java.io.File.exists() or java.io.File.list(), but you can
still use sockets.
Fortunately, I wasn't able to retrieve an IP different from
localhost when the script is executed from the server, but it works fine if
you email the webpage, establishing the connection with port 139. Just
open the attached file and click the link. I don't know if there is an
alternative method of retrieving a visitor's IP address from Java or
David F.Madrid ,
Madrid , Spain
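Added example, not part of the post above or of any browser's own code: a page script that reports which LiveConnect entry points a browser exposes to JavaScript, so the Opera 6.01 versus Opera 7.02 / Netscape 7.02 behaviour the post describes can be checked on a given browser without launching a program or touching the network. The `java` global is the real LiveConnect entry point; the function names (`probeLiveConnect`, `interpretReport`), the `classify` rule that treats both a null return and a thrown exception as "blocked", and the constructed stand-in globals at the bottom (modelled on what the post reports, not on the real browsers) are assumptions of this example.

```javascript
// Added example (not from the original post): probe which LiveConnect
// entry points the browser exposes to page script. The global object is
// passed in (probeLiveConnect(window) on a real page) so the same logic can
// be exercised offline against the constructed stand-ins at the bottom.
// Nothing here invokes Runtime.exec or opens a network connection.

function classify(fn) {
  // The post reports that blocked calls in Opera 7.02 / Netscape 7.02
  // return null; other bridges throw a security exception. Treat both as
  // "blocked" (assumption of this example).
  try {
    var value = fn();
    return (value === null || value === undefined) ? "blocked" : "exposed";
  } catch (e) {
    return "blocked";
  }
}

function probeLiveConnect(global) {
  var report = { javaObject: false, runtime: "absent", file: "absent", socket: "absent" };
  var java = global ? global.java : undefined;
  if (!java) {
    return report;            // no Java bridge reachable from script at all
  }
  report.javaObject = true;

  // The handle on which exec() lives. exec itself is deliberately not
  // called; whether it really launches a process must be confirmed by hand
  // with a harmless command, as the post does with the calculator.
  report.runtime = classify(function () {
    return java.lang.Runtime.getRuntime();
  });

  // The post says java.io.File.exists()/list() still work in 7.02.
  report.file = classify(function () {
    return new java.io.File(".").exists();
  });

  // The no-argument Socket constructor yields an unconnected socket, so this
  // shows whether the class is instantiable without connecting anywhere.
  report.socket = classify(function () {
    return new java.net.Socket();
  });

  return report;
}

// Map a report onto the situations the post describes.
function interpretReport(report) {
  if (!report.javaObject) return "no Java bridge exposed to script";
  if (report.runtime === "exposed") return "Runtime reachable: exec-style code execution possible (Opera 6.01 case)";
  if (report.socket === "exposed") return "Runtime blocked but sockets usable: local/LAN port access possible (7.02 case)";
  return "Java bridge present but Runtime and Socket blocked";
}

// Constructed stand-ins for the global object in the three situations the
// post describes. They model the behaviour the post reports, not the real
// browsers (assumption of this example).
function fakeJava(policy) {
  return {
    lang: {
      Runtime: {
        getRuntime: function () {
          return policy.runtime ? { exec: function () { return {}; } } : null;
        }
      }
    },
    io: {
      File: function (path) {
        this.exists = function () { return policy.file; };
      }
    },
    net: {
      Socket: function () {
        if (!policy.socket) throw new Error("java.lang.SecurityException (simulated)");
      }
    }
  };
}

var OPERA_601_LIKE = { java: fakeJava({ runtime: true, file: true, socket: true }) };
var OPERA_702_LIKE = { java: fakeJava({ runtime: false, file: true, socket: true }) };
var NO_BRIDGE = {};
```

On a real page the call is `interpretReport(probeLiveConnect(window))`; the stand-ins only exist so the probe can be run and checked outside a browser. The probe stops short of calling `exec` or connecting a socket on purpose: the question it answers is which classes script can reach, and the post's exec and port-139 demonstrations are the manual follow-up for a browser that reports "exposed".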