Using Java from Javascript
From: idoru@VIDEOSOFT.NET.UY
Date: 04/02/03
Date: Tue, 1 Apr 2003 22:46:26 -0300 From: idoru@VIDEOSOFT.NET.UY To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Opera and Netscape browsers allow you to include Java method calls in
your JavaScript. As JavaScript has support for objects, you can use
objects returned by these calls in your scripts.
I have been looking for information about the possible security
implications (and published vulnerabilities) that this could have, but
have found nothing. Doing some tests by myself, this is what I have found.
Opera 6.01
If you use Opera 6.01 you can make calls to the Java exec function, which
executes the command line passed to it. This means you can execute any
program. Here is a small demonstration:
http://usuarios.lycos.es/idoru/petaopera.html
The second link executes the Windows calculator. The first link executes
verifier.exe, a W2000/XP program, causing a buffer overflow in it
(W2000 Server is full of command-line buffer overflows). This means that
just by visiting a webpage (a malicious site or a post in a forum) code can
be executed on your machine with user privileges.
Besides, playing with sockets from JavaScript you can obtain the local IP
address with
var host=java.net.InetAddress.getLocalHost();
and use it to connect to an arbitrary local TCP port on your IP. If you
are connected to a LAN, you can connect with every socket on your LAN
interface. This means that by viewing some post in a forum, a script can
connect to a port on your PC and send and receive data (as classes like
InputDataStream can be used as well). A new type of cross-site scripting
focused on exploiting vulnerable services.
An example can be found here; the connection to port 139 can be tracked
with netstat (before closing the browser):
http://usuarios.lycos.es/idoru/sockets.html
Opera 7.02 and Netscape 7.02
Neither browser allows Java calls to certain methods. Well, they are
allowed but they return null. You can't execute exec or delete,
just methods like java.io.File.exists() or java.io.File.list(), but you can
still use sockets.
Fortunately, I wasn't able to retrieve an IP different from
localhost when the script is executed on the server, but it works fine if
you email the webpage, establishing the connection with port 139. Just
open the attached file and click the link. I don't know if there is an
alternative method of retrieving a visitor's IP address from Java or
JavaScript, but if there is, this can be exploitable via a webpage.
Regards,
David F.Madrid,
Madrid, Spain
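
An added example, not part of the original post: a static check a proxy or forum sanitizer could run over submitted markup to flag the Java-from-JavaScript references the message describes (exec, sockets, java.io.File). The rule categories, function names and sample page are constructed for illustration.

```javascript
// Categories follow the post: command execution, sockets, file methods.
const RULES = [
  { category: "process-execution", pattern: /^java\.lang\.(Runtime|ProcessBuilder)\b/ },
  { category: "network-socket", pattern: /^java\.net\.(Socket|ServerSocket|DatagramSocket|InetAddress|URL)\b/ },
  { category: "file-access", pattern: /^java\.io\.File\w*\b/ },
];
// Fully qualified java.* name, optionally written with the Packages. prefix.
// The lookbehind skips "javascript" and property chains such as foo.java.x.
const JAVA_REF = /(?<![\w$.])(?:Packages\.)?(java(?:\.[A-Za-z_$][\w$]*)+)/g;

// Collect only the places where a browser would run script, so that
// ordinary page text mentioning java.* is not reported.
function scriptContexts(html) {
  const out = [];
  const collect = (kind, re, group) => {
    for (const m of html.matchAll(re)) out.push({ kind, code: m[group] });
  };
  collect("script-block", /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi, 1);
  collect("javascript-url", /\b(?:href|src)\s*=\s*(["'])\s*javascript:([\s\S]*?)\1/gi, 2);
  collect("event-handler", /\bon\w+\s*=\s*(["'])([\s\S]*?)\1/gi, 2);
  return out;
}

function findLiveConnectCalls(html) {
  const findings = [];
  for (const ctx of scriptContexts(html)) {
    for (const m of ctx.code.matchAll(JAVA_REF)) {
      const rule = RULES.find((r) => r.pattern.test(m[1]));
      findings.push({
        where: ctx.kind,
        call: m[1],
        category: rule ? rule.category : "other-java-reference",
      });
    }
  }
  return findings;
}

// Constructed sample page; file name and command are placeholders.
const SAMPLE_PAGE = `
<html><body>
<script>
  var host = java.net.InetAddress.getLocalHost();
  var f = new java.io.File("placeholder.txt");
</script>
<a href="javascript:java.lang.Runtime.getRuntime().exec('placeholder')">link</a>
<p>Plain text mentioning javascript is not flagged.</p>
</body></html>`;

console.log(findLiveConnectCalls(SAMPLE_PAGE));
```

A pattern scan like this misses obfuscated or dynamically built references, so it complements rather than replaces disabling Java in the browser.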