Using Java from Javascript

From: idoru@VIDEOSOFT.NET.UY
Date: 04/02/03

  • Next message: [SANG] Peter A. Sang: "IIS 5: strange problems handling certain file names"
    Date:         Tue, 1 Apr 2003 22:46:26 -0300
    From: idoru@VIDEOSOFT.NET.UY
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Opera and Netscape browsers allow you to include java methods calls in
    your javascript . As Javascript has support for objects you can use
    objects returned by these calls in your scripts .
    I have been looking for information about the possibly security
    implications ( and vulnerabilities published ) that this could have , but
    have found nothing . Doing some test by myself this is but I have found .
    Opera 6.01

    If you use Opera 6.01 you can make calls to Java exec function , which
    executes the command line passed to it . This means you can execute any
    program . Here is a small demonstration
    http://usuarios.lycos.es/idoru/petaopera.html

    The second link executes windows calculator . The first link executes
    verifier.exe , a W2000/XP program , causing a buffer overflow in it (
    W2000 server is full of command line buffer overflows ), this means that
    just visiting a webpage ( a malicious site or a post in a forum ) code can
    be executed in your machine with user priviliges .
    Besides , playing with sockets from javascript you can obtain the local Ip
    address with
    var host=java.net.InetAddress.getLocalHost();

    and use it to connect to an arbitrary local tcp port on your IP . If you
    are connected to a LAN , you can connect with every socket in your LAN
    interface.This means that with viewing some post in a forum , a script can
    connect to a port on your PC and send and recieve data ( as classes like
    InputDataStram can be used as well ). A new type of cross site scripting
    focused in exploiting vulnerable services .
    An example can be found here , connection to port 139 can be tracked with
    netstat ( before closing the browser )
    http://usuarios.lycos.es/idoru/sockets.html

    Opera 7.02 and Netscape 7.02

    Both browsers donīt allow to make java calls to determinate methods . Well
    , are allowed by they return a null . You can`t execute exec or delete ,
    just methods like java.io.File.exists() or java.io.File.list() but you can
    still execute sockets .
    Fourtunately , I wasnīt able of retriving another IP different from
    localhost when the script is executed in the server , but it works fine if
    you email the webpage , establishing the connection with port 139 . Just
    open the file attached and click the link . I donīt know if there is an
    alternative method of retrieving a visitor's IP address from java or
    javascript but if there is this can be exploitable via webpage .

    Regards ,

    David F.Madrid ,
    Madrid , Spain

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Delivery co-sponsored by Prometric - More than testing, learning.
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    http://www.prometric.com

    Prometric, part of The Thomson Corporation, is the leader in
    technology-enabled testing and assessment services for information
    technology certification, academic admissions, professional licensure and
    certifications, computer-based driver's licensing, and corporate testing.

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo


  • Next message: [SANG] Peter A. Sang: "IIS 5: strange problems handling certain file names"