Sunday, November 4th, 2007

Java Applets and DNS Rebinding

For those of you who were able to see Billy and I present at Hack In the Box Malaysia this year, you already know that Java Applets were vulnerable to DNS Rebinding attacks. For the benefit of those of you who didn’t get to see that presentation, here’s a link to it, but the simple of it is that we can XSS a victim, force a Java applet to be cached and then DNS Rebind that applet by reloading the JVM or loading a new JVM after we have modified the DNS entry for the name of the host the applet was served from. This is because, as many things on the Internet, applets are pinned to DNS name as opposed to IP address.

  
Why do we care? Well, unlike DNS pinning with Flash sockets, we can actually make request to ports less than 1024 and additionally, Java provides us with a huge set of libraries for doing everything from communicating with database servers to communicating with RMI servers.

  
Interestingly enough, a recent post by the NGS guys that was on seclists detailed how this was vulnerable in another way, which appeared to not have to rely on a new load of the JVM. Here’s a comment from that post:

  

By specifying a codebase URI prefixed by “verbatim:” it is possible to
load an applet from a remote location but have the browser plugin believe
it has been loaded from the local host. This allows an untrusted applet
to connect to and attempt to exploit network services running on the local
host. It should be noted that unlike binary sockets in Flash 9, an applet
can connect to any port, not just those greater than 1024.

  
At the time of reporting this issue, NGS provided Sun with a demonstration
applet that exploited MS06-040 (“Vulnerability in Server Service could
allow remote code execution”) on a vulnerable XP SP1 system.

  
Fortunately for all of us who have Java installed on our systems, this has now been patched by Sun, but I find it interesting that Java has its own URIs that it respects, like the verbatim: URI. Very interesting indeed.

Posted by xssniper | Filed in Security, Web Application Security

  • http://www.jumperz.net/ Kanatoko

    Interesting. And we can use UDP too, on Java.

  • David Byrne

    Sounds like a cool presentation, but Malaysia’s a bit far to travel :) Anyway, is this an updated (and implimented) varient of what Josh Soref hypothisized in 2003?

    http://viper.haque.net/~timeless/blog/11/

    It’s hard to get the complete picture from only the slides.

  • http://xs-sniper.com Nathan McFeters

    I’ve had a few too many drinks tonight to read that article completely, but I think this is something quite different. What we’ve effectively done is cached an applet for the JVM at natemcfeters.com. Then we simply load a new JVM (say with a different browser through firefoxurl:// or something similar) or kill the current JVM and hope that they will load a new one. Prior to this happening, we’ve obviously changed the IP address for natemcfeters.com.

    The NGS attack is even more interesting since it is a URI that actually convinces the JVM to load an applet without, apparently, the Same Origin Policy restrictions.

    The attack used in our presentation makes use of the xs-sniper tool, which is an advanced xss proxy (hopefully Billy will release it soon). Basically in the attack example it allows us to interact through javascript to the the applet code we’ve loaded on the victim’s machine, which has been DNS rebound. So, we can do anything Java can at that point.

    Malaysia was a long way away, but I definitely recommend the HITB conference to all researchers. It was a great time for Billy and I. Got to meet Phiber Optik, Emmanuel Goldstein, Window Snyder, etc. A lot of fun. Also, haggling with the locals for fake watches can be fun too.

  • http://marcoramilli.blogspot.com Marco Ramilli

    Great work guys.
    It’s really interesting, I will study more about it.
    Thanks.

  • Joe

    Hi guys, great work!

    Was the xs-sniper tool release yet? I could not find it anywhere. It would be great to have for POCs/Demos/Presentations for my company. (If you want, I’d sign an NDA)
    Thanks.

    Btw. the KL HITB talk was also really great and eye-opening, enjoyed it very much (saw the video)

  • Pingback: Zero Day mobile edition

  • Pingback: Zero Day mobile edition