Comments on: Java Applets and DNS Rebinding http://xs-sniper.com/blog/2007/11/04/java-applets-and-dns-rebinding/ Thoughts on Security in an Uncivilized World… Fri, 13 Nov 2009 09:32:59 -0700 http://wordpress.org/?v=2.9.1 hourly 1 By: Zero Day mobile edition http://xs-sniper.com/blog/2007/11/04/java-applets-and-dns-rebinding/comment-page-1/#comment-308 Zero Day mobile edition Tue, 25 Mar 2008 03:52:10 +0000 http://xs-sniper.com/blog/2007/11/04/java-applets-and-dns-rebinding/#comment-308 [...] this attack, but if you want to see more on it view my previous post in this series, as well as an article I posted on Billy’s XS-Sniper blog.  What’s important to recognize is what they attack accomplished.  [...] [...] this attack, but if you want to see more on it view my previous post in this series, as well as an article I posted on Billy’s XS-Sniper blog.  What’s important to recognize is what they attack accomplished.  [...]

]]> By: Zero Day mobile edition http://xs-sniper.com/blog/2007/11/04/java-applets-and-dns-rebinding/comment-page-1/#comment-294 Zero Day mobile edition Fri, 14 Mar 2008 14:27:30 +0000 http://xs-sniper.com/blog/2007/11/04/java-applets-and-dns-rebinding/#comment-294 [...] at Hack in the Box Malaysia in 2007 on how this pinning could be broken.  There’s a nice excerpt on Billy’s XS-Sniper blog, which I used to post on, that covers the subject in depth.  The basics of it were as [...] [...] at Hack in the Box Malaysia in 2007 on how this pinning could be broken.  There’s a nice excerpt on Billy’s XS-Sniper blog, which I used to post on, that covers the subject in depth.  The basics of it were as [...]

]]> By: Joe http://xs-sniper.com/blog/2007/11/04/java-applets-and-dns-rebinding/comment-page-1/#comment-273 Joe Thu, 07 Feb 2008 23:44:06 +0000 http://xs-sniper.com/blog/2007/11/04/java-applets-and-dns-rebinding/#comment-273 Hi guys, great work! Was the xs-sniper tool release yet? I could not find it anywhere. It would be great to have for POCs/Demos/Presentations for my company. (If you want, I'd sign an NDA) Thanks. Btw. the KL HITB talk was also really great and eye-opening, enjoyed it very much (saw the video) Hi guys, great work!

Was the xs-sniper tool release yet? I could not find it anywhere. It would be great to have for POCs/Demos/Presentations for my company. (If you want, I’d sign an NDA)
Thanks.

Btw. the KL HITB talk was also really great and eye-opening, enjoyed it very much (saw the video)

]]> By: Marco Ramilli http://xs-sniper.com/blog/2007/11/04/java-applets-and-dns-rebinding/comment-page-1/#comment-219 Marco Ramilli Thu, 08 Nov 2007 20:36:21 +0000 http://xs-sniper.com/blog/2007/11/04/java-applets-and-dns-rebinding/#comment-219 Great work guys. It's really interesting, I will study more about it. Thanks. Great work guys.
It’s really interesting, I will study more about it.
Thanks.

]]> By: Nathan McFeters http://xs-sniper.com/blog/2007/11/04/java-applets-and-dns-rebinding/comment-page-1/#comment-218 Nathan McFeters Wed, 07 Nov 2007 06:49:16 +0000 http://xs-sniper.com/blog/2007/11/04/java-applets-and-dns-rebinding/#comment-218 I've had a few too many drinks tonight to read that article completely, but I think this is something quite different. What we've effectively done is cached an applet for the JVM at natemcfeters.com. Then we simply load a new JVM (say with a different browser through firefoxurl:// or something similar) or kill the current JVM and hope that they will load a new one. Prior to this happening, we've obviously changed the IP address for natemcfeters.com. The NGS attack is even more interesting since it is a URI that actually convinces the JVM to load an applet without, apparently, the Same Origin Policy restrictions. The attack used in our presentation makes use of the xs-sniper tool, which is an advanced xss proxy (hopefully Billy will release it soon). Basically in the attack example it allows us to interact through javascript to the the applet code we've loaded on the victim's machine, which has been DNS rebound. So, we can do anything Java can at that point. Malaysia was a long way away, but I definitely recommend the HITB conference to all researchers. It was a great time for Billy and I. Got to meet Phiber Optik, Emmanuel Goldstein, Window Snyder, etc. A lot of fun. Also, haggling with the locals for fake watches can be fun too. I’ve had a few too many drinks tonight to read that article completely, but I think this is something quite different. What we’ve effectively done is cached an applet for the JVM at natemcfeters.com. Then we simply load a new JVM (say with a different browser through firefoxurl:// or something similar) or kill the current JVM and hope that they will load a new one. Prior to this happening, we’ve obviously changed the IP address for natemcfeters.com.

The NGS attack is even more interesting since it is a URI that actually convinces the JVM to load an applet without, apparently, the Same Origin Policy restrictions.

The attack used in our presentation makes use of the xs-sniper tool, which is an advanced xss proxy (hopefully Billy will release it soon). Basically in the attack example it allows us to interact through javascript to the the applet code we’ve loaded on the victim’s machine, which has been DNS rebound. So, we can do anything Java can at that point.

Malaysia was a long way away, but I definitely recommend the HITB conference to all researchers. It was a great time for Billy and I. Got to meet Phiber Optik, Emmanuel Goldstein, Window Snyder, etc. A lot of fun. Also, haggling with the locals for fake watches can be fun too.

]]> By: David Byrne http://xs-sniper.com/blog/2007/11/04/java-applets-and-dns-rebinding/comment-page-1/#comment-217 David Byrne Tue, 06 Nov 2007 19:50:25 +0000 http://xs-sniper.com/blog/2007/11/04/java-applets-and-dns-rebinding/#comment-217 Sounds like a cool presentation, but Malaysia's a bit far to travel :) Anyway, is this an updated (and implimented) varient of what Josh Soref hypothisized in 2003? http://viper.haque.net/~timeless/blog/11/ It's hard to get the complete picture from only the slides. Sounds like a cool presentation, but Malaysia’s a bit far to travel :) Anyway, is this an updated (and implimented) varient of what Josh Soref hypothisized in 2003?

http://viper.haque.net/~timeless/blog/11/

It’s hard to get the complete picture from only the slides.

]]> By: Kanatoko http://xs-sniper.com/blog/2007/11/04/java-applets-and-dns-rebinding/comment-page-1/#comment-215 Kanatoko Mon, 05 Nov 2007 19:14:06 +0000 http://xs-sniper.com/blog/2007/11/04/java-applets-and-dns-rebinding/#comment-215 Interesting. And we can use UDP too, on Java. Interesting. And we can use UDP too, on Java.

]]>