[29625] in bugtraq


Using Java from Javascript

daemon@ATHENA.MIT.EDU (David F. Madrid)
Thu Apr 3 17:36:48 2003

Message-Id: <5.2.0.9.0.20030403000114.00d8b190@pop3.telefonica.net>
Date: Thu, 03 Apr 2003 00:02:06 +0200
To: bugtraq@securityfocus.com
From: "David F. Madrid" <conde0@telefonica.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: 8bit


Opera and Netscape browsers allow you to include Java method calls in your JavaScript. As JavaScript has support for objects, you can use objects returned by these calls in your scripts.

I have been looking for information about the possible security implications (and published vulnerabilities) that this could have, but have found nothing. Doing some tests by myself, this is what I have found.

Opera 6.01

If you use Opera 6.01 you can make calls to the Java exec function, which executes the command line passed to it. This means you can execute any program. Here is a small demonstration:

http://usuarios.lycos.es/idoru/petaopera.html

The second link executes Windows calculator. The first link executes verifier.exe, a W2000/XP program, causing a buffer overflow in it (W2000 server is full of command line buffer overflows); this means that just by visiting a webpage (a malicious site or a post in a forum) code can be executed on your machine with user privileges.

Besides, playing with sockets from JavaScript you can obtain the local IP address with

var host=java.net.InetAddress.getLocalHost();

and use it to connect to an arbitrary local TCP port on your IP. If you are connected to a LAN, you can connect with every socket on your LAN interface. This means that by viewing some post in a forum, a script can connect to a port on your PC and send and receive data (as classes like InputDataStram can be used as well). A new type of cross site scripting focused on exploiting vulnerable services.

An example can be found here; the connection to port 139 can be tracked with netstat (before closing the browser):

http://usuarios.lycos.es/idoru/sockets.html


Opera 7.02 and Netscape 7.02

Neither browser allows Java calls to certain methods. Well, they are allowed, but they return null. You can't execute exec or delete, just methods like java.io.File.exists() or java.io.File.list(), but you can still execute sockets.

Fortunately, I wasn't able to retrieve an IP other than localhost when the script is executed in the server, but it works fine if you email the webpage, establishing the connection with port 139. I don't know if there is an alternative method of retrieving a visitor's IP address from Java or JavaScript, but if there is, this can be exploitable via cross site scripting.

Email sockets.html to yourself or open it locally and you will see a connection with netstat.



Regards ,

David F.Madrid ,
Madrid , Spain 
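
A defender's check for the behaviour described in the message above, as an added example that is not part of the original post: it scans page source for Java class references that a browser with the Java-from-JavaScript bridge (LiveConnect) would resolve, and buckets them by the capabilities the post lists. The function names, category labels and sample HTML are constructed for illustration.

```javascript
// Added example (not from the original post): flag Java class references in
// page source that a LiveConnect-capable browser would resolve from script.

// Matches e.g. java.net.InetAddress.getLocalHost or Packages.java.io.File
const CLASS_REF = /\b(?:Packages\.)?(java(?:\.[a-z]\w*)+\.[A-Z]\w*)(?:\.(\w+))?/g;

// Buckets follow the capabilities the post describes: exec, sockets, file methods.
function classify(cls) {
  if (cls === 'java.lang.Runtime') return 'command-execution';
  if (cls.startsWith('java.net.')) return 'network';
  if (cls.startsWith('java.io.')) return 'file-or-stream';
  return 'other-java';
}

// Returns one finding per reference: 1-based line, class, first member, category.
function scanForLiveConnect(html) {
  const findings = [];
  for (const m of html.matchAll(CLASS_REF)) {
    const line = html.slice(0, m.index).split('\n').length;
    findings.push({ line, cls: m[1], member: m[2] || null, category: classify(m[1]) });
  }
  return findings;
}

// Constructed sample page (assumption): script block plus an inline handler.
const SAMPLE = [
  '<html><body>',
  '<script>',
  'var host = java.net.InetAddress.getLocalHost();',
  'var f = new java.io.File("x");',
  '</script>',
  '<a href="#" onclick="Packages.java.lang.Runtime.getRuntime()">x</a>',
  '<p>Learn javascript and java.</p>',
  '</body></html>',
].join('\n');

for (const f of scanForLiveConnect(SAMPLE)) {
  console.log(`line ${f.line}: ${f.category} ${f.cls}${f.member ? '.' + f.member : ''}`);
}
```

The plain-text mentions of "javascript" and "java." on the last content line are not reported, since only dotted package-plus-class references match.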

