That bypass was fixed in Java 7 update
13 so we had to keep looking at new ways of defeating the warning
pop-up that requires user interaction in order to run applets.
We continued auditing the code that
performed the checks when starting an applet and ended up arriving at the
method
“sun.plugin2.main.client.PluginMain.performSSVValidation(Plugin2Manager)”
This method will end up calling some
other methods in the com.sun.javaws.ui.SecureStaticVersioning
class that will show us that annoying security warning pop up.
But just take a quick look at the
performSSVValidation method
implementation:
What is that __applet_ssv_validated
parameter??
Obviously this is an internal
undocumented parameter and, as you can see, it turns out that if it
is set to true, no checks are performed.
The first thing we tried was to simply
set that parameter to true in our evil applet, but it didn't work.
While debugging we noticed that the
parameter was not set on the applet despite our setting it to true.
Basically
sun.plugin2.main.server.MozillaPlugin.addParameter(String, String)
is filtering the parameters:
But as you may
know, Java provides another way of launching applets in a browser
besides using the applet, object or embed tags.
Java Web Start technology is what we can use.
Now the applet
description is provided by using a JNLP file and parameters can be
set to the applet by using the <param> tag.
We can
see that when using Java Web Start, the performSSVValidation
method is also called
So
lets try to launch an applet with Java Web Start and set the
__applet_ssv_validated
parameter
to true with a JNLP file like this one:
And by know you
have already realized that this just works and parameters are not
filtered.
The Security
Warning pop-up message is not displayed and our applet happily runs!
Ironically on
Tuesday 16th April, exactly while I was at the Infiltrate MasterClass teaching how to audit and exploit Java, Oracle released update 21 which fixed this bypass and a ton of others.
The time investment for stealthily exploiting Java is increasing but finding bypasses like this makes it worth the time!
Esteban Guillardoy
No comments:
Post a Comment