TUCoPS :: Browsers :: a6100.htm

Java and Javascript script executions and DoS in Netscape and Opera
6th Apr 2003 [SBWID-6100]

	Java and Javascript script executions and DoS in Netscape and Opera


	 Opera 6.01
	 Opera 7.02 and Netscape 7.02


	In David F. Madrid [conde0@telefonica.net] advisory :
	Opera and Netscape browsers allow you to include java methods  calls  in
	your javascript. As Javascript has  support  for  objects  you  can  use
	objects returned by these calls in your scripts .
	I  have  been  looking  for  information  about  the  possibly  security
	implications ( and vulnerabilities published ) that this  could  have  ,
	but have found nothing . Doing some test by myself this is  but  I  have
	found .
	 Opera 6.01
	If you use Opera 6.01 you  can  make  calls  to  Java  exec  function  ,
	which=20 executes the command line passed to it .  This  means  you  can
	execute any program . Here is a small demonstration
	The second link executes windows calculator . The  first  link  executes
	verifier.exe , a W2000/XP program , causing a buffer overflow  in  it  (
	W2000 server is full of command line  buffer  overflows  ),  this  means
	that just visiting a webpage ( a malicious site or a post in a  forum  )
	code can be executed in your machine with user priviliges .
	Besides , playing with sockets from javascript you can obtain the  local
	Ip address with
	 var host=3Djava.net.InetAddress.getLocalHost();
	and use it to connect to an arbitrary local tcp port on  your  IP  .  If
	you=20 are connected to a LAN , you can connect  with  every  socket  in
	your LAN interface.This means that with viewing some post in a  forum  ,
	a script can connect to a port on your PC and send and  recieve  data  (
	as classes like InputDataStram can be used as well  ).  A  new  type  of
	cross site scripting focused in exploiting vulnerable services .
	An example can be found here , connection to port  139  can  be  tracked
	with netstat ( before closing the browser )
	 Opera 7.02 and Netscape 7.02
	Both browsers don=B4t allow to make java calls to determinate methods  .
	Well , are allowed by they return a null . You  can`t  execute  exec  or
	delete , just methods like java.io.File.exists() or  java.io.File.list()
	but you can still execute sockets .
	Fourtunately , I wasn't able of  retriving  another  IP  different  from
	localhost when the script is executed in the server , but it works  fine
	if you email the webpage , establishing the connection with port  139  .
	I don't  know  if  there  is  an  alternative  method  of  retrieving  a
	visitor's IP address from java or javascript but if there  is  this  can
	be exploitable via webpage .
	Email sockets.html to you  or  open  it  locally  and  you  will  see  a
	connection with netstat .
	Marc Schoenefeld [schonef@uni-muenster.de] adds :
	<scr1pt language=3D"Javascript">
	 new Packages.sun.plugin.javascript.navig5.JSObject(1,1);
	crashes Netscape 7.02 and Opera 7 on Windows XP. The active JVM in  both
	tested browsers is Java 1.4.1_02 from Sun.
	This liveconnect (javascript-2-java-communication)  stuff  seems  to  be
	still very dangerous.


	New releases available ?

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH