COMMAND

    Java and JavaScript script executions and DoS in Netscape and Opera

SYSTEMS AFFECTED

    Opera 6.01, Opera 7.02 and Netscape 7.02 (Mozilla)

PROBLEM

From David F. Madrid's [conde0@telefonica.net] advisory:

Opera and Netscape browsers allow you to include Java method calls in your JavaScript. As JavaScript has support for objects, you can use objects returned by these calls in your scripts. I have been looking for information about the possible security implications (and vulnerabilities published) that this could have, but have found nothing. Doing some tests by myself, this is what I have found.

Opera 6.01
==========

If you use Opera 6.01 you can make calls to the Java exec function, which executes the command line passed to it. This means you can execute any program. Here is a small demonstration:

    http://usuarios.lycos.es/idoru/petaopera.html

The second link executes the Windows calculator. The first link executes verifier.exe, a W2000/XP program, causing a buffer overflow in it (W2000 Server is full of command line buffer overflows). This means that just by visiting a webpage (a malicious site or a post in a forum) code can be executed on your machine with user privileges.

Besides, playing with sockets from JavaScript you can obtain the local IP address with

    var host=java.net.InetAddress.getLocalHost();

and use it to connect to an arbitrary local TCP port on your IP. If you are connected to a LAN, you can connect to every socket on your LAN interface. This means that by viewing some post in a forum, a script can connect to a port on your PC and send and receive data (as classes like DataInputStream can be used as well). A new type of cross site scripting focused on exploiting vulnerable services.

An example can be found here; the connection to port 139 can be tracked with netstat (before closing the browser):

    http://usuarios.lycos.es/idoru/sockets.html

Opera 7.02 and Netscape 7.02
============================

Both browsers don't allow Java calls to certain methods. Well, they are allowed, but they return a null. You can't execute exec or delete, just methods like java.io.File.exists() or java.io.File.list(), but you can still execute sockets. Fortunately, I wasn't able to retrieve an IP address other than localhost when the script is executed on the server, but it works fine if you email the webpage, establishing the connection with port 139. I don't know if there is an alternative method of retrieving a visitor's IP address from Java or JavaScript, but if there is, this can be exploitable via webpage. Email sockets.html to yourself or open it locally and you will see a connection with netstat.

-Also-

Marc Schoenefeld [schonef@uni-muenster.de] adds:

Executing

    <scr1pt language="Javascript">
    t = new Packages.sun.plugin.javascript.navig5.JSObject(1,1);
    </scr1pt>

crashes Netscape 7.02 and Opera 7 on Windows XP. The active JVM in both tested browsers is Java 1.4.1_02 from Sun. This LiveConnect (JavaScript-to-Java communication) stuff seems to be still very dangerous.

SOLUTION

    New releases available?
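As an added example (not part of either advisory), a small Node.js scanner of the kind a mail gateway or web proxy could run to flag LiveConnect (JavaScript-to-Java) references such as those described above; the rule list, risk categories and the sample page content are my own constructed assumptions.

```javascript
// Added example: flag LiveConnect (JavaScript-to-Java) usage in page content.
// Rules and risk levels are assumptions chosen to mirror the advisory's cases.
const LIVECONNECT_RULES = [
  // java.lang.Runtime: arbitrary process execution (the Opera 6.01 exec case)
  { category: "process-exec", risk: "high", re: /\bjava\.lang\.Runtime\b/g },
  // raw sockets and local address discovery (the port 139 case)
  { category: "network", risk: "high",
    re: /\bjava\.net\.(?:Socket|ServerSocket|InetAddress)\b/g },
  // filesystem probing (File.exists / File.list still answer in 7.02)
  { category: "filesystem", risk: "medium",
    re: /\bjava\.io\.(?:File|DataInputStream|FileInputStream)\b/g },
  // plugin-internal classes such as sun.plugin.javascript.navig5.JSObject (crash case)
  { category: "plugin-internal", risk: "medium", re: /\bPackages\.sun\.plugin\b/g },
  // any other Packages.* / netscape.* reference, lowest priority
  { category: "liveconnect-generic", risk: "low",
    re: /\b(?:Packages|netscape)\.[A-Za-z_$][\w$.]*/g },
];

const RISK_ORDER = { none: 0, low: 1, medium: 2, high: 3 };

// 1-based line number of a character offset, for reporting.
function lineOf(text, index) {
  let line = 1;
  for (let i = 0; i < index; i++) if (text.charCodeAt(i) === 10) line++;
  return line;
}

// Returns { overall, findings[] }; a position matched by a specific rule is
// not reported again by the generic rule.
function scanForLiveConnect(content) {
  const findings = [];
  const seen = new Set();
  for (const rule of LIVECONNECT_RULES) {
    rule.re.lastIndex = 0;
    let m;
    while ((m = rule.re.exec(content)) !== null) {
      if (seen.has(m.index)) continue;
      seen.add(m.index);
      findings.push({ category: rule.category, risk: rule.risk,
                      match: m[0], line: lineOf(content, m.index) });
    }
  }
  const overall = findings.reduce(
    (acc, f) => (RISK_ORDER[f.risk] > RISK_ORDER[acc] ? f.risk : acc), "none");
  return { overall, findings };
}

// Constructed sample page modelled on the advisory's sockets.html and crash case.
const SAMPLE_PAGE = [
  "<html><body><script>",
  "var host = java.net.InetAddress.getLocalHost();",
  "var s = new java.net.Socket(host, 139);",
  "var t = new Packages.sun.plugin.javascript.navig5.JSObject(1, 1);",
  "</script></body></html>",
].join("\n");
```

Running `scanForLiveConnect(SAMPLE_PAGE)` reports an overall risk of "high" with three findings on lines 2, 3 and 4, while ordinary JavaScript such as `re.exec(x)` or the word "java" in prose produces none.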