[Dailydave] We need to talk about Java

Alex McGeorge alexm at immunityinc.com
Tue Oct 1 10:49:37 EDT 2013


Hello List,

We need to talk about Java. I know you have some strong feelings about
the relative merits of Java and its security posture, but it's time to
face facts. By requiring the click-through to start an applet, Oracle
has changed the game a bit. Pen-testers, though we like to go to
conferences aimed at making us look somewhat villainous by association
and make poor hat-related fashion choices, have some abilities that
attackers don't. Namely, it's easier for us to register legitimate code
signing certificates.

In the past, Java exploits made a ton of sense: you could run an applet
which would leverage an exploit without the user knowing. Now the user
knows the applet is running. So if the user already has to click through,
then why run an exploit when a signed applet can escape the sandbox? We
asked ourselves that same question, then bribed Esteban with some hockey
highlight videos and made him write up a new CANVAS module called
java_generic_mosdef. If you acquire a Java code signing certificate from
a trusted CA and sign the applet, you can get shells without having to
use an exploit.

See it in action here: http://vimeo.com/75795666

Click-through bypasses, when combined with Java sandbox escapes, will
always be valuable, but the click-through code is pretty well understood
at this point. So publicly released bypasses are going to be rare until
Oracle starts adding more functionality to abuse. There will still be a
market for Java exploits for use by the checkbox-checker crowd: "Is the
target vulnerable to CVE-ABCD-WXYZ? Yes/No." But the question with Java
now isn't just if you're running a vulnerable version, it's if the user
will click through to run the applet. And they will, which means
stealthy, exploit-free shells are yours for the taking.

-AlexM

P.S. If you're interested in talking about auditing languages, come hit
up Esteban at http://immunityinc.com/infiltrate/ and don't forget to tie
hockey into it somehow.

-- 
Alex McGeorge
Immunity Inc.
1130 Washington Avenue 8th Floor
Miami Beach, Florida 33139
P: 786.220.0600
