Hacking without 0days Drive-by Java

Thu, 25 Oct 2007 16:13:36 GMT
by pdp

From Wikipedia, the free encyclopedia, drive-by download is: "Download of spyware, a computer virus or any kind of malware that happens without knowledge of the user. Drive-by downloads may happen by visiting a website, viewing an e-mail message or by clicking on a deceptive popup window: the user clicks on the window in the mistaken belief that, for instance, it is an error report from his own PC or that it is an innocuous advertisement popup; in such cases, the "supplier" may claim that the user "consented" to the download though he was completely unaware of having initiated a malicious software download". "So what is this then?"

For those of you who have never seen a warning message like the one below, this is the default dialog box you get from the Java Runtime when you run cryptographically signed applets. Signed applets differ from unsigned ones in their security sandbox and level of privilege: once the user approves the dialog, a signed applet can do anything your desktop applications can do, although it runs from within the browser.

[![](/files/2007/10/warning-supermario-3d-nintendo.jpg "Warning Supermario 3D Nintendo PNG")](/files/2007/10/warning-supermario-3d-nintendo.jpg)

The one million dollar question is:

How is that secure? And should Sun rethink the security of their platform?

We know that unaware users will approve anything just to get their game running, or their job done for that matter. This type of attack is by far the simplest to pull off and does not rely on any particular kind of vulnerability. The Java Runtime is the only browser-embeddable object which grants such a degree of access from simple Web pages. Flash, Adobe Reader, and even signed JavaScript (disabled by default) won't allow you to do all of this, mainly because it is highly insecure!

I know that a lot of angry Java developers and many "military grade" (I am certainly not sure what military grade means) exploit hunters may object, but let's be honest here for a moment. Most hacks occur due to simple human mistakes. In the case of the Java Runtime, there is a 50% chance of making the wrong choice. I think that malware authors and botnet operators like this figure a lot, especially when no vulnerability is required to perform the hack... not to mention that the information displayed inside the security warning box can easily be forged so that attackers increase their chances by making the user believe he or she is doing the right thing.

Over the years, I have used this type of attack in a number of scenarios and I am not extremely happy to say this (although I had my fair share of fun), but it works so well that it almost feels surreal. The attached tar file contains a tool which I wrote a long time ago to compile and sign applets and JAR files in a few simple steps. I use it every time I can, just to prove that having Java enabled on a workstation that is part of a large enterprise is kind of a bad idea.

We cannot simply say that Java is insecure and that we should avoid it at all costs. In fact, I think Java is an awesome platform, but it is obvious that although some of its security aspects are spot on, others are seriously lacking any thought.
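As an added example (not pdp's tool or any code from the post), here is a hypothetical Java helper that lists who signed each entry of a JAR and checks whether that signer chains to a CA in the JRE's default truststore; the dialog shown above leaves that judgement to the user, so an administrator can use a check like this to tell a self-signed applet with a plausible-looking CN from a properly chained one. It assumes the JAR path is passed as the first argument and that the default cacerts file sits at its usual location with the default password.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.Enumeration;
import java.util.jar.*;

// Hypothetical helper (not pdp's tool): prints each signer of a JAR and
// whether the signing certificate chains to a CA in the JRE's default
// truststore, or is merely self-signed with a convincing subject name.
public class JarSignerCheck {

    // Loads the JRE's default cacerts; "changeit" is its well-known default password.
    static PKIXParameters trustParams() throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        String path = System.getProperty("java.home") + "/lib/security/cacerts";
        try (InputStream in = new FileInputStream(path)) {
            trust.load(in, "changeit".toCharArray());
        }
        PKIXParameters p = new PKIXParameters(trust);
        p.setRevocationEnabled(false); // offline demo; keep revocation on in real use
        return p;
    }

    public static void main(String[] args) throws Exception {
        PKIXParameters params = trustParams();
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        // verify=true: reading a tampered entry throws SecurityException, and
        // getCodeSigners() is only populated once the entry has been read fully.
        try (JarFile jar = new JarFile(new File(args[0]), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            byte[] buf = new byte[8192];
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain to trigger signature verification */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { System.out.println("UNSIGNED    " + e.getName()); continue; }
                for (CodeSigner cs : signers) {
                    CertPath cp = cs.getSignerCertPath();
                    X509Certificate leaf = (X509Certificate) cp.getCertificates().get(0);
                    boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
                    String verdict;
                    try { validator.validate(cp, params); verdict = "TRUSTED    "; }
                    catch (GeneralSecurityException ex) { verdict = selfSigned ? "SELF-SIGNED" : "UNTRUSTED  "; }
                    System.out.println(verdict + " " + e.getName() + "  signer=" + leaf.getSubjectX500Principal().getName());
                }
            }
        }
    }
}
```

A SELF-SIGNED or UNTRUSTED verdict means the name in the warning dialog is whatever the signer chose to type, which is exactly the forgery the post warns about.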

Archived Comments

pdphoenix3
Very interesting, will have to look into this some more. I mean I used to think Java was useless but pdp has been doing some sick sh.t with it lately, good job man and keep the posts coming, I'm loving them. -pdphoenix3
rado
I like your understanding of hacking - who needs to write exploits nowadays when there are so many simple and clever ways to do the job :) The answer of the $1M question - it is *very* secure from technical point of view since you can't harm the client's PC if he doesn't trust your applet. There is no technology which is protected from human mistakes ...
pdp
rado, very interesting but I have to disagree. It is not secure! Let's compare it with signed JavaScript which can do exactly the same as signed applets. The difference between both is that signed JavaScript is disabled by default (browser preferences) and there is no reason why you should have it enabled. Moreover, compare this with tricking the user into downloading an executable and running it from the desktop: this thing requires more than one step and it looks very suspicious. Not to mention that if you have an anti-virus it is very likely that it will lock the executable if it matches a known signature and your Firewall won't probably let it go out. The chances for something like this to work are like 10%, maybe even less. Let's compare it with browser extensions. The victim needs to first of all approve the supplier. Then wait for 3 seconds and then approve it. The first step requires 3 additional sub-steps, such as right clicking on the pop-up bar, selecting the Approve supplier (whatever it was) option and clicking on the Allow button. An attack, like the one described in the post, which does not require any exploit, can be easily made to look like a legitimate operation (forging the applet name and the certificate CN), and has a 50% chance to succeed is far from good news for the IT industry. Based on personal experience, I know that this thing works more than 50%. It works all the time in fact.
NurBo
pdp you always amaze me keep up the good post man. Im loving it
pdp
The problem with security researchers today is that we converted hacking into science. We care about highly ineffective kernel vulnerabilities and we forget that simplicity is the attackers' best friend all the time. You will spend 3 months developing your exploit and coming up with solutions, where the bad guys will spend no more than 10 minutes and hit more targets than anyone has expected.
rado
pdp, I totally agree that it is very easy to trick the user to execute a signed applet. I just don't think that something is "insecure" if it is not foolproof :) Or maybe I'm wrong ... Anyways, keep up the good work!
waldo
Very interesting. Thanks for the information buddy is really valuable to keep security levels high.
hackathology
pdp, I got to admit that this is one of the coolest tricks that you pulled out of your bag. Respect mate.
moon
thank you
Richard Moore
You say that applets are the only embeddable object that can do this, what about activeX controls?
rezn
Another big problem with signed applets (as currently implemented) is that the dialog which pops up is very similar looking (especially if you just glance quickly) for valid (as in, traceable to a CA trusted by your browser) and invalid signatures. The world would be better if users were not given the choice of consuming things which the computer knows are wrong, at least not without going and explicitly tweaking some settings. Since everyone has now been trained to virtually ignore errors about invalid SSL server certs, people blindly click 'OK' on almost any warning presented to them by the browser. Also, you may discount social engineering attacks as 'lame' or 'irrelevant'. Lots of people do. This is precisely why they are so effective and popular among attackers.
G-Brain
I don't like the title: "Hacking without 0days"? It doesn't even make sense if you think about it. I mean, as opposed to "Hacking _with_ 0days"? Releasing an exploit for software X the same day software X is released _is_ the hack. How do you hack _with_ a 0day? Run the pre-made Perl script? That isn't hacking. The first part of the title makes no sense. Overall: nice article.
pdp
Richard Moore, it is different when it comes to ActiveX controllers. rezn, absolutely! G-Brain, point taken! :)
Technocrat
Good stuff pdp. The weakest link in security is the human element. Clearly things could be changed to better protect non-informed users from themselves...but in the end, the only solution is education. By bringing issues like this into the light, you are helping educate people....nice work.
mogano
Don't know that you get an attack working. How for example can you get some binary stuff (shellcode) running?? That's only an exec command! Other things are not possible like write binfile or ???
pdp
mogano, I am not sure what u are trying to say!
mogano
What can I do with signed applets?? Also stuff like execute arbitrary code (from outside)? (if so, how?)
LiquidBrain
Actually you can execute any command on system... start service, download file... you can do anything...
mogano
how do I download a file for example??
jayjwa
Works for Linux too, as long as the app. exists (ln -s xcalc calc for this example). It does put up a warning box and ask for confirmation that is obvious enough for me, but I can see how some people would click away without checking. Oddly, Firefox (2.0.0.7) also pops up an authentication box (bug?).
mogano
Still only one question from me: How do I download a File using a signed applet? greetz, mogano
pdp
:) what are u building man?
sid
Some of us at Indiana University tried out this type of re-signing and modifying applets in a realistic scenario last year... you're right, it works very well. People don't care about whether or not they should trust an executable; if they expect it, they will click yes no matter what. Check out our results: http://www.indiana.edu/~phishing/verybigad/
diesl0w
Sounds like someone's trying to compile a download/execute payload :)
mogano
we call it: DA BOMB! ;)
pdp
diesl0w, indeed! mogano, DA BOMB? should we watch out for it?
mogano
I've already done something but not on applets. Therefore I asked because I don't think that they have increased the level of system rights. Does someone know that writing (binary) files in (signed) applets works???
kbnet
This guy has a very interesting blog, he has a video which shows an applet patching a binary. Very nice!
kbnet
Sorry, didn't post the URL: http://www.aboulton.blogspot.com
goblert
It is possible to make the applet download and run an executable. I have seen it with my own eyes. It's a very effective way to infect someone.