Dailydave mailing list archives
We need to talk about Java
From: Alex McGeorge <alexm () immunityinc com>
Date: Tue, 01 Oct 2013 10:49:37 -0400
Hello List,

We need to talk about Java. I know you have some strong feelings about the relative merits of Java and its security posture, but it's time to face facts. By requiring the click-through to start an applet, Oracle has changed the game a bit.

Pen-testers, though we like to go to conferences aimed at making us look somewhat villainous by association and make poor hat-related fashion choices, have some abilities that attackers don't. Namely, it's easier for us to register legitimate code signing certificates.

In the past, Java exploits made a ton of sense: you could run an applet which would leverage an exploit without the user knowing. Now the user knows the applet is running. So if the user already has to click through, then why run an exploit when a signed applet can escape the sandbox?

We asked ourselves that same question, then bribed Esteban with some hockey highlight videos and made him write up a new CANVAS module called java_generic_mosdef. If you acquire a Java code signing certificate from a trusted CA and sign the applet, you can get shells without having to use an exploit. See it in action here: http://vimeo.com/75795666

Click-through bypasses, when combined with Java sandbox escapes, will always be valuable, but the click-through code is pretty well understood at this point. So publicly released bypasses are going to be rare until Oracle starts adding more functionality to abuse. There will still be a market for Java exploits for use by the checkbox checker crowd: "is the target vulnerable to CVE-ABCD-WXYZ? Yes/No". But the question with Java now isn't just if you're running a vulnerable version, it's if the user will click through to run the applet. And they will, which means stealthy, exploit-free shells are yours for the taking.

-AlexM

P.S. If you're interested in talking about auditing languages, come hit up Esteban at http://immunityinc.com/infiltrate/ and don't forget to tie hockey into it somehow.

--
Alex McGeorge
Immunity Inc.
1130 Washington Avenue 8th Floor
Miami Beach, Florida 33139
P: 786.220.0600
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
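As an added example (not part of the post, and not CANVAS code), a small Java utility a defender can run against an applet JAR to answer the question the post raises: does this applet carry a signature that chains to a CA the JRE already trusts, so that a click-through would hand it full privileges? It assumes the JRE's bundled cacerts store with its stock password and takes the JAR path as its only argument.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class AppletSignerCheck {
    // Loads the JVM's bundled CA store: the same anchors the Java plug-in trusts by default.
    static PKIXParameters defaultAnchors() throws Exception {
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new java.io.FileInputStream(
                System.getProperty("java.home") + "/lib/security/cacerts")) {
            cacerts.load(in, "changeit".toCharArray());   // stock cacerts password (assumption)
        }
        PKIXParameters params = new PKIXParameters(cacerts);
        params.setRevocationEnabled(false);               // offline check: no OCSP/CRL fetch
        return params;
    }

    // Verifies every signed entry and maps each signer's subject DN to whether its chain
    // PKIX-validates to a bundled CA. Unsigned or tampered entries throw: reject, don't half-trust.
    static Map<String, Boolean> signerTrust(String jarPath) throws Exception {
        Map<String, Boolean> result = new TreeMap<>();
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXParameters anchors = defaultAnchors();
        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify signatures
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry entry = en.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signer data is only populated after the entry is read to EOF; a digest mismatch
                // surfaces as a SecurityException during this read.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192]; while (in.read(buf) != -1) { }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) throw new SecurityException("unsigned entry: " + entry.getName());
                for (CodeSigner s : signers) {
                    CertPath path = s.getSignerCertPath();
                    String subject = ((X509Certificate) path.getCertificates().get(0))
                            .getSubjectX500Principal().getName();
                    boolean trusted;
                    try { validator.validate(path, anchors); trusted = true; }
                    catch (CertPathValidatorException e) { trusted = false; }
                    result.put(subject, trusted);
                }
            }
        }
        return result;
    }

    public static void main(String[] a) throws Exception {
        signerTrust(a[0]).forEach((dn, ok) -> System.out.println((ok ? "TRUSTED   " : "UNTRUSTED ") + dn));
    }
}
```

A TRUSTED line is exactly the case the post describes: a publicly trusted CA vouches for the signer, so the only thing standing between the applet and the host is the user's click; pair the check with a deployment rule set or an allowlist of expected signer DNs rather than relying on CA trust alone.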