Saturday, January 24, 2009

Applet Of Death FULL DISCLOSURE!

Proof of concept: how an innocent-looking applet can harm or take control of your PC.

This is a demonstration of how a Java applet can harm your PC. We have not seen anybody exploiting Java applets yet, but a rogue website hosting a rogue signed applet is as dangerous as an ActiveX control: it means full control of the system of whoever visits that website and accepts the security warning. The security warning dialog that Sun shows for a signed applet is very weak and says nothing about harm to your PC. The applet I am going to demonstrate will not do any harm; it will only fire up calc.exe, which is in the Windows System32 folder (provided that the user runs the applet as Administrator).

This applet can be made to run any application under the browsing user's privileges by simply replacing this line:

p = Runtime.getRuntime().exec(System.getenv("windir")+"\\system32" +"\\calc.exe");

with any exe you want to run :)

For example:

p = Runtime.getRuntime().exec(System.getenv("windir")+"\\system32" +"\\cmd.exe /c format c:");

will format the visitor's C: drive!

The steps a visitor needs to take to become a victim are:
1. Go to the web page hosting the applet (the applet can even be made invisible).
2. Accept the certificate warning dialog box that is raised (it is not even a security dialog, just a certificate warning).
3. That's all, you are owned :).
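
A defender-side triage for the pattern described above, added here as an example and not part of the released source: it flags a JAR that is both signed (so it can ask for full privileges) and contains a class whose constant pool references a process-launching API such as the Runtime.exec call shown earlier. The function names, the result keys and the inclusion of ProcessBuilder.start are assumptions of this example.

```python
import io, struct, sys, zipfile

# Payload size of each fixed-width constant-pool tag (JVM spec, section 4.4).
SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# APIs that start an OS process; Runtime.exec is the call used on this page.
PROCESS_APIS = {("java/lang/Runtime", "exec"), ("java/lang/ProcessBuilder", "start")}

def method_refs(data):
    """Return {(class_name, method_name)} for each Methodref in a .class file."""
    refs, pool, pos, i = set(), {}, 10, 1
    try:
        if data[:4] != b"\xca\xfe\xba\xbe":
            return refs
        count = struct.unpack(">H", data[8:10])[0]
        while i < count:
            tag, pos = data[pos], pos + 1
            if tag == 1:  # Utf8: u2 length followed by the bytes
                n = struct.unpack(">H", data[pos:pos + 2])[0]
                pool[i] = (tag, data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
                pos += 2 + n
            else:
                pool[i] = (tag, data[pos:pos + SIZES[tag]])
                pos += SIZES[tag]
            i += 2 if tag in (5, 6) else 1  # Long/Double occupy two slots
        for tag, body in list(pool.values()):
            if tag == 10:  # Methodref -> (Class index, NameAndType index)
                cls_i, nat_i = struct.unpack(">HH", body)
                cls = pool[struct.unpack(">H", pool[cls_i][1])[0]][1]
                name = pool[struct.unpack(">HH", pool[nat_i][1])[0]][1]
                refs.add((cls, name))
    except (KeyError, IndexError, TypeError, struct.error):
        pass  # truncated or malformed class: report what was parsed so far
    return refs

def triage_jar(jar_bytes):
    """Flag a JAR that is both signed and able to launch OS processes."""
    signed, launchers = False, []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                signed = True  # signature block file written by jarsigner
            elif upper.endswith(".CLASS") and method_refs(jar.read(name)) & PROCESS_APIS:
                launchers.append(name)
    return {"signed": signed, "launchers": launchers, "flag": signed and bool(launchers)}

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as fh:
        print(triage_jar(fh.read()))
```

A clean result is not proof of safety: a class that reaches the same API through reflection carries no such Methodref, so this check is a first-pass filter only.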

Full Source Code is Released under BSD License.
Enjoy!

Video is done by Arkar WMH.
By v3ss (phyo.arkarlwin@star-nix.net)
StarNix Solutions.

Greetz to : Arkar WMH, Shyaam and Everyone at Evilfingers

More information (Video and the code) can be found HERE.

- EF
