web application security lab

Writeup on Java Decompiling Issues

Luny wrote me a really good email the other day that I think deserves posting here, as it shows a lot of the issues with Java applications and how they aren't as secure as many people assume. Luny does a good job showing some of the decompiling and traffic analysis necessary to figure out where their holes are:

Hey RSnake, it's Luny. I'm writing you this email in regards to trying to learn a little more about website analysis and security in general. I thought about trying this on a website called anywebcam.com. The site uses Java applets to communicate with the cams and users. There's more info below on what I've found.

My dissection of anywebcam.com and their broadcaster.exe software.

Tools used:

Wireshark
PEiD
W32DASM

First I used http://www.youfucktard.com/tool-awcsignup.php to create a quick and easy dummy account.

Then I opened the URL to AWC's main Java applet in a new browser and viewed the source.

http://www.anywebcam.com/awc/servlet/dispatch?CMD=cmd.applet

Applet info from the page source (smart quotes and the [script] escaping restored to the original markup):

<script type="text/javascript" language="javascript">

var height = '100%';
var width = '100%';
var browser = '';
var bc = '4000';
var bcb = 'Y';
var u = 'Perv36166';
var debug = '0';
var i = '3660667';
var sp = 'N';
var op = '';
var y = '1';
var x = '0';
var d = '1';
var s = 'ayLEAfEQqQZa';
var cam = '';
var t = 'N';
var f = 'N';
var m = 'N';
var ap = 'N';
var type = 'application/x-java-applet';
var l = 'EN';
var cp = '8080';
var fi = '';
var si = '10000';
var sites = 'ANYwebcam.com 10000,Popular.com.br 10001,ANYwebcam.de 10002,Italian 10003,Dutch 10004,Français 10005,German 10006,Português 10007,Spanish 10008,Chinese 10009,Japanese 10010,Greek 10011,Danish 10012,Norweigan 10013,Swedish 10014,';
var version = 'awc40040';
</script>
<script language="javascript" type="text/javascript" src="/awc/html/common/include/prototype/prototype-1.3.1.js"></script>
<script language="javascript" type="text/javascript" src="/awc/html/common/include/applet.js"></script>

((The var sites is set so that if a user tried to run the applet from any domain other than those listed, the applet would come back with an auth error. I've decompiled the jar archive before using Decafe and then went over the class files.))

Using Wireshark to monitor packets from the url http://www.anywebcam.com/awc/servlet/dispatch?CMD=cmd.applet we find several packets of interest:

GET /awc/html/common/include/prototype/prototype-1.3.1.js HTTP/1.0..Accept: */*..Referer: http://www.anywebcam.com/awc/servlet/dispatch?CMD=cmd.applet..Accept-Language: en-us..If-Modified-Since: Thu, 17 Nov 2005 23:57:32 GMT..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)..Host: www.anywebcam.com..Connection: Keep-Alive..Cookie: style=null; user=Perv63556; password=Perv63556; save=true; domainid=10000; JSESSIONID=ayLEAfEQqQZaSC0ox_; __utma=185107961.63224804.1166436330.1166441978.1166473462.8; __utmb=185107961; __utmz=185107961.1166436330.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmc=185107961…. =

TTP/1.1 304 Not Modified..Server: Zeus/4.2..Date: Mon, 18 Dec 2006 20:25:22 GMT..Accept-Ranges: bytes..Connection: Keep-Alive..

PASS f7LA5r5etl3xoA..NICK Perv36166..USER 3660667^01 8 * :ayLEAfEQqQZa..

GET /res/camstest.gz?0.7875709682863306 HTTP/1.1..Cache-Control: no-cache..Pragma: no-cache..User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.5.0_06..Host: www.anywebcam.com..Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2..Connection: keep-alive..Content-type: application/x-www-form-urlencoded..Cookie: style=null; user=Perv63556; password=Perv63556; save=true; domainid=10000; JSESSIONID=ayLEAfEQqQZaSC0ox_; __utma=185107961.63224804.1166436330.1166441978.1166473462.8; __utmb=185107961; __utmz=185107961.1166436330.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmc=185

GET /res/imlive.gz?0.6335720412131307 HTTP/1.1..Cache-Control: no-cache..Pragma: no-cache..User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.5.0_06..Host: www.anywebcam.com..Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2..Connection: keep-alive..Content-type: application/x-www-form-urlencoded..Cookie: style=null; user=Perv63556; password=Perv63556; save=true; domainid=10000; JSESSIONID=ayLEAfEQqQZaSC0ox_; __utma=185107961.63224804.1166436330.1166441978.1166473462.8; __utmb=185107961; __utmz=185107961.1166436330.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmc=185107961..

NOTICE AUTH :*** Checking Ident.
(Ahh, we see it logging on to an IRC server)

HTTP/1.1 200 OK..Server: Zeus/4.2..Date: Mon, 18 Dec 2006 20:25:26 GMT..Content-Length: 9172..Accept-Ranges: bytes..Content-Type: application/octet-stream..Last-Modified: Mon, 18 Dec 2006 20:25:01 GMT
[9172 bytes of gzip-compressed binary body follow; the gzip header carries the original filename channels10000.dat]

NOTICE AUTH :*** No Ident response..

hmmm..connecting to IRC?

HTTP/1.1 304 Not Modified..Date: Mon, 18 Dec 2006 20:23:35 GMT..Server: Apache/1.3.37 (Unix) PHP/4.4.4..Connection: Keep-Alive, Keep-Alive..Keep-Alive: timeout=15, max=99..ETag: "1a435b-162-445cc076"....

(Here we see the connect was successful & MOTD. They appear to be using ircd-hybrid 7.0 too)

:chat1.anywebcam.com 001 Perv36166 :Welcome to the ANYWebcam Internet Relay Chat Network Perv36166..:chat1.anywebcam.com 002 Perv36166 :Your host is chat1.anywebcam.com[208.50.46.60/8080], running version hybrid-7.0..:chat1.anywebcam.com 003 Perv36166 :This server was created Fri Apr 15 2005 at 02:07:48 EDT..:chat1.anywebcam.com 004 Perv36166 chat1.anywebcam.com hybrid-7.0 oiwszcerkfydnxbaugl biklmnopstveIha bkloveIh..:chat1.anywebcam.com 005 Perv36166 WALLCHOPS KNOCK EXCEPTS INVEX MODES=4 MAXCHANNELS=50 MAXBANS=100 MAXTARGETS=999 NICKLEN=48 TOPICLEN=120 KICKLEN=120 :are supported by this server..:chat1.anywebcam.com 005 Perv36166 CHANTYPES=#& PREFIX=(ohv)@%+ CHANMODES=eIb,k,l,imnpsta NETWORK=ANYWebcam CASEMAPPING=rfc1459 CALLERID :are supported by this server..:chat1.anywebcam.com 251 Perv36166 :There are 4259 users and 11 invisible on 2 servers..:chat1.anywebcam.com 252 Perv36166 10 :IRC Operators online..:chat1.anywebcam.com 254 Perv36166 87 :channels formed..:chat1.anywebcam.com 255 Perv36166 :I have 4262 clients and 1 servers..:chat1.anywebcam.com 265 Perv36166 :Current local users: 4262 Max: 5353..:chat1.anywebcam.com 266 Perv36166 :Current global users: 4270 Max: 5361..:chat1.anywebcam.com 250 Perv36166 :Highest connection count: 5354 (5353 clients) (781361 connections received)..:chat1.anywebcam.com 375 Perv36166 :- chat1.anywebcam.com Message of the Day - ..:chat1.anywebcam.com 372 Perv36166 :- H300 L3000 P1..:chat1.anywebcam.com 376 Perv36166 :End of /MOTD command…:NickServ!NickServ@Services.Anywebcam.com NOTICE Perv36166 :This nickname is owned by someone else..:NickServ!NickServ@Services.Anywebcam.com NOTICE Perv36166 :If this is your nickname, type /msg NickServ .IDENTIFY. [password]..

PRIVMSG NickServ :REGISTER awc..

GET /awc/servlet/user?u=3660667&a=Perv12464%2CPerv27347%2CPerv36166%2CPerv61441%2CPerv75467%2CPerv9735%2C&p=America%2FChicago_ HTTP/1.1..User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.5.0_06..Host: www.anywebcam.com..Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2..Connection: keep-alive..Content-type: application/x-www-form-urlencoded..Cookie: style=null; user=Perv63556; password=Perv63556; save=true; domainid=10000; JSESSIONID=ayLEAfEQqQZaSC0ox_; __utma=185107961.63224804.1166436330.1166441978.1166473462.8; __utmb=185107961; __utmz=185107961.1166436330.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmc=185107961….

(List of connected users in the channel)

:chat1.anywebcam.com 640 Perv36166 Bethy clogz LadyJoJo satman BLOC Ravyn hoxton doggy34 AussieG synapse neaty kumkee jess Shy sassylady ..:chat1.anywebcam.com 640 Perv36166 Navman dakota1 falcon111 Gillian Ginger_n_TheSkipper isee mustangmike99 Shy sicklizzard Mykey tahoejeff supersk8t roland2 TurkishBen MMS ..:chat1.anywebcam.com 640 Perv36166 SecurityServ Anywebcam2 TriviaBot _Stuart Stuart rolandd synapse_ Jess_ Mailman157 CheesyPoof TurkishBen stuangel AnyWebCam roland ..:NickServ!NickServ@Services.Anywebcam.com NOTICE Perv36166 :Password accepted - you are now recognized..

MemoServ!MemoServ@Services.Anywebcam.com NOTICE Perv36166 :You have no new memos..

Scrolling up some, we see that the IRC server password is f7LA5r5etl3xoA and my nick is Perv36166:

PASS f7LA5r5etl3xoA..NICK Perv36166..USER 3660667^01 8 * :ayLEAfEQqQZa..

So now, let's try and connect to the IRC server (I'll be using mIRC).

/server chat.anywebcam.com:6667 f7LA5r5etl3xoA

And we receive the normal MOTD that was seen in the packets, but now with:

You are banned from this server- Temporary K-line 60 min. - INVALID CLIENT (2006/12/18 16.53)
-
[15:54] Closing Link: 70.156.101.76 (Temporary K-line 60 min. - INVALID CLIENT (2006/12/18 16.53))
-
[15:54] * [10053] Software caused connection abort
-
[15:54] * Disconnected

haha oops. Well we can try and get past that invalid client error later.

Notable URLs found so far (not in any particular order):

http://www.camup.net - it seems anywebcam owns this domain as well and is trying to offer out this service.

http://www.anywebcam.com/res/channels10000.dat - This is a data file that shows all of the IRC channels created on the server.

http://www.anywebcam.com//awc/html/common/include/applet.js - URL to their Java applet. (They have a separate viewer on the site located at http://my.anywebcam.com/viewer.jar which lets people put a webcam viewer on their website to view 1 cam.)

http://www.anywebcam.com/res/imlive.gz?0.6335720412131307 - This is a compressed file with all the imlive girls and urls to them in it. Example:

DarlingDevill,4,http://imlive.com/_/247258/247258O1149644703.jpg,http://imlive.com/wmaster.asp?h=3052400010&WID=123658371255
Xallva,4,http://imlive.com/_/224641/224641O1162308865.jpg,http://imlive.com/wmaster.asp?h=2773193145&WID=123658371255
sweetynicky,4,http://linux4.globalmailer.com/vm/inbox/12i155431/inbox@155431O1121257928.jpg,http://imlive.com/wmaster.asp?h=1918795695&WID=123658371255
MISSKITTEN4u,4,http://imlive.com/_/287925/287925O1164834093.jpg,http://imlive.com/wmaster.asp?h=3554434125&WID=123658371255
xCollegegirl,4,http://imlive.com/_/167251/167251O1166427932.jpg,http://imlive.com/wmaster.asp?h=2064713595&WID=123658371255

I think I'll move on to the broadcaster.exe. There are 3 exe files in that package, which are broadcaster.exe, PV.exe and Bac.exe. All the files were packed with asp 2.11, so using PEiD I unpacked it, then disassembled it in W32DASM. I don't know much assembly language, so the references to text strings weren't very useful. I did see that they are using an SSL connection though. Here's a little info on that:
“SSL_CIPHER_get_bits”
“SSL_CIPHER_get_name”
“SSL_CIPHER_get_version”
“SSL_connect”
“SSL_CTX_check_private_key”
“SSL_CTX_free”
“SSL_CTX_get_verify_depth”
“SSL_CTX_get_version_indy”
“SSL_CTX_load_verify_locations”
“SSL_CTX_new”
“SSL_CTX_set_cipher_list”
“SSL_CTX_set_client_CA_list”
“SSL_CTX_set_default_passwd_cb”
“SSL_CTX_set_default_passwd_cb_userdata”
“SSL_CTX_set_default_verify_paths”
“SSL_CTX_set_info_callback_indy”
“SSL_CTX_set_options_indy”
“SSL_CTX_set_session_id_context”
“SSL_CTX_set_verify”
“SSL_CTX_set_verify_depth”
“SSL_CTX_use_certificate_file”
“SSL_CTX_use_PrivateKey_file”
“SSL_free”
“SSL_get_current_cipher”
“SSL_get_error”
“SSL_get_ex_data”
“SSL_get_peer_certificate”
“SSL_get_session”
“SSL_library_init”
“SSL_load_client_CA_file”
“SSL_load_error_strings”
“SSL_new”
“SSL_peek”
“SSL_read”
“SSL_SESSION_get_id_ctx_indy”
“SSL_SESSION_get_id_indy”
“SSL_set_accept_state”
“SSL_set_connect_state”
“SSL_set_ex_data”
“SSL_set_fd”
“SSL_set_shutdown”
“SSL_shutdown”
“SSL_state_string_long”
“SSL_write”

Perhaps if a breakpoint was set on or before "SSL_CTX_check_private_key" and "SSL_CTX_load_verify_locations" maybe something would be found. I haven't had time to bother with this though, and currently I have no working webcam *laughs*.

Anyways. Is there anything you think I may have missed or overlooked? Any more info to be found, perhaps? I welcome your suggestions and comments. (Not looking for direct answers, but rather to be set on the right path.) RSnake.

- Luny

What can I add to that? Very good writeup. The one thing I would have followed through on is modifying my IRC client's signature to match whatever the server is looking for. Looking at the capture, the applet's registration is just three cleartext lines, PASS, NICK and USER, and the USER line is built from the applet's i parameter (3660667) and its s parameter (ayLEAfEQqQZa, which is also the prefix of the JSESSIONID cookie), so a client that sends those same bytes is the obvious next experiment. Without more information about what that IRC client is doing and how it's communicating it's difficult to know for sure whether there is a hole there, but it feels like there might be.

Obviously transmitting passwords in the clear is bad (the capture shows the account password in the user= and password= cookies as well as the IRC PASS line), but on its own it's not a deal breaker. Anyway, yes, there's lots more that could be done here, but Luny did a great job explaining some of the issues faced when attempting to dissect a Java-based application during a web application security review.
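To make the point about the IRC handshake concrete, here is an added Python example (not code from the original post, and not anywebcam's code). The three registration lines are copied verbatim from Luny's capture; the number after USER is the applet's i parameter and the trailing token is its s parameter. The server side is a constructed mock on localhost: the page only shows that a stock mIRC session was K-lined as INVALID CLIENT, so the assumption that the real server keys on the exact USER line format is mine, as is the "Bad Password" reply. The example runs the applet-style handshake and a stock-client handshake against the mock and returns what each gets back.

```python
import re
import socket
import threading

# Values copied from the capture quoted in the writeup above.
IRC_PASS = "f7LA5r5etl3xoA"
NICK = "Perv36166"
USER_ID = "3660667"        # the applet's  i  parameter
SESSION = "ayLEAfEQqQZa"   # the applet's  s  parameter (JSESSIONID prefix)


def applet_handshake(nick=NICK, user_id=USER_ID, session=SESSION, password=IRC_PASS):
    """Registration lines exactly as the applet sent them over the wire."""
    return (
        f"PASS {password}\r\n"
        f"NICK {nick}\r\n"
        f"USER {user_id}^01 8 * :{session}\r\n"
    )


def mirc_handshake(nick=NICK, password=IRC_PASS):
    """What a stock client sends for  /server host:port password  (constructed)."""
    return (
        f"PASS {password}\r\n"
        f"NICK {nick}\r\n"
        f"USER {nick} 0 * :{nick}\r\n"
    )


# ASSUMPTION: the real server's fingerprint is unknown; this mock rejects any
# USER line that does not have the applet's "<id>^01 8 * :<session>" shape.
USER_RE = re.compile(r"^(\d+)\^01 8 \* :(\S+)$")


def mock_server_response(registration: str, expected_pass: str = IRC_PASS) -> str:
    """Decide, like a mock ircd, whether the registration burst is accepted."""
    cmds = {}
    for line in registration.split("\r\n"):
        if line:
            verb, _, rest = line.partition(" ")
            cmds[verb] = rest
    if cmds.get("PASS") != expected_pass:
        return "ERROR :Closing Link: (Bad Password)\r\n"
    match = USER_RE.match(cmds.get("USER", ""))
    if not match:
        # Same wording the real server used against mIRC in the writeup.
        return "ERROR :Closing Link: (Temporary K-line 60 min. - INVALID CLIENT)\r\n"
    nick = cmds.get("NICK", "")
    return f":chat1.mock 001 {nick} :Welcome to the mock IRC network {nick}\r\n"


def run_exchange(registration: str) -> str:
    """Send one registration burst to the mock server over TCP and return its reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while chunk := conn.recv(4096):   # read until the client half-closes
                data += chunk
            conn.sendall(mock_server_response(data.decode()).encode())

    server_thread = threading.Thread(target=serve)
    server_thread.start()
    with socket.create_connection(("127.0.0.1", port)) as cli:
        cli.sendall(registration.encode())
        cli.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := cli.recv(4096):
            reply += chunk
    server_thread.join()
    srv.close()
    return reply.decode()


if __name__ == "__main__":
    print("applet-style client ->", run_exchange(applet_handshake()).strip())
    print("stock client        ->", run_exchange(mirc_handshake()).strip())
```

The only difference between the two bursts is the USER line, which is why sending the same three lines from a scripted client is the first thing to try before assuming the server fingerprints anything deeper. Everything in the exchange, including the password, crosses the wire in cleartext, exactly as Wireshark showed.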
