web application security lab

Java Image Information Leakage And Another Theory

I’ve been sitting on this one for about two years now, and I still haven’t done anything with it, nor do I think it can really work in the way I originally came up with, but I thought it might be better to throw it out to the public in case anyone else has something ingenious in their heads. Several years back when I was first working on cross domain leakage I realized that Java has access to images pulled from remote sites. You can see this with fun things like waves in images or whatever. Flash pretty much took over where Java left off, so not a lot of people went beyond that for animation (what’s the point when Flash makes it so easy?).

But herein lies the information disclosure. The image itself is read by Java and it is linked to from another domain. If Java can parse apart the pixels and perform actions on them (log them to a remote host via form submission), that means it has access to read information from other domains. Now that’s not particularly sexy unless there is some sensitive information in an image (think bill pay services that scan bills in). But what I was really going after is some way for Java to read each pixel of a page (probably an iframe). Sort of a pixel by pixel scan of the underlying page.

Sure the output wouldn’t be text, but an image representation of cross domain information could be almost as valuable (or could be fed through an image-to-text conversion tool). Like I said, this isn’t proven, and I don’t even know if it would ever be possible, but I’ve also not put a ton of thought into it, nor have I sliced and diced a lot of Java programs looking for ways to do this. The obvious trains of thought were using transparent images, calling a page an image, using embeds or other similar things. No, I have no proof that any of this would work, it’s just a theory that I wanted to throw out there in case anyone could think of anything spectacularly ingenious. Take it or leave it.
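The defensive counterpart to the concern above is an origin check in front of pixel access: an image from another domain may be drawn, but its pixels must not be readable by code served from elsewhere (browsers later applied exactly this "tainting" rule to cross-origin drawings on canvas). The following Java class is an added example, not code from the original post; it models that gate over an in-memory image, and the hostnames, the `OriginGatedImage` class and its methods are all hypothetical.

```java
import java.awt.image.BufferedImage;
import java.net.MalformedURLException;
import java.net.URL;

/**
 * Added illustration: a same-origin gate in front of pixel reads.
 * Drawing a cross-origin image is allowed; reading its pixels is not,
 * which is the check that would close the leak described in the post.
 */
public class OriginGatedImage {
    private final BufferedImage image;
    private final boolean tainted;

    private OriginGatedImage(BufferedImage image, boolean tainted) {
        this.image = image;
        this.tainted = tainted;
    }

    /** Two URLs share an origin when scheme, host and effective port all match. */
    static boolean sameOrigin(URL a, URL b) {
        int portA = a.getPort() == -1 ? a.getDefaultPort() : a.getPort();
        int portB = b.getPort() == -1 ? b.getDefaultPort() : b.getPort();
        return a.getProtocol().equalsIgnoreCase(b.getProtocol())
            && a.getHost().equalsIgnoreCase(b.getHost())
            && portA == portB;
    }

    /** Wrap a decoded image, marking it tainted if it was fetched from another origin. */
    static OriginGatedImage wrap(BufferedImage img, URL imageUrl, URL documentBase) {
        return new OriginGatedImage(img, !sameOrigin(imageUrl, documentBase));
    }

    /** Pixel reads are refused for tainted images; the image can still be displayed. */
    int getRGB(int x, int y) {
        if (tainted) {
            throw new SecurityException("pixel read denied: image is cross-origin");
        }
        return image.getRGB(x, y);
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed sample: a 2x2 image with one known red pixel, standing in
        // for an image the applet has downloaded and decoded.
        BufferedImage img = new BufferedImage(2, 2, BufferedImage.TYPE_INT_RGB);
        img.setRGB(0, 0, 0xFF0000);

        // Hypothetical origins: the page hosting the applet, a same-origin image,
        // and an image served by an unrelated site.
        URL base  = new URL("http://applet-host.example/page.html");
        URL same  = new URL("http://applet-host.example/img/a.png");
        URL other = new URL("http://bank.example/statement.png");

        OriginGatedImage allowed = wrap(img, same, base);
        System.out.printf("same-origin pixel: %06X%n", allowed.getRGB(0, 0) & 0xFFFFFF);

        OriginGatedImage blocked = wrap(img, other, base);
        try {
            blocked.getRGB(0, 0);
        } catch (SecurityException e) {
            System.out.println("cross-origin pixel read: " + e.getMessage());
        }
    }
}
```

The check compares scheme, host and effective port rather than just the host string, so `http://site.example` and `https://site.example` are treated as different origins, as a browser would. In a real applet the image would arrive through `Applet.getImage` and be read with `PixelGrabber` or `BufferedImage.getRGB`; the point of the example is that the origin decision has to be made at the moment the pixels are exposed, not at download time.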

8 Responses to “Java Image Information Leakage And Another Theory”

  1. SystemOfAHack Says:

    Hmm I had an idea quite similar to this a month back or so, using flash (although I don’t know how well it supports my intended vector, if at all) frames, and AJAX… hmm, I’ll be looking into it I think.

    p.s stop saying sexy, I’m sure you stole that from me!

  2. Awesome AnDrEw Says:

    I don’t code in Java, but I’ve seen similar things in other languages such as simple CAPTCHA recognition, or image to macro programs. I’m sure if it’s possible to call the image it can be done, but as far as the iframe concept couldn’t the Java replicate the page pixel by pixel, and then store it similar to a high score list in a game?

  3. Jungsonn Says:

    Interesting thought RSnake…

    What about this, -just thought it up while reading your art.- If you can run an applet on a website, it already passed the surfer’s firewall -in a loose sense that is- So, if it is just like the natted IP, it can perform dangerous stuff. IPs are one of them as we know, but what about taking screenshots from the surfer’s browser? Maybe pixel per pixel, but given enough data you can reconstruct it back. Or maybe with some low-tech information leakage like some noise which can be converted back to a greyscale snapshot of the computer’s screen.

    If C or C++ can do this, Java can also. But, a problem with Java is the sandbox around it. There are known techniques to force Java out of its sandbox, but to my knowledge I’ve never seen it done in the wild. So it’s speculation.

    Anyway, it’s my wild -sexy yes ;) contribution.

  4. Jungsonn Says:

    ooops.. looking back on your article it’s almost the same as my comment, did not read it correctly. sorry :D

    But, RSnake what about subliminal channels? Which only leak subtle amounts of information. I’ve been studying these things a bit, and they are sure worth investing some time in. Such subliminal channels, like those used in military equipment, are flaws that were put there intentionally to leak some amounts of information, like encryption keys. Given this fact it could be used in software.

    Anyway, you sparked my imagination just now :) cool stuff to think about on intellectual level.

  5. zeno Says:

    You could use images and steganography to hide your malicious payloads. Simply load up an applet (or call Java via JS, however haven’t done this other than getting an ip addy) and contain the evil payload in an image. Essentially utilizing steganography as a payload channel. Obviously could be reversed with jad but would be more of a pain in the ass for most people.

    It would be interesting if this applied to movie formats as well (some allow scripts). Perhaps have an applet call script within a movie/overload the methods in it in the remote context. Pure speculation/I’m thinking out loud but would be nifty.

    - zeno
    http://www.cgisecurity.com/

  6. Avi D Says:

    I’m not really an expert on Java, and therefore my theory may be based on an incorrect assumption, or an incorrect understanding of this issue.
    However, is Java’s access to the images based on the DOM, for instance the image being denoted by an IMG tag? Or is it something else?
    Because, it would seem that if Java has access to IMG tags, then combining this with CSRF, might allow Java access to any content pulled from another domain? Or did I miss the point of Java’s cross-domain protection?

  7. nerha Says:

    How can you access elements from another domain using AJAX?

  8. devoid Says:

    sorry for the late response on this, but here is my $0.02.

    I am a Java Web Developer, so I have been trying to figure a way to do what you are trying to say, but there really is no straight-forward way to achieve what you are asking. With Applets, you would have to find a way to bypass the SecurityManager of the JVM in which the applet is running to get at the elements in a page which the applet was running, and even then, your access would be severely crippled at best.

    You could, theoretically, create 2 applets that load independently of each other, use one to load a payload, one to download the executor for that payload and display something pretty to mask what is happening behind the scenes, then have some tricky RMI call into the OS that executed the payload (which would most likely have to be implemented in JNI (C++) to bypass the JVM’s independence from the host OS).

    However, that is only a very theoretical possibility.

    Now when JavaFX comes out, things will be very different, you will have direct access to elements on the page, etc.
