web application security lab

DNS Rebinding In Java Is Back


Stefano Di Paola has an interesting article about DNS Rebinding in Java. Apparently he’s found a way to bring back some of the older exploits that were supposedly fixed in Java back in the 2007-2008 timeframe. Really cool read. Halfway through reading it I realized that this would enable exploits like the one where sites often have tied back to The old exploit worked in that if you could ever find an XSS in a local service you could set cookies for domain, or read any cookies that were set to the entire domain. It’s a nasty exploit, but rare because there don’t tend to be a lot of local services installed on desktop computers that are vulnerable to XSS by default.

Then I kept reading and he enumerates that exact use case - great minds think alike! Anyway, this apparently will be fixed in a future update, but now that we’ve seen DNS rebinding hit Java twice, I think Java needs to have a much more critical eye. Things like this shouldn’t be sitting around for years before they’re noticed. Like inter-protocol exploitation, this research needs a lot more eyes. Great work by Stefano!
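The local-service scenario above only works if the rebinding step succeeds: the attacker's hostname ends up resolving to the victim's own machine and the browser (or JVM) sends the request there. Two defender-side checks that break that step, a Host header allowlist on the local service and a resolver-side filter that refuses public names resolving to local addresses, are shown here as an added Python example (not code from the post or from Stefano's article); LOCAL_HOSTS and the sample names in the comments are assumptions.

```python
import ipaddress
from typing import Iterable

# Assumption: the local service only legitimately answers for loopback names.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_header_ok(host_header: str) -> bool:
    """Accept a request only if its Host header names the loopback service.

    In a rebinding attack the request reaches the service through the
    attacker's hostname (constructed example: attacker.example resolving to
    127.0.0.1), so the Host header carries that foreign name even though the
    TCP connection itself is local. Refusing the foreign name blocks it.
    """
    host = host_header.strip().lower()
    if host.startswith("["):
        # Bracketed IPv6 literal: keep "[::1]", drop any ":port" after it.
        host = host.split("]", 1)[0] + "]"
    else:
        # Hostname or IPv4 literal: drop an optional ":port" suffix.
        host = host.split(":", 1)[0]
    return host in LOCAL_HOSTS


def rebinding_answer(name: str, answers: Iterable[str]) -> bool:
    """Return True if a DNS answer for a non-local name points at a loopback,
    link-local or private address.

    That is exactly the answer a rebinding attack needs for its second
    resolution; a filtering resolver can drop such answers for any name it
    does not itself consider internal (here only "localhost" is exempt).
    """
    if name.lower().rstrip(".") == "localhost":
        return False
    for answer in answers:
        ip = ipaddress.ip_address(answer)
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            return True
    return False
```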

3 Responses to “DNS Rebinding In Java Is Back”

  1. Joshbw Says:

    There are a lot of other reasons why Java needs to have a much more critical eye:

    I gave up on client side Java a long time ago. Most of the apps using it are utterly terrible and Sun/Oracle can’t seem to write a secure runtime for clients. A JVM is not touching my desktop.

  2. Stefano Di Paola Says:

    Hey Robert, thanks for the kind words :)

    I hope the issue has been fixed in Java update 22. But I didn’t check if there are any bypasses.

    Consider reading the following post:

    which describes what could happen when combining DNS Rebinding and the Java Same IP Origin Policy.

  3. Sasha Says:

    Java has many dark alleys.

    Java Remote Method Invocation (RMI) for JS LiveConnect for example: java.rmi in JavaScript:

    // LiveConnect exposes the java.* packages to page JavaScript
    c = java.rmi.registry.LocateRegistry;
    r = c.getRegistry("");    // registry handle for the default host and port
    s = r.lookup("lol");      // stub for the remote object bound under the name "lol"

    Then the attacker can set up and run his own remote java application that allows any IP to communicate with that client, thus bypassing SOP. Not to mention Naming.rebind() :D

    So yeah, running Java in your browser these days is asking for problems. Enjoy. ;)