You got your JAR in my JPEG

PDP from GNUCITIZEN suggested that Java applets can be loaded from corrupted JAR files. I'm not sure which browser or JRE he was working with, but after following his documented steps I was ready to call shenanigans. Combining a JPEG and a JAR did result in a file that could be opened as an image as well as extracted as a PKZIP archive (a totally old-school, ghetto stego trick). On Mac OS X (with Firefox 2.0.0.9) the corrupted file wouldn't load as an applet, and on Linux the Sun 1.6u3 JRE exhibited the same behavior: the applet would be downloaded, but when processed it wouldn't load.

Finally, as a last resort, I tried Windows and had some success with Firefox and 1.6u3. The JRE would generally load the applet no matter what garbage content was in front of it. I decided I had done something wrong in my Mac and Linux tests and went back to re-test.

After re-testing, Linux appears to be susceptible to this trick as well, but not as consistently. There is some strange cache behavior that appears to influence whether or not the file is recognized as an applet. I'm thinking that if a user visits the file before it has been corrupted, it won't be recognized as an applet later.

I've come to the conclusion that Mac OS X isn't affected by this issue. Apple provides its own Java Environment and there must be some difference that is preventing this trick from working.
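The reason a JPEG-with-a-JAR-glued-on still extracts is that ZIP readers locate the archive from the end of the file (the end-of-central-directory record) rather than from the first byte, so arbitrary leading data is tolerated. The following is an added example, not code from the original post: it builds a constructed sample (a few JPEG-looking marker bytes followed by a small in-memory ZIP that is not a real image or a real applet) and then runs a defender-side check that flags any file that sniffs as a JPEG but also parses as a valid ZIP. The field names in the returned dictionary are my own.

```python
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8\xff"        # JPEG start-of-image marker plus the first segment marker byte
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # ZIP local file header signature
ZIP_EOCD = b"PK\x05\x06"           # ZIP end-of-central-directory signature (found from the end)
EOCD_SEARCH_WINDOW = 22 + 65535    # minimal EOCD record plus the largest possible ZIP comment


def build_jpeg_jar_polyglot() -> bytes:
    """Constructed sample: a JPEG-looking prefix followed by a small ZIP archive.

    The prefix carries only the SOI marker, a fake APP0 segment and an EOI marker;
    it is enough for magic-byte sniffers but is not a decodable picture. The ZIP
    contains a manifest and a text file, so it is a JAR-shaped archive with no code.
    """
    app0 = b"\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
    jpeg_prefix = JPEG_SOI + app0 + b"\xff\xd9"          # 22 bytes in total
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("note.txt", "constructed sample entry\n")
    return jpeg_prefix + buf.getvalue()


def analyze(data: bytes) -> dict:
    """Classify a blob: does it sniff as JPEG, and does it also parse as a ZIP archive?

    A file that satisfies both is a polyglot of the kind described in the post and
    should be treated as an archive (i.e. potential JAR), not as an image.
    """
    result = {
        "looks_like_jpeg": data.startswith(JPEG_SOI),
        "has_zip_eocd": ZIP_EOCD in data[-EOCD_SEARCH_WINDOW:],
        "zip_parses": False,
        "zip_data_offset": None,   # where the first local file header sits, i.e. size of the junk prefix
        "entries": [],
    }
    if result["has_zip_eocd"]:
        try:
            # zipfile reads the EOCD at the end and rebases the offsets, so leading
            # garbage does not stop it from opening the archive; testzip() is None when
            # every entry's CRC checks out.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                result["zip_parses"] = zf.testzip() is None
                result["entries"] = zf.namelist()
                result["zip_data_offset"] = data.find(ZIP_LOCAL_HEADER)
        except zipfile.BadZipFile:
            pass
    result["polyglot"] = result["looks_like_jpeg"] and result["zip_parses"]
    return result


if __name__ == "__main__":
    sample = build_jpeg_jar_polyglot()
    report = analyze(sample)
    print("polyglot:", report["polyglot"])
    print("ZIP starts at byte", report["zip_data_offset"], "with entries", report["entries"])
```

For an upload handler or a proxy the useful check is the last line of `analyze`: reject or quarantine anything whose declared image type also parses as an archive, instead of trusting the magic bytes at offset zero. The same end-of-file scan is why the different JRE versions in the post disagree; whether the leading bytes are rejected depends entirely on whether the loader validates the start of the file or only the archive structure at the end.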

Online demonstration coming soon.

Posted by gfleischer on 2007/11/18 at 22:27 in Hacking
