Corrupted Jars - Demonstration

The demonstration shows how the Sun Java Runtime Environment (JRE) will load JAR files that have been corrupted. In this example, a picture is prepended to the JAR file so that it appears to be an image and not a JAR file. This approach was suggested by PDP's Java JAR Attacks and Features post.

Getting The Picture

The following image has had a JAR file appended to it. In the browser, it renders as a normal picture. But to the JRE, it appears to be a JAR file with a bunch of junk at the beginning.

Jars of Jelly, by adactio (http://flickr.com/photos/adactio/42127145/)

How It Works

As PDP observed, the JRE seems to be able to process JAR files that have been corrupted. We choose an innocuous format such as JPEG. An applet is created that performs whatever actions against the server that is hosting the applet. The same-origin policy for applets allows the applet to make socket connections back to the server that it was downloaded from (the latest JRE 1.6u3 contains fixes for DNS rebinding that may complicate this, but it should work in most cases).

The page invoking the applet can make XMLHttpRequest connections back to the server it is hosted on. So, if the page and the applet are hosted on two different servers, the JavaScript and applet combination can form a bridge between the two servers.
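The reason the JRE accepts the file is that ZIP readers locate an archive by scanning backwards from the end of the file for the end-of-central-directory record, so whatever precedes the archive (here, a picture) is skipped. The check below is an added example, not code from this page: it is the test a file-upload service could run to reject a picture that also parses as a JAR. All names and the sample bytes are constructed for the example.

```python
import io
import struct
import zipfile

# Magic bytes a file claiming to be a picture should start with.
IMAGE_MAGIC = {"jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record
CDIR_SIG = b"PK\x01\x02"  # central-directory file header

def zip_prefix_length(data: bytes):
    """Bytes a ZIP/JAR reader would skip before the real archive, or None if there
    is none. Readers find the archive by scanning backwards for the EOCD record, so
    we compare where the central directory claims to be with where it really is."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) - eocd < 22:
        return None
    # EOCD: sig(4) disk(2) cd_disk(2) n_here(2) n_total(2) cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    actual_cd = eocd - cd_size
    if actual_cd < 0 or data[actual_cd:actual_cd + 4] != CDIR_SIG:
        return None
    prefix = actual_cd - cd_offset  # claimed offset is relative to the archive start
    return prefix if prefix >= 0 else None

def image_kind(data: bytes):
    return next((k for k, m in IMAGE_MAGIC.items() if data.startswith(m)), None)

def classify_upload(data: bytes) -> str:
    """'image', 'zip', 'image+zip' (picture with an archive appended) or 'other'."""
    kind, prefix = image_kind(data), zip_prefix_length(data)
    if kind and prefix:
        return "image+zip"
    if prefix == 0 and zipfile.is_zipfile(io.BytesIO(data)):
        return "zip"
    return "image" if kind else "other"

def build_sample(image: bytes, members: dict) -> bytes:
    """Test fixture: `image` followed by a small JAR-style archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return image + buf.getvalue()

# Constructed stand-in for a JPEG (SOI/APP0 header, padding, EOI); not a real picture.
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"
SAMPLE_POLYGLOT = build_sample(SAMPLE_IMAGE, {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
```

A server that only checks the leading magic bytes (or the Content-Type) will accept the sample as an image; rejecting anything that classifies as "image+zip", or re-encoding uploaded pictures, removes the appended archive.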

The Code

Try It Out

Try the demo below. Or, download the image above and save it to a web server that you have access to. Then, set the "Codebase" to the directory where the file has been placed. If you change the name of the image, update the "Archive" name. Depending on your JRE version, proxies and DNS settings, the "Direct Socket" option may need to be set to false. When it is false, the applet attempts to use a URLConnection instead.

Demo

(Tested on Linux and Windows using Firefox 2.0.0.9 and 2.0.0.11 with Sun JRE 1.6u3 and 1.6u4)