Java 1.6u4 and Some Old Hacks Revisited
Sun's Java SE 6 Update 4 was released a few weeks ago. It isn't currently showing up on java.com, but it can be downloaded directly from Sun: Java SE Downloads. Read the Java SE 6 Update 4 Release Notes.
There haven't been any specific security advisories posted by Sun, so this may have been a bug-fix-only release. Or maybe they are just waiting.
In any case, I thought it would make sense to revisit some old demonstrations I posted to see if they still worked:
- Corrupted Jars - Online Demonstration
- Java Socket Restrictions, Proxy Servers, and the URLConnection
Both of the online demos are still available and function just as before. So, it doesn't appear there were fixes or changes in either of these two areas.
The JAR file masquerading as an image still loads as an applet:
    $ unzip -l jars.jpg
    Archive:  jars.jpg
    warning [jars.jpg]:  25336 extra bytes at beginning or within zipfile
      (attempting to process anyway)
      Length     Date   Time    Name
     --------    ----   ----    ----
            0  11-20-07 23:06   META-INF/
           68  11-20-07 23:06   META-INF/MANIFEST.MF
         3382  11-20-07 23:06   CorruptedApplet.class
     --------                   -------
         3450                   3 files
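A defender-side check for this kind of file, added here as an example and not taken from the original demonstration: it flags content that starts with image magic bytes yet also parses as a ZIP/JAR, and reports how many bytes precede the first archive entry (the "extra bytes" unzip warns about). The function names and the sample built by `build_sample` are constructed for illustration; the entry names and prefix length mirror the listing above.

```python
import io
import zipfile

# Leading magic bytes of common image formats.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def image_type(data):
    """Return the image format suggested by the leading bytes, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def inspect_upload(data):
    """Return a finding if data is an image that also parses as a ZIP/JAR, else None."""
    kind = image_type(data)
    if kind is None:
        return None
    try:
        # zipfile locates the archive from the end of the file, so it
        # tolerates arbitrary data in front, as archive-based loaders do.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return None
    names = [i.filename for i in infos]
    return {
        "image_type": kind,
        # header_offset is the real file position of each local header.
        "prefix_bytes": min((i.header_offset for i in infos), default=0),
        "entries": names,
        "looks_like_jar": "META-INF/MANIFEST.MF" in names
        or any(n.endswith(".class") for n in names),
    }

def build_sample(prefix_len=25336):
    """Constructed test input: JPEG magic plus filler, followed by a small ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
        zf.writestr("CorruptedApplet.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
    return b"\xff\xd8\xff\xe0" + b"\x00" * (prefix_len - 4) + buf.getvalue()
```

A check like this belongs wherever user-supplied images are accepted and later served from the same origin as the site.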
Results from Linux using the URLConnection class and local proxy server:
    [*] beginning demo
    [*] Firefox detected
    [*] Java is enabled
    [*] LiveConnect present
    [*] found Java plugin: Java(TM) Plug-in 1.6.0_04-b12 (libjavaplugin_oji.so)
    [*] starting pwn
    [*] requesting http://localhost.pseudo-flaw.net:80/
    [*] demo completed
Results from Windows using the URLConnection class and local proxy server:
    [*] beginning demo
    [*] Firefox detected
    [*] Java is enabled
    [*] LiveConnect present
    [*] found Java plugin: Java(TM) Platform SE 6 U4 (npjava11.dll)
    [*] found Java plugin: Java(TM) Platform SE 6 U4 (npjava12.dll)
    [*] found Java plugin: Java(TM) Platform SE 6 U4 (npjava13.dll)
    [*] found Java plugin: Java(TM) Platform SE 6 U4 (npjava14.dll)
    [*] found Java plugin: Java(TM) Platform SE 6 U4 (npjava32.dll)
    [*] found Java plugin: Java(TM) Platform SE 6 U4 (npoji610.dll)
    [*] found Java plugin: Java(TM) Platform SE 6 U4 (npjpi160_04.dll)
    [*] starting pwn
    [*] requesting http://localhost.pseudo-flaw.net:80/
    [*] demo completed
With the corresponding entry and arbitrary referer in the local web-server's Apache logs:
127.0.0.1 - - [30/Jan/2008:05:46:22 -0000] "GET / HTTP/1.1" 200 5258 "http://www.google.com/search?q=pwned&btnI=I%27m+Feeling+Lucky" "Mozilla/4.0 (Linux 2.6.20-16-generic) Java/1.6.0_04 Paros/3.2.13" "-"
Wonder what the next Java update will bring?