Java 0-day exploit question

Re: Java 0-day exploit question

by Thrawn » Thu Nov 29, 2012 11:41 am

In case you ever want to include non-alphanumeric URL characters - like hyphens and underscores - I would also change \b[\w-]* to (-\w+)* and [\w.]*\b to (\w+\.)*. That way, you could easily change it to, e.g., ([\w_-]+\.)*, and it would work properly. [\w._-]*\b would allow, e.g., 'www_chessgames.com', which is actually a completely different site to chessgames.com.

This would result in:

Code:

application/x-java(-\w+)*@https?://(\w+\.)*(((example)|(chessgames)|(yahoo))\.com)|(yahoo\.net)/.* application/x-silverlight@https?://(\w+\.)*((example)|(microsoft)\.com)/.*

Re: Java 0-day exploit question

by Thrawn » Wed Nov 28, 2012 11:08 am

HamptonHawes01 wrote:

Code:

application/x-java\b[\w-]*@https?://([\w\.]+)?\b(example\.com|chessgames\.com|yahoo\.com|yahoo\.net)/* application/x-silverlight@https?://([\w\.]+)?\b(example\.com|microsoft\.com)/*

I'm amazed that it actually seems to work. Well, it seems to be working correctly.

Bravo! You get an A+ for effort!

I can see some ways to simplify it - like replacing ([]?)+ with []*, using only a single protocol (can you use just https, or is http necessary?), and there's no need to escape dots inside square brackets - but you've done an impressive job.

Also, I don't think that the trailing slash is necessary - I think allowedMimeRegExp just works with hostnames - but if it is, then /* is wrong; it means 'zero or more slashes'. Maybe you meant /.* (slash followed by zero or more arbitrary characters)?
My goal is to set up something that works per domain, is easy to "read" and to edit.

Well, regex was not designed for its aesthetics...but you could separate out the various domains (chessgames.com, yahoo.com, etc) into separate rules, which might make it more readable, at the cost of having more duplication.

I tested the java regex on chessgames.com and at games.yahoo.com and it worked.

I can't test the silverlight regex right now because I don't have it installed (yet).

Fair enough. Are you sure that you'll want Silverlight? I don't have it installed, and never plan to.

HamptonHawes03 wrote: This forum didn't like the end of my post. In fact - I had to edit this post over and over to be able to get it to work.

Yeah, that happens a lot here, because the spam filter doesn't like links, and of course legitimate posts on this forum are full of links.

If you really need to post something, just send it to a moderator via private message, and we can post it for you (we don't get filtered).

Is my regex designed correctly?

It looks pretty good, especially for someone who hates regex.

At games.yahoo.com the tab was sometimes empty before today. I think the problem was due to ads getting blocked. Now that I have a regex - If a site named annoying.com wants to run an ad - will my regex allow it? I actually want the answer to be "Yes." That way annoying.com can do its thing and noscript (or a[d]block) will stop me from seeing the annoyance anyway.

Actually, if it were to be allowed, then NoScript would not block it - but yes, Adblock/ABP might.

But if the ad is coming from a third-party site, then the answer is "no". In my experience, though, things often still work.

OK, here's my attempt at a (slight) improvement on your regex:

Code:

application/x-java\b[\w-]*@https?://[\w.]*\b(((example)|(chessgames)|(yahoo))\.com)|(yahoo\.net)/.* application/x-silverlight@https?://[\w.]*\b((example)|(microsoft)\.com)/.*

Note that I've put brackets around words when separated by |, because otherwise the | would apply only to single characters.
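The regex variants discussed in this post, compared on constructed inputs in an added example (editor's code, not from the thread or from NoScript): it models noscript.allowedMimeRegExp as Giorgio describes it, a space-separated list of regular expressions tested against mime-type@full-url; the thread does not say whether NoScript anchors each entry, so the `anchored` flag is an assumption that lets both readings be checked. It shows the trailing /* versus /.* difference on a look-alike host, and that the top-level | in the Nov 28 revision attaches /.* only to the yahoo.net branch.

```javascript
// Added example (editor's code, not from the thread or from NoScript). Models
// noscript.allowedMimeRegExp as Giorgio describes it: whitespace-separated
// regular expressions tested against "mime-type@full-url". The thread does not
// say whether NoScript anchors an entry; `anchored` picks a reading (assumption).

// Compile every whitespace-separated entry of the pref value.
function compileEntries(prefValue, anchored) {
  return prefValue.trim().split(/\s+/).map(function (src) {
    return new RegExp(anchored ? "^(?:" + src + ")$" : src);
  });
}

// Index of the first entry that permits mimeType at url, or -1 if none does.
function allowedBy(prefValue, mimeType, url, anchored) {
  var key = mimeType + "@" + url;
  var entries = compileEntries(prefValue, anchored);
  for (var i = 0; i < entries.length; i++) {
    if (entries[i].test(key)) return i;
  }
  return -1;
}

// Pref values quoted from the thread (Giorgio's first pair, HamptonHawes01's
// attempt, Thrawn's Nov 28 revision) as JavaScript string literals.
var GIORGIO = "application/x-java\\b[\\w-]*@https?://chessgames.com/.* " +
  "application/x-silverlight@https?://research\\.microsoft\\.com/.*";
var HAMPTON = "application/x-java\\b[\\w-]*@https?://([\\w\\.]+)?\\b" +
  "(example\\.com|chessgames\\.com|yahoo\\.com|yahoo\\.net)/* " +
  "application/x-silverlight@https?://([\\w\\.]+)?\\b(example\\.com|microsoft\\.com)/*";
var THRAWN = "application/x-java\\b[\\w-]*@https?://[\\w.]*\\b" +
  "(((example)|(chessgames)|(yahoo))\\.com)|(yahoo\\.net)/.* " +
  "application/x-silverlight@https?://[\\w.]*\\b((example)|(microsoft)\\.com)/.*";

// Constructed inputs; ".invalid" is a reserved TLD standing in for an
// unrelated third-party host.
var JAVA = "application/x-java-applet";
var FLASH = "application/x-shockwave-flash";
var GAME = "http://chessgames.com/perl/chessgame?gid=1";
var SUB = "http://www.chessgames.com/perl/chessgame?gid=1";
var LOOKALIKE = "http://chessgames.com.evil.invalid/applet"; // a different site
var PATH_TRICK = "http://evil.invalid/yahoo.net/movie.swf";  // "yahoo.net/" only in the path

// Giorgio's "/.*" rejects the look-alike host; Hampton's "/*" (zero or more
// slashes) accepts it unanchored; Thrawn's top-level "|" makes "(yahoo\.net)/.*"
// a branch of its own, so any URL merely containing "yahoo.net/" matches it.
console.log(allowedBy(GIORGIO, JAVA, LOOKALIKE, false));   // -1
console.log(allowedBy(HAMPTON, JAVA, LOOKALIKE, false));   // 0
console.log(allowedBy(THRAWN, FLASH, PATH_TRICK, false));  // 0
console.log(allowedBy(THRAWN, JAVA, SUB, true));           // -1: "/.*" is not in this branch
```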

Re: Java 0-day exploit question

by HamptonHawes03 » Wed Nov 28, 2012 2:50 am

This forum didn't like the end of my post. In fact - I had to edit this post over and over to be able to get it to work.

---

Questions

= Is my regex designed correctly?

= At games.yahoo.com the tab was sometimes empty before today. I think the problem was due to ads getting blocked. Now that I have a regex - If a site named annoying.com wants to run an ad - will my regex allow it? I actually want the answer to be "Yes." That way annoying.com can do its thing and noscript (or a[d]block) will stop me from seeing the annoyance anyway.

Re: Java 0-day exploit question

by HamptonHawes01 » Wed Nov 28, 2012 2:44 am

I'm the original poster.

For months I've been allowing sites each time by clicking the noscript icon.

Today I tried to create a per site regex.

God, do I hate regex. After much gnashing of teeth - I came up with this:

Code:

application/x-java\b[\w-]*@https?://([\w\.]+)?\b(example\.com|chessgames\.com|yahoo\.com|yahoo\.net)/* application/x-silverlight@https?://([\w\.]+)?\b(example\.com|microsoft\.com)/*

I'm amazed that it actually seems to work. Well, it seems to be working correctly.

My goal is to set up something that works per domain, is easy to "read" and to edit.

If it's designed correctly - it should allow an entire domain to run java or silverlight.

In other words - right now it's set up...

for java - example.com, chessgames.com, yahoo.com (yahoo.net is in there just in case)

for silverlight - example.com, microsoft.com

I tested the java regex on chessgames.com and at games.yahoo.com and it worked.

I can't test the silverlight regex right now because I don't have it installed (yet).

Re: Java 0-day exploit question

by therube » Fri Aug 31, 2012 3:39 pm

(
Even though Adobe has released patches for this 0-day, there appears to be a spin on the (or another) vulnerability such that you are still vulnerable even with the latest patch installed.

Additionally: [Java Not Blocked in 17].
)

Re: Java 0-day exploit question

by tlu » Fri Aug 31, 2012 3:34 pm

Giorgio Maone wrote: @tlu: I've got no idea of why your mime-type@site.com rules appear to work.
They shouldn't.

Okay, I repeated my tests and found the following:

1. On http://java.com/en/download/installed.jsp?detect=jre the rule seems to work: The code that tried to detect my java version didn't come to an end. (However, this might be influenced by the fact that I don't use Oracle Java but Icedtea.)
2. http://javatester.org/version.html recognized my version as 1.6.0_24 from Sun Microsystems.

On some other sites I tested java also worked. In my earlier tests I might have forgotten to allow plugins via click-to-play. :evil: (However, on some sites the CTP symbol was not displayed in FF as it should - this might have contributed to my error.)

I stand corrected. :oops:

Re: Java 0-day exploit question

by Giorgio Maone » Thu Aug 30, 2012 10:38 pm

HamptonHawes01 wrote: In the about:config preference I can only use spaces to separate one "chunk" of code from another, right?

Right
HamptonHawes01 wrote: What do I use as a separator between URLs?

They're not URLs, but regular expressions which are matched against the
mime-type@full-url
string at load time.

Therefore, to accomplish what you seem to be wanting to accomplish, you need to assemble your URL patterns using parenthesized groups and the vertical pipe ("|") as the separator, like this:

Code:

application/x-java\b[\w-]*@https?://(?:chessgames\.com|example\.com)/.* application/x-silverlight@https?://(?:research\.microsoft\.com|example\.com)/.*

As I said, not "point-and-click easy", but easy enough if you know regular expressions.

Re: Java 0-day exploit question

by HamptonHawes01 » Thu Aug 30, 2012 10:26 pm

Giorgio Maone wrote: You need to check NoScript Options|Embeddings|Apply these restrictions to whitelisted sites as well, then use the noscript.allowedMimeRegExp about:config preference to specify your whitelist.
HamptonHawes01 wrote:
  • I'd like an example that blocks all Java.
  • I'd like an example that allows Java to only work on chessgames.com
  • I'd like an example that blocks all Silverlight.
  • I'd like an example that allows Silverlight to only work on microsoft.com (or even better only research.microsoft.com).

  1. NoScript Options|Embeddings|Apply these restrictions to whitelisted sites as well must be checked, like Forbid Java and Forbid Silverlight on the same panel.
  2. the noscript.allowedMimeRegExp about:config preference must contain the following entries:

    Code:

    application/x-java\b[\w-]*@https?://chessgames.com/.* application/x-silverlight@https?://research\.microsoft\.com/.*

A few quick questions before I hunker down to figure everything out...

  • In the about:config preference I can only use spaces to separate one "chunk" of code from another, right?
  • What do I use as a separator between URLs? In other words - can I use a semi-colon like this?

    Code:

    application/x-java\b[\w-]*@https?://chessgames.com/.*;https?://example.com/.* application/x-silverlight@https?://research\.microsoft\.com/.*;https?://example.com/.*
  • I forgot my third question. Oh, well - I'll be asking more questions later.

Re: Java 0-day exploit question

by Giorgio Maone » Thu Aug 30, 2012 9:15 pm

@tlu: I've got no idea of why your mime-type@site.com rules appear to work.
They shouldn't.
Did you check whether disabling them changes anything?

HamptonHawes01 wrote: Here's my new question - "Is it possible to create a defacto-whitelist for each plug-in?"

Yes it is, but it's not point-and-click easy.
You need to check NoScript Options|Embeddings|Apply these restrictions to whitelisted sites as well, then use the noscript.allowedMimeRegExp about:config preference to specify your whitelist.
HamptonHawes01 wrote:
  • I'd like an example that blocks all Java.
  • I'd like an example that allows Java to only work on chessgames.com
  • I'd like an example that blocks all Silverlight.
  • I'd like an example that allows Silverlight to only work on microsoft.com (or even better only research.microsoft.com).

  1. NoScript Options|Embeddings|Apply these restrictions to whitelisted sites as well must be checked, like Forbid Java and Forbid Silverlight on the same panel.
  2. the noscript.allowedMimeRegExp about:config preference must contain the following entries:

    Code:

    application/x-java\b[\w-]*@https?://chessgames.com/.* application/x-silverlight@https?://research\.microsoft\.com/.*

Re: Java 0-day exploit question

by HamptonHawes01 » Thu Aug 30, 2012 3:17 pm

I am now 100% confused.

tlu

I tried the javatester.org page - it worked.

chessgames.com fails. Java loads.

=====

My original question was "Does Noscript have a Java only whitelist?" Okay, so the answer is "No."

Here's my new question - "Is it possible to create a defacto-whitelist for each plug-in?"

If it's possible...

  • I'd like an example that blocks all Java.
  • I'd like an example that allows Java to only work on chessgames.com
  • I'd like an example that blocks all Silverlight.
  • I'd like an example that allows Silverlight to only work on microsoft.com (or even better only research.microsoft.com). Project Tuva is a huge number of lectures by Richard Feynman that requires Silverlight to work. Because of Feynman - I'm willing to allow that bloated piece of proprietary nonsense with possible security holes to run. Otherwise - I don't want it functioning anywhere.
=====

If defacto-whitelists aren't possible - I have a feature request. Please make them possible.

I see zero benefit in allowing things like Java and Silverlight to run on all the sites in my whitelist. I don't trust them. I don't like them. If you don't like your brother-in-law - you might still be okay (more or less) with having him over for the holidays. But you sure don't let him start to live on your couch.

Re: Java 0-day exploit question

by tlu » Thu Aug 30, 2012 1:27 pm

Giorgio,

btw - I am not the only one for whom these rules work. Look what Tom once wrote here.

Re: Java 0-day exploit question

by tlu » Thu Aug 30, 2012 1:22 pm

Giorgio Maone wrote:
tlu wrote: Site java-vm@*.*
Deny

Sorry, there's a misunderstanding here.
Syntax like "java-vm@*" or, more in general, "some-mime-type@some-url" cannot work in ABE (even though it is used in NoScript's Blocked Objects menu) because at the time ABE runs (before hitting the network) the mime type of the loaded resource is unknown.
Therefore ABE cannot help blocking just one type of file, even though you can use it to block *any kind* of plugin embedding (i.e. Java AND Flash AND Silverlight...) except on sites a.com, b.com and c.com with a rule like:

Giorgio, now I'm confused. I tested that rule, and Java was successfully blocked on several test-sites. However, flash still works on, e.g., youtube and other sites which shouldn't be the case according to what you said ... :? Or am I misunderstanding something?

Re: Java 0-day exploit question

by Giorgio Maone » Thu Aug 30, 2012 1:06 pm

tlu wrote: Site java-vm@*.*
Deny

Sorry, there's a misunderstanding here.
Syntax like "java-vm@*" or, more in general, "some-mime-type@some-url" cannot work in ABE (even though it is used in NoScript's Blocked Objects menu) because at the time ABE runs (before hitting the network) the mime type of the loaded resource is unknown.
Therefore ABE cannot help blocking just one type of file, even though you can use it to block *any kind* of plugin embedding (i.e. Java AND Flash AND Silverlight...) except on sites a.com, b.com and c.com with a rule like:

Code:

Site *
Accept from .a.com .b.com .c.com
Deny INCLUDE(OBJ)

Re: Java 0-day exploit question

by tlu » Thu Aug 30, 2012 10:45 am

HamptonHawes01 wrote:
= [checked] Apply these restrictions to whitelisted sites too.
This is checked. Does this matter?

No, that shouldn't matter in this case.

I clicked "OK" and went to this "test page" at chessgames.com

Paul Morphy vs Duke Karl / Count Isouard (1858) "A Night at the Opera"

The Java interface for the chess board still loaded.

I restarted Firefox and went back to the page and the Java interface for the chess board still loaded.

I'm not familiar with that site and didn't try it. However, you can test if Java works for you, e.g., on

http://javatester.org/version.html

and

http://java.com/en/download/installed.jsp

It didn't work for me on either site with the settings I told you.

Re: Java 0-day exploit question

by HamptonHawes01 » Wed Aug 29, 2012 7:38 pm

tlu wrote: Another method: uncheck "Forbid Java" in Noscript Options -> Embeddings tab and add the following rule in Options -> Advanced -> ABE -> User:

Site java-vm@*.*
Deny

This blocks java on any site. If you want to define an exception for sites like, e.g., abc.org or xyz.com, this rule should look like this:

Site java-vm@*.*
Accept from .abc.org .xyz.com
Deny

Details regarding ABE can be found on http://noscript.net/abe/

I don't understand. I can't get it to work.

= [unchecked] "Forbid Java" in Noscript Options -> Embeddings tab
It's now unchecked.

= [checked] Apply these restrictions to whitelisted sites too.
This is checked. Does this matter?

Code:

Site java-vm@*.*
Deny

I put it in SYSTEM. And now the code appears in SYSTEM and in USER.

[checked] Enable ABE

[unchecked] Allow sites to push their own rulesets

[checked] WAN IP

=====

I clicked "OK" and went to this "test page" at chessgames.com

Paul Morphy vs Duke Karl / Count Isouard (1858) "A Night at the Opera"

The Java interface for the chess board still loaded.

I restarted Firefox and went back to the page and the Java interface for the chess board still loaded.
