[RESOLVED] samy.pl bypasses NS content blocking (Java)

milithruldur

[RESOLVED] samy.pl bypasses NS content blocking (Java)

Post by milithruldur » Sat Nov 20, 2010 4:08 am

Any thoughts on how the site at samy.pl manages to bypass NS content blocking for Java? NS manages to block Flash, but not Java. I have set to block Java, Flash, Silverlight, other plugins, a/v tags, and @font-face, and applied the restrictions to whitelisted sites too. I have not previously allowed any embeddings from the site.

Apart from that, if one goes directly to http://samy.pl/natpin/ without going to the main page, and then clicks the "like this (FF/Opera only)" link, which invokes this js code:

Code:

function getNetInfo() {
   var sock = new java.net.Socket();
   sock.bind(new java.net.InetSocketAddress('0.0.0.0', 0));
   sock.connect(new java.net.InetSocketAddress(document.domain, (!document.location.port)?80:document.location.port));
   return sock.getLocalAddress().getHostAddress();
}

then NS doesn't seem to be able to block the Java plugin from loading, even though it is set to block the same, even from whitelisted sites.
It would be quite alarming if such a site can employ workarounds that bypass NS content blocking, as I believe NS mechanisms for content blocking are the best mechanism one can have in Gecko-based browsers that support the extension. Also, viewing the page source for the main page of the site results in a blank page. I guess such anomalies are to be expected from another master coder.

Off topic and a quick inquiry: What could be causing this error message to be logged in the console?

Code:

Error: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMEventTarget.removeEventListener]
Source file: chrome://noscript/content/Main.js
Line: 152

/m
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101028 Firefox/3.6.12 (Palemoon/3.6.12)

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: samy.pl bypasses NS content blocking (Java)

Post by al_9x » Sat Nov 20, 2010 7:57 am

The typical way to invoke the Java VM is via an applet (<embed>, <applet>, <object> tags). This is what NS blocks through its embeddings settings. But Java supports another method called LiveConnect, allowing the calling of the Java API directly through JavaScript, without any embeddings. That's what that page demonstrates. It's likely that NS was never designed to block this. Seems like a good idea though, I wouldn't want any Java running without permission.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

Guest

Re: samy.pl bypasses NS content blocking (Java)

Post by Guest » Sat Nov 20, 2010 8:46 am

al_9x wrote:The typical way to invoke the Java VM is via an applet (<embed>, <applet>, <object> tags). This is what NS blocks through its embeddings settings. But Java supports another method called LiveConnect, allowing the calling of the Java API directly through JavaScript, without any embeddings. That's what that page demonstrates. It's likely that NS was never designed to block this. Seems like a good idea though, I wouldn't want any Java running without permission.

Wouldn't NS block the javascript though?
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: samy.pl bypasses NS content blocking (Java)

Post by al_9x » Sat Nov 20, 2010 9:01 am

Guest wrote:Wouldn't NS block the javascript though?


Yes, JavaScript has to be allowed for it to make LiveConnect Java calls.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

milithruldur

Re: samy.pl bypasses NS content blocking (Java)

Post by milithruldur » Sat Nov 20, 2010 9:44 am

al_9x wrote:It's likely that NS was never designed to block this. Seems like a good idea though, I wouldn't want any java running without permission.

+1

Thanks. Hopefully in the future, NoScript can alert against this type of plugin loading for Java, even better if it can be blocked. This is so that the user may be made aware that by enabling scripting to run in a page, either temporarily or permanently, the content that should've been blocked by the NS content blocker, if configured to be a general content blocker, will run as well.

A user might be wanting to run scripts from a page to allow it to function normally, but then may not be desiring for plugins to come executing without explicit permission.

Having come to know of this technique of running Java content that can bypass content blockers, who knows if the other plugins employ such other techniques as well.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101028 Firefox/3.6.12 (Palemoon/3.6.12)

Giorgio Maone
Site Admin
Posts: 8685
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: samy.pl bypasses NS content blocking (Java)

Post by Giorgio Maone » Mon Nov 22, 2010 3:16 pm

milithruldur wrote:
al_9x wrote:It's likely that NS was never designed to block this. Seems like a good idea though, I wouldn't want any java running without permission.

+1
Thanks. Hopefully in the future, NoScript can alert against this type of plugin loading for Java, even better if it can be blocked.

Notice that it won't run anyway, unless you allow JavaScript.
Also, LiveConnect for Java can be "disabled" (crippled, more exactly) with a simple surrogate:

Code:

noscript.surrogate.nojava.replacement=delete window.java
noscript.surrogate.nojava.sources=*

Since invoking Java code directly from JavaScript this way has almost no use in nowadays websites, I'll probably add this surrogate by default or make a more friendly one which cooperates with the "Blocked objects" feature (maybe by adding an empty applet on the fly to pages which attempt to use this trick and checking whether it gets enabled or not, before granting access to the java.* packages).
Having come to know of this technique of running Java content that can bypass content blockers, who knows if the other plugins employ such other techniques as well.

I know. Other plugins don't, and LiveConnect is already deprecated.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

milithruldur

Re: samy.pl bypasses NS content blocking (Java)

Post by milithruldur » Tue Nov 23, 2010 12:37 am

Giorgio Maone wrote:I know. Other plugins don't, and LiveConnect is already deprecated.


Thanks for the update.

Giorgio Maone wrote:I'll probably add this surrogate by default or make a more friendly one which cooperates with the "Blocked objects" feature (maybe by adding an empty applet on the fly to pages which attempt to use this trick and checking whether it gets enabled or not, before granting access to the java.* packages).


It would be nice to have that as well, so that it can be enabled at will via the menu.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101028 Firefox/3.6.12

Giorgio Maone
Site Admin
Posts: 8685
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: samy.pl bypasses NS content blocking (Java)

Post by Giorgio Maone » Tue Nov 23, 2010 11:38 pm

Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: samy.pl bypasses NS content blocking (Java)

Post by al_9x » Wed Nov 24, 2010 2:18 am

Giorgio Maone wrote:Please check latest development build.


You are disabling the Java plugin (in the plugin manager), and it doesn't get re-enabled even when Java blocking or "apply to trusted" is turned off, nor when you allow it through the blocked objects menu.

Code:

<button onclick="alert(java.lang.Math.PI);">PI</button>

Why touch the plug-in at all? Isn't killing window.java sufficient? NS approach has always been blocking otherwise enabled content. Disabling, rather than blocking, doesn't seem right.
Last edited by al_9x on Wed Nov 24, 2010 6:18 am, edited 2 times in total.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101122 Firefox/3.6.13

milithruldur

Re: samy.pl bypasses NS content blocking (Java)

Post by milithruldur » Wed Nov 24, 2010 2:52 am

As pointed out, it doesn't enable the blocked LiveConnect object. Test case using the samy.pl website: enabling the blocked java-vm object doesn't run the code, nor does the Java console systray icon appear. The NS icon still shows blocked content even though it was previously temporarily allowed.

Normal Java blocking via the tags doesn't seem to be affected.
Mozilla/5.0 (Windows NT 5.1; rv:2.0b7) Gecko/20101111 Firefox/4.0b7

Giorgio Maone
Site Admin
Posts: 8685
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: samy.pl bypasses NS content blocking (Java)

Post by Giorgio Maone » Wed Nov 24, 2010 11:33 am

al_9x wrote:You are disabling the java plugin (in the plugin manager)

Yes, this is needed in order not to make Firefox start a JVM each time we replace the Packages and the java window properties for interception.
Unfortunately, the way Gecko implements these "features" makes a JVM be started each time these properties are resolved, therefore there's no way to safely touch them (even just with a delete statement or a re-declaration) unless the plugin is disabled outright.
al_9x wrote:, and it doesn't get re-enabled

This is actually a bug I'm trying to spot and fix. If you look at the code, it should be clear that the intention is re-enabling it as soon as the java-related properties have been replaced for interception (i.e. before the page starts to be parsed).
On a side note, this bug doesn't happen on Minefield, where this system works beautifully, pending some reloading inconsistencies which I'm fixing as well.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: samy.pl bypasses NS content blocking (Java)

Post by al_9x » Wed Nov 24, 2010 1:11 pm

So java will have to be toggled for every script allowed doc? Is that a sufficiently lightweight operation to do frequently? Perhaps most of it can be optimized away. When forbid java + apply to trusted is set, could java just be kept disabled, until activated somewhere? If placeholder creation still works with java disabled, this will keep it off most of the time without any toggling.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101122 Firefox/3.6.13

Giorgio Maone
Site Admin
Posts: 8685
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: samy.pl bypasses NS content blocking (Java)

Post by Giorgio Maone » Wed Nov 24, 2010 2:54 pm

al_9x wrote:So java will have to be toggled for every script allowed doc?

Yes, unless you allowed Java for that site.
al_9x wrote:Is that a sufficiently lightweight operation to do frequently?

Not sure. I measured it at about 100ms on a 2.4GHz processor (multicore doesn't make any difference since it happens all in one thread).
It's not huge, but not negligible either...
al_9x wrote:Perhaps most of it can be optimized away. When forbid java + apply to trusted is set, could java just be kept disabled, until activated somewhere? If placeholder creation still works with java disabled, this will keep it off most of the time without any toggling.

It sounds attractive, but it would probably lead to confusion and bad surprises: when you go, for any reason, to disable the plugin manually you find it's already disabled, but when you uninstall NoScript it gets silently enabled again?
However, as soon as any Java is allowed anywhere, we should fall back again to toggling, I'm afraid.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: samy.pl bypasses NS content blocking (Java)

Post by al_9x » Wed Nov 24, 2010 6:59 pm

Giorgio Maone wrote:It sounds attractive, but it would probably lead to confusion and bad surprises: when you go, for any reason, to disable the plugin manually you find it's already disabled, but when you uninstall NoScript it gets silently enabled again?

It could be confusing, but considering how little Java is used in the browser, I think it's worth avoiding any regular hackrobatics for its sake.

Also it's almost a feature: java is so off (until you need it) that it can't even theoretically harm you.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101122 Firefox/3.6.13

Giorgio Maone
Site Admin
Posts: 8685
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: samy.pl bypasses NS content blocking (Java)

Post by Giorgio Maone » Wed Nov 24, 2010 7:15 pm

Made some tests, and it's definitely not worth the effort, the complexity and the confusion.
In fact, disabling and re-enabling the plugin is a matter of 5 milliseconds, while the bulk of the time taken by the LiveConnect interception machinery is caused by the first window.java resolution (delete window.java), which triggers lots of Gecko initializations before failing because the Java plugin is disabled.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
