
Re: Reducing java leakage in windows



In the latest build of xB Browser, if you foolishly trust metasploit to allow
scripts, you get the following results:

Test                  Value         Method   Result
External Address      206.57.47.50  Browser  (CONTROL)
Internal Host         192.168.0.4   Java     (SUCCESS)
Internal Address      192.168.0.4   Java     (SUCCESS)
DNS Server (Java)     unknown       Java     (FAIL)
DNS Server (HTTP)     unknown       Browser  (FAIL)
External NAT (Java)   x.x.x.x       Java     (SUCCESS)
External NAT (Flash)  unknown       Flash    (FAIL)



icmp30 wrote:
> How's it do against the decloak tests at metasploit?
> http://metasploit.com/research/misc/decloak/
> 
> 
> --- Arrakis <arrakistor@xxxxxxxxx> wrote:
> 
>> It appears that Java attacks for causing external IP data to be leaked
>> can be mitigated to some good degree. The upshot is that you can now run
>> Java applets that even when attempting to phone home directly (revealing
>> your IP), they are routed through the socks port and thus Tor or any
>> other socks speaking application. What we are doing is changing the
>> proxy settings of the Java Control Panel in windows. The following will
>> shortly be applied to xB Browser after testing, and I highly suggest it
>> for other proxy programs. Needs lots of testing of course, and I would
>> also like to know if Java applets can acquire the authority to modify
>> that file as well. May require administrative access, but I imagine
>> Vista will popup a priv escalation window. There are probably variations
>> in the directories and syntax if you are running JRE <1.4. A good
>> indicator of old versioning is to see if your shoes employ the use of
>> velcro, you have a pair of 'jams' in your closet, or you've found
>> yourself to be too legitimate to quit.
>>
>> Regards,
>> Steve Topletz
>>
>>
>> -------------
>>
>>
>> 1. Look for $APPDATA\Sun\Java\Deployment\deployment.properties
>> If there is no deployment.properties file there, try all administrative
>> usernames we can enumerate until we find the file. This is not a certainty.
>>
>> 2. Back up deployment.properties to a new file name.
>> 3. Open it up
>> 4. Read and store all lines beginning with "deployment.version"
>> 5. Read and store all lines beginning with "deployment.javapi"
>> 6. Close the file
>> 7. Create a new file deployment.properties where the old one was.
>> 8. Open the file
>> 9. Insert the following lines
>>
>>  #deployment.properties
>>  deployment.system.tray.icon=false
>>  deployment.browser.vm.iexplorer=false
>>  deployment.proxy.socks.host=localhost
>>  deployment.proxy.type=1
>>  deployment.proxy.same=true
>>  deployment.browser.vm.mozilla=false
>>  deployment.capture.mime.types=true
>>  deployment.proxy.socks.port=8080
>>
>> (where port 8080 is your socks port. in Tor, use 9050 by default)
>>
>> 10. Write all previously stored lines from old opened file.
>> 11. Close the new deployment.properties
>>
>> Continue starting your proxy program
>> On program exit...
>>
>> 12. Delete the deployment.properties file we created.
>> 13. Restore the deployment.properties file we backed up.
>>
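The backup / rewrite / restore procedure quoted above (steps 1 to 13), as an added example in Python rather than xB Browser's own code. It assumes nothing about %APPDATA%: the demo works on a constructed deployment.properties in a temporary directory, the SOCKS port is a parameter (9050 for Tor, 8080 in the post), and the sample file contents are made up here to show that deployment.version and deployment.javapi lines survive while the old proxy settings do not.

```python
"""Added example: swap in a SOCKS-proxied Java deployment.properties while a
proxy program runs, then restore the original. Not xB Browser's code; the
sample file, temp path and port are constructed for this demo."""
import os
import shutil
import tempfile
from contextlib import contextmanager

# The lines the post inserts at step 9; the socks port is added separately.
PROXY_SETTINGS = {
    "deployment.system.tray.icon": "false",
    "deployment.browser.vm.iexplorer": "false",
    "deployment.proxy.socks.host": "localhost",
    "deployment.proxy.type": "1",
    "deployment.proxy.same": "true",
    "deployment.browser.vm.mozilla": "false",
    "deployment.capture.mime.types": "true",
}

# Steps 4 and 5: the only lines carried over from the user's original file.
KEEP_PREFIXES = ("deployment.version", "deployment.javapi")


def rewrite_properties(original_text, socks_port=9050):
    """Steps 4-10: build the new file content. Proxy settings first, then the
    deployment.version / deployment.javapi lines kept from the original."""
    kept = [line for line in original_text.splitlines()
            if line.startswith(KEEP_PREFIXES)]
    lines = ["#deployment.properties"]
    lines += [f"{key}={value}" for key, value in PROXY_SETTINGS.items()]
    lines.append(f"deployment.proxy.socks.port={socks_port}")
    lines += kept
    return "\n".join(lines) + "\n"


def parse_properties(text):
    """Minimal key=value reader used to check the result (comments ignored)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


@contextmanager
def socks_proxied_java(props_path, socks_port=9050):
    """Steps 2-13: back up, write the proxied file for the lifetime of the
    'with' block, restore the backup on exit (also on an exception)."""
    backup_path = props_path + ".bak"
    existed = os.path.exists(props_path)
    original = ""
    if existed:
        shutil.copy2(props_path, backup_path)          # step 2
        with open(props_path, encoding="utf-8") as fh:
            original = fh.read()                       # step 3
    with open(props_path, "w", encoding="utf-8") as fh:
        fh.write(rewrite_properties(original, socks_port))  # steps 7-11
    try:
        yield props_path                               # proxy program runs here
    finally:
        if existed:
            shutil.move(backup_path, props_path)       # steps 12-13
        else:
            os.remove(props_path)


# Constructed sample of an existing deployment.properties (not a real user's file).
SAMPLE_ORIGINAL = r"""#deployment.properties
#Mon Jan 01 00:00:00 CST 2007
deployment.version=1.6
deployment.javapi.jre.1.6.0.path=C\:\\Program Files\\Java\\jre1.6.0
deployment.proxy.type=3
deployment.proxy.same=false
"""


def demo(socks_port=9050):
    """Run the procedure in a temp dir; return the parsed properties as seen
    while the proxy is active and again after the original is restored."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "deployment.properties")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_ORIGINAL)
    with socks_proxied_java(path, socks_port):
        with open(path, encoding="utf-8") as fh:
            active = parse_properties(fh.read())
    with open(path, encoding="utf-8") as fh:
        restored = parse_properties(fh.read())
    shutil.rmtree(tmp)
    return active, restored


if __name__ == "__main__":
    active, restored = demo()
    print("while proxied:", active["deployment.proxy.type"],
          active["deployment.proxy.socks.port"])
    print("after restore:", restored["deployment.proxy.type"])
```

The `finally` only covers a clean or exception exit of the Python process; if the proxy program is killed, the `.bak` copy is still on disk for manual recovery, which is why the backup is written before the original is touched. Whether a running applet honours the SOCKS setting is a separate question that this script cannot answer; the decloak results posted above are the test for that.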