Clan x86

Technical (Development, Security, etc.) => General Security Information => Topic started by: chuck on August 08, 2007, 02:31:21 pm

Title: Full screen Java popup
Post by: chuck on August 08, 2007, 02:31:21 pm

http://hackademix.net/2007/08/07/java-evil-popups

Kind of scary, but I can still see my menu bar on a mac, so I know what's real and what's not. Also, a simple cmd+w closes it, so much for not being able to close it!

Title: Re: Full screen Java popup
Post by: Newby on August 08, 2007, 02:48:18 pm

... and if you disable java altogether, there's no problem! :D

Title: Re: Full screen Java popup
Post by: iago on August 08, 2007, 02:52:31 pm

Noscript (http://noscript.net/) for the win. :)

Title: Re: Full screen Java popup
Post by: Hdx on August 08, 2007, 10:12:28 pm

I was able to ahve ti go truly fullscreen only when I
1) Unlocked my tray
2) closed all 'docked' windows (Trillian, wigets, etc..)
So..? Not that impressive.
~Hdx

Title: Re: Full screen Java popup
Post by: iago on August 08, 2007, 10:18:42 pm

A lot of people don't have docked programs, so it is rather impressive. And even if it covers your browser only, if you use this to present the user with a fake browser, you can potentially do a lot of damage.

Title: Re: Full screen Java popup
Post by: Joe on August 15, 2007, 08:40:53 am

In case anyone's wondering, I tried this on my dual monitor set up. When I ran the JavaScript test (I'm on Firefox, so, Gecko-based) the PWND window showed up on my default monitor, but the taskbar still showed. My secondary monitor, which I (luckily?) was browsing on at the time, was unaffected.

Apparently I'm in the safe zone. And congrats to iago on 12,000 posts.

EDIT -

Code: [Select]

function popup() {
  if(typeof(java) == "undefined") {
    window.onload = function() {
      document.getElementById("nojava").innerHTML =
         "Your browser doesn't support LiveConnect or you've got Java disabled!";
    };
    return;
  }
  var w = new java.awt.Window(new java.awt.Frame());
  var label = new java.awt.Label("PWND");
  label.setFont(new java.awt.Font("Serif", java.awt.Font.BOLD, 80));
  label.setAlignment(label.CENTER);
  label.setForeground(java.awt.Color.white);
  w.setBackground(java.awt.Color.black);
  w.setLayout(new java.awt.BorderLayout());
  w.add(label, java.awt.BorderLayout.CENTER);
  w.setLocation(0, 0);
  var d = java.awt.Toolkit.getDefaultToolkit().getScreenSize();
  d.height += 80;
  w.setSize(d);
  w.setVisible(true);
}
And I'm sort of laughing a bit now that I realize this can be exploited in Firefox and not Internet Exploder. Wait, what?!?!

Title: Re: Full screen Java popup
Post by: iago on August 15, 2007, 08:50:41 am

This is reportedly exploitable on all major browsers (IE, FF, Opera).

Title: Re: Full screen Java popup
Post by: Joe on August 16, 2007, 02:57:01 am

Eh, it's much easier in Firefox, since in IE you need to download the whole applet and whatnot. It's still as easy to get sucked in, but Firefox facilitates it being done easier for the programmer.

Title: Re: Full screen Java popup
Post by: Chavo on August 16, 2007, 11:37:56 am

Quote from: iago on August 08, 2007, 02:52:31 pm

Noscript (http://noscript.net/) for the win. :)

Noscript is not worth the huge pain in the ass that it is.  This should be a fairly easy to fix exploit.

Title: Re: Full screen Java popup
Post by: iago on August 16, 2007, 12:43:59 pm

Quote from: unTactical on August 16, 2007, 11:37:56 am

Quote from: iago on August 08, 2007, 02:52:31 pm

Noscript (http://noscript.net/) for the win. :)

Noscript is not worth the huge pain in the ass that it is.  This should be a fairly easy to fix exploit.

I don't consider it a pain at all, I have it installed on all my computers. Most good sides (including the SMF forum) can operate 100% without JavaScript.

Title: Re: Full screen Java popup
Post by: Hitmen on August 16, 2007, 12:51:55 pm

I think the internet isn't worth the huge pain in the ass that it is without noscript :|