Java Applet Digital Signature Privilege Escalation

Source: Internet
Author: User

This article describes how to use a digital signature to raise a Java applet's access permissions. The environment used in this article is as follows:

OS: Ubuntu 9.10 (64-bit)

Firefox: 3.5.8

JRE: 1.6.0_18 (64-bit)

The Java code and the JSP page code are as follows:

Java code
    // Package taken from the applet tag's code attribute in the JSP page below
    package org.skzr;

    import java.applet.Applet;
    import java.io.BufferedReader;
    import java.io.FileReader;
    import java.io.IOException;
    import java.security.AccessController;
    import java.security.PrivilegedAction;

    public class TestApplet extends Applet {
        private static final long serialVersionUID = 1L;

        // Writes a message to the Java console
        private void info(String msg) {
            System.out.println(msg);
        }

        @Override
        public void init() {
            super.init();
            // Pick a file that exists on the client OS
            readFile("Linux".equalsIgnoreCase(System.getProperty("os.name")) ? "/etc/hostname" : "C:\\boot.ini");
        }

        private void readFile(final String filePath) {
            info("Read File:" + filePath);
            // The file access runs inside doPrivileged, so only this class's own
            // protection domain (the signed JAR) is checked for FilePermission
            String text = AccessController.doPrivileged(new PrivilegedAction<String>() {
                @Override
                public String run() {
                    StringBuilder buffer = new StringBuilder();
                    BufferedReader reader = null;
                    try {
                        reader = new BufferedReader(new FileReader(filePath));
                        while (reader.ready()) buffer.append(reader.readLine());
                    } catch (Exception e) {
                        // Includes the AccessControlException thrown when the JAR is unsigned
                        throw new IllegalStateException(e);
                    } finally {
                        if (reader != null) {
                            try {
                                reader.close();
                            } catch (IOException e) {
                                e.printStackTrace();
                            }
                        }
                    }
                    return buffer.toString();
                }
            });
            info("Read result: " + text);
        }
    }
JSP code
    <%@ page language="java" pageEncoding="UTF-8"%>
    <%
    String path = request.getContextPath();
    String basePath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + path + "/";
    %>
    <html>
    <body>
    <applet id="hh" alt="applet" width="100" height="100"
        code="org.skzr.TestApplet"
        archive="skzr-applet-sign.jar"
        codebase="<%=basePath%>demo" mayscript>
    </applet>
    </body>
    </html>

 

Because clients generally run 32-bit Windows, the export is done with the only 32-bit JDK on the 64-bit Linux machine: jdk1.6.0_14-32.

Export the class above as a JAR package: skzr-applet.jar

Signing (use the same 32-bit JDK: jdk1.6.0_14-32):

1. Create a keystore:

/prog/java/jdk1.6.0_14-32/bin/keytool -genkey -keystore skzr-applet.keystore -alias skzr-applet

2. Sign the JAR:

/prog/java/jdk1.6.0_14-32/bin/jarsigner -keystore skzr-applet.keystore skzr-applet.jar skzr-applet

Put the demo in Tomcat's webapps directory and open http://localhost:8080/demo/index.jsp to test.

 

When index.jsp uses the unsigned package skzr-applet.jar, the console shows an exception:

java.lang.IllegalStateException: java.security.AccessControlException: access denied (java.io.FilePermission /etc/hostname read)

Because I am using Linux, this is the file that is read.

When index.jsp uses the signed package skzr-applet-sign.jar, the console shows that the file is read correctly. Below is the console output:

Console output
    Read File:/etc/hostname
    Read result: skzr
    Basic: applet initialized

The applet's permissions have now been elevated.

[Screenshots: Google Chrome for Linux; Firefox 3.5.8]

Windows has the same effect.

 

Demo: demo.zip
In it, skzr-applet.jar is the unsigned package and skzr-applet-sign.jar is the signed package.
Summary:

1. The JRE policy file does not need to be modified.
If the JAR is signed, the client is prompted whether to trust the signature when the JAR file is loaded and run.

The problem is that if you sign the entire applet JAR, you have to re-sign it every time you re-release it. A better way is to move the code that needs elevated permissions into a JAR of its own; generally this JAR will not change often, and it is the one you sign. Other JAR files (such as the UI) do not need to be signed again even when they are modified.

2. Key point: the classes that perform the permission escalation must be placed in a JAR package, and that package is signed once.

3. Note that code that requires permissions must be executed through a special method,
AccessController.doPrivileged(...). If the user trusts the signature, this code can be executed.
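
One way to apply points 2 and 3 of the summary, as an added example that is not part of the original article: the signed JAR exposes a single narrow operation and validates its argument before entering doPrivileged, so callers in the unsigned JARs (such as the UI) cannot turn it into an arbitrary file read. The package and class name org.skzr.priv.HostInfoReader and the allowlist contents are assumptions.

```java
// Added example: a narrow privileged helper meant to be the only class in the signed JAR.
// Package, class name and allowlist are hypothetical, not from the article.
package org.skzr.priv;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public final class HostInfoReader {
    // Fixed allowlist: the only files the signed code will read on a caller's behalf.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("/etc/hostname")));

    private HostInfoReader() {}

    /** Reads the first line of an allowlisted file with the signed JAR's permissions. */
    public static String read(final String path) throws IOException {
        // Validate BEFORE the privileged block: doPrivileged stops the permission
        // check at this class, so unsigned callers fully control this argument.
        if (path == null || !ALLOWED.contains(path)) {
            throw new SecurityException("path not allowlisted: " + path);
        }
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
                public String run() throws IOException {
                    BufferedReader reader = new BufferedReader(new FileReader(path));
                    try {
                        String line = reader.readLine();
                        return line == null ? "" : line;
                    } finally {
                        reader.close();
                    }
                }
            });
        } catch (PrivilegedActionException e) {
            // run() declares only IOException, so that is the wrapped cause.
            throw (IOException) e.getException();
        }
    }
}
```

The exact-match allowlist also rejects variants such as /etc/../etc/hostname, because the string is compared before any file system access takes place.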
