Java DSN Rebinding + Java Same IP Policy = The Internet Mayhem


This is a short blog post about what could have happened if a malicious user had exploited the issues I found.

If someone has read the post about Java DNS Rebinding and Java applet same IP Host Access probably has come to the same conclusion of what I am going to describe in the next few lines which can be summarized like this:
Java applet implementation could really break the web.

Consider the following points:

Suppose now that evil.tld server hosts a page which forces a DNS Rebinding to IP. Then if a user visits that page, Java VM applet sandbox will think that and evil.tld share the same IP.
According to Java Same IP Origin Policy it will be possible from then to read pages.

Extend the attack to any possible host. And you'll see the extent of the issue.

Now, someone could say DNS Rebinding is difficult to implement.Yes, Could be.
Then, think about Xss and the possibility to use java.* and Packages.* objects from javascript on any browser.
Considering that Xss are still one of the most widespread vulnerabilities on the web (50% of world sites?), you'll got another picture.

Finally, a malicious page could use classical History steal or other logged in detection techniques to understand if the victim is logged to some site and you got the bigger attack flow.

This attack could have created a big internet (client side) mayhem.

This is fortunately no more feasible because I made responsible disclosure to Oracle and waited for 6 long months before disclosing all the 7 issues.

Now that Java update is out everybody is suggested to install it.
Oh, and if you don't really need Java I suggest you to uninstall it definitely...and that is the saddest thing.