JNLP Parameter Injection Attacks to Remote, Persistent, Multi-OS Code Execution – (BIZARRELOVETRIANGLE, FULLCLIP, MOONAGEDAYDREAM)

The team at CYBIR is proud to finally unveil one of our longer term works, a new #webapplication #exploit series: #bizarrelovetriangle #fullclip #moonagedaydream #transmission


This initial work serves to provide an accessible and now acknowledged exploitation technique based on publicly available software, recognized attacks, and vendor acknowledged 0-day exposures across multiple operating systems and software packages from CISCO, DELL, ORACLE, HP, SUPERMICRO, HONEYWELL, and others.

This paper provides essential PoC for JNLP Injection, an example of passive Code Execution Hijacking of JNLP / Java execution through DNS abuses, a novel method of automatic code execution through fundamental flaws in web design. Several JNLP / XML injection attacks against webservers and applications which do not “natively support” the format or provide unsafe parameter checks will also be outlined.

The primary differentiation between JNLP processors and Web Browsers are the markup languages they are primarily designed to process and interpret:

If client controllable parameters are security vulnerabilities and exposures in HTML / web browsers / web applications, they are equally valid security vulnerabilities in JNLP / XML processors, web applications, and server side attacks.  Pseudo-attacks and exploit code are provided to support this assertion.

Essential PoC is contained in this document and is easily reproduced using supplied code and screenshots. Vendor responses and responsible disclosure measures have been included. #triumph

#bluemonday #0days #ransomware #exploit #cybersecurity #cybir #security #jnlp #bizarrelovetriangle #fullclip #informationsecurity #vulnerability #webapplicationsecurity