jar applet - security

Posted: Sun Apr 28, 2013 2:59 pm
by tsetse
Hello,

My scope was to embed a web-based ssh client in my php site. So, I searched on the Internet and I found a jar that suited my site.
This jar file (is it allowed to post here which one I found?) is loaded through <applet>.

My question is whether this file is secure or not, given the fact that this ssh client gives you root permissions on systems, lets you type passwords and log in remotely on other systems (using passwords again). Probably, this jar file could be harmful enough to collect passwords and send them somewhere else, isn't it?

How can I confirm that this code is secure enough? (i.e. tcp dumping - to catch if that file communicates with somewhere else, antivirus scanning)

Thanks a lot :)

Re: jar applet - security

Posted: Sun Apr 28, 2013 4:31 pm
by requinix
How are the credentials passed? Do you still have to log in or does it automatically go in as root? How does it know the root password? Why is root allowed SSH access in the first place?

Re: jar applet - security

Posted: Sun Apr 28, 2013 7:08 pm
by twinedev
I think the main concern OP has is how to make sure that the applet isn't collecting any keystrokes (which would also possibly include logins).

Re: jar applet - security

Posted: Mon Apr 29, 2013 9:42 am
by tsetse
My concern is what twinedev said...

Actually, when the applet is loaded, a shell client appears in my php site and prompts for login and password (for the localhost system, which is the default) --> this logs me in to the localhost as root. Then, I can log in remotely to any other system I am allowed to...

The question is whether that code is dangerous enough to collect such passwords.

a) I guess there are two ways, dumping the traffic --> this is not 100% secure since it may send the passwords in a scheduled way
b) resolve the .jar file to its .class files and then .java files and go through them --> is there any NetBeans module or other, where I can unpackage the .jar file? I am not sure if this can be done

Re: jar applet - security

Posted: Mon Apr 29, 2013 12:42 pm
by requinix
The client could run a shell command that downloads and executes a malicious binary; could be difficult to see that just dumping traffic.

.jar files are packaged .class files but you'd still have to decompile the .class intermediate code to a human-readable version. Which is possible to do. Seeing the source code is the only way you can be sure what the client actually does.
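To make the decompilation route from the last two posts concrete without a full decompiler, here is an added example (my code, not the applet's and not from anyone in this thread) that does the first, cheap pass a reviewer would do before reading decompiled source: open the .jar as a zip, parse the constant pool of every .class file, and list which JDK classes each one references. The suspicious-API table and the sample jar are constructed for the demo; the "classes" inside it are constant-pool-only stubs, not compilable Java. `javap -v` from the JDK prints the same constant pool if you have it installed.

```python
import io
import struct
import zipfile

# JDK classes that code collecting keystrokes or phoning home would normally
# have to reference. Constructed list for the demo; extend as needed.
SUSPICIOUS = {
    "java/net/Socket": "raw TCP connection",
    "java/net/URL": "HTTP request",
    "java/net/HttpURLConnection": "HTTP request",
    "java/lang/Runtime": "process execution (Runtime.exec)",
    "java/lang/ProcessBuilder": "process execution",
    "java/awt/Robot": "keyboard/screen capture",
}


def parse_constant_pool(data):
    """Walk a .class file's constant pool (JVM spec 4.4) and return
    (all Utf8 entries, names of all CONSTANT_Class entries)."""
    magic, _minor, _major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, idx = 10, 1
    utf8, class_refs = {}, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                   # CONSTANT_Utf8
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            utf8[idx] = data[pos:pos + length].decode("utf-8", "replace")
            pos += length
        elif tag in (3, 4):                            # Integer, Float
            pos += 4
        elif tag in (5, 6):                            # Long, Double take two slots
            pos += 8
            idx += 1
        elif tag == 7:                                 # CONSTANT_Class -> Utf8 index
            (name_idx,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            class_refs.append(name_idx)
        elif tag in (8, 16, 19, 20):                   # String, MethodType, Module, Package
            pos += 2
        elif tag in (9, 10, 11, 12, 17, 18):           # refs, NameAndType, (Invoke)Dynamic
            pos += 4
        elif tag == 15:                                # MethodHandle
            pos += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        idx += 1
    classes = [utf8[i] for i in class_refs if i in utf8]
    return list(utf8.values()), classes


def scan_jar(jar_bytes):
    """Return (class file, referenced class, why it matters) for every hit."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            _, classes = parse_constant_pool(jar.read(name))
            for cls in classes:
                if cls in SUSPICIOUS:
                    findings.append((name, cls, SUSPICIOUS[cls]))
    return findings


def build_fake_class(referenced_classes):
    """Constructed sample: a class file that is only a header plus a constant
    pool with one Utf8 + one Class entry per referenced name. Enough for the
    parser above; it would not load in a JVM."""
    pool, count = b"", 1
    for cls in referenced_classes:
        name = cls.encode()
        pool += struct.pack(">BH", 1, len(name)) + name   # Utf8 at slot `count`
        pool += struct.pack(">BH", 7, count)              # Class -> that Utf8
        count += 2
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 50, count) + pool


def build_sample_jar():
    """Constructed two-class jar: a harmless UI class and one that references
    the network and process APIs a reviewer would want to read first."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("ssh/Terminal.class",
                     build_fake_class(["java/awt/Panel", "java/lang/String"]))
        jar.writestr("ssh/Uploader.class",
                     build_fake_class(["java/net/Socket", "java/lang/Runtime"]))
    return buf.getvalue()


if __name__ == "__main__":
    for class_file, cls, why in scan_jar(build_sample_jar()):
        print(f"{class_file}: references {cls} ({why})")
```

Read the output as a reading list, not a verdict: an SSH client legitimately needs `java/net/Socket`, so the point is to see which classes touch the network or spawn processes and read those (decompiled) first, and to be suspicious of a second, unexplained network path next to the SSH one. Code that builds class names at runtime and loads them via reflection will not show up in the constant pool, which is exactly why requinix's "read the source" is the only complete answer.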