My machine got really slowed down all of a sudden. I suspected Netbeans and did a `ps -ef | grep java` to find its pid and kill it. The output from ps floored me:
raditha 11992 11899 0 Dec10 ? 00:13:52 /usr/bin/gtk-gnash -x 81788981 -j 250 -k 250 -u http://pagead2.googlesyndication.com/pagead/imgad?id=CM-h38ij_5DanwEQ-gEY-gEyCDEGjWlZTOVn -F 14 -U http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1352004480420876&output=html&h=250&slotname=3285550185&w=250&lmt=1258513226&flash=9.0.999.%20Gnash%200.8.5%2C%20the%20GNU%20SWF%20Player.%20%20%20Copyright%20%26copy%3B%202006%2C%202007%2C%202008%20%3Ca%20href%3D%22http%3A%2F%2Fwww.fsf.org%22%3EFree%20Software%20%20%20Foundation%3C%2Fa%3E%2C%20Inc.%20%3Cbr%3E%20%20%20Gnash%20comes%20with%20NO%20WARRANTY%2C%20to%20the%20extent%20permitted%20by%20law.%20%20%20You%20may%20redistribute%20copies%20of%20Gnash%20under%20the%20terms%20of%20the%20%20%20%3Ca%20href%3D%22http%3A%2F%2Fwww.gnu.org%2Flicenses%2Fgpl.html%22%3EGNU%20General%20Public%20%20%20License%3C%2Fa%3E.%20For%20more%20information%20about%20Gnash%2C%20see%20%3Ca%20%20%20href%3D%22http%3A%2F%2Fwww.gnu.org%2Fsoftware%2Fgnash%2F%22%3E%20%20%20http%3A%2F%2Fwww.gnu.org%2Fsoftware%2Fgnash%3C%2Fa%3E.%20%20%20Compatible%20Shockwave%20Flash%209.0%20r999.&url=http%3A%2F%2Fwww.bitrebels.com%2Fgeek%2Flost-inside-google-wave-5-waves-to-make-your-life-easier%2F&dt=1258513238576&correlator=1258513238578&frm=0&ga_vid=1321434809.1258513230&ga_sid=1258513230&ga_hid=1759684983&ga_fc=1&u_tz=300&u_his=1&u_java=1&u_h=900&u_w=1600&u_ah=875&u_aw=1600&u_cd=24&u_nplug=13&u_nmime=351&biw=1577&bih=660&ref=http%3A%2F%2Ftwitter.com%2F&fu=0&ifi=1&dtd=223&xpc=bzbonGxyqd&p=http%3A//www.bitrebels.com -P allowscriptaccess=never -P 
flashvars=clickTAG=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB2KrK6uggS7eLJYq5jQfFwJTwDteKyowBsZ7IzgrAjbcBkE4QARgBIJD0zAo4AFDj0NFTYJEBoAHl-dr5A7IBEXd3dy5iaXRyZWJlbHMuY29tugEKMjUweDI1MF9hc8gBBNoBV2h0dHA6Ly93d3cuYml0cmViZWxzLmNvbS9nZWVrL2xvc3QtaW5zaWRlLWdvb2dsZS13YXZlLTUtd2F2ZXMtdG8tbWFrZS15b3VyLWxpZmUtZWFzaWVyL7gCGKgDAfUDAAAAhA%26num%3D1%26sig%3DAGiWqtyRVOXsNj9Q7HH3OPiRTjJRuSTKVg%26client%3Dca-pub-1352004480420876%26adurl%3Dhttp://uc.gamestotal.com/o_in_strategy.cfm%253Fref%253Dadworda_strategy_flash250uc2 -P height=250 -P id=google_flash_embed -P pluginspage=http://www.macromedia.com/go/getflashplayer -P src=http://pagead2.googlesyndication.com/pagead/imgad?id=CM-h38ij_5DanwEQ-gEY-gEyCDEGjWlZTOVn -P type=application/x-shockwave-flash -P width=250 -P wmode=opaque -
You think I have a large list of Java apps running? Look closely, it’s just two! One is Netbeans. Netbeans is a Sun project, so you have to expect it to behave weirdly, but look at the second one. It’s Gnash, the open source replacement for the Adobe Flash player. That line is just massive. Looks like Gnash is adding all the HTTP variables into the environment. No, hang on a second, Firefox is sending all the HTTP variables to Gnash through the command line. What the hell? Is this how browser plugins are supposed to work? Surely this is not secure?
If you URL decode the output of ps, it’s double WTF.
Gnash comes with NO WARRANTY, to the extent permitted by law. You may redistribute copies of Gnash under the terms of the GNU General Public License. For more information about Gnash, see http://www.gnu.org/software/gnash. Compatible Shockwave Flash 9.0 r999.&url=http://www.bitrebels.com/geek/lost-inside-google-wave-5-waves-to-make-your-life-easier/&dt=1258513238576&correlator=1258513238578&frm=0&ga_vid=1321434809.1258513230&ga_sid=1258513230&ga_hid=1759684983&ga_fc=1&u_tz=300&u_his=1&u_java=1&u_h=900&u_w=1600&u_ah=875&u_aw=1600&u_cd=24&u_nplug=13&u_nmime=351&biw=1577&bih=660&ref=http://twitter.com/&fu=0&ifi=1&dtd=223&xpc=bzbonGxyqd&p=http://www.bitrebels.com -P allowscriptaccess=never -P flashvars=clickTAG=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B2KrK6uggS7eLJYq5jQfFwJTwDteKyowBsZ7IzgrAjbcBkE4QARgBIJD0zAo4AFDj0NFTYJEBoAHl-dr5A7IBEXd3dy5iaXRyZWJlbHMuY29tugEKMjUweDI1MF9hc8gBBNoBV2h0dHA6Ly93d3cuYml0cmViZWxzLmNvbS9nZWVrL2xvc3QtaW5zaWRlLWdvb2dsZS13YXZlLTUtd2F2ZXMtdG8tbWFrZS15b3VyLWxpZmUtZWFzaWVyL7gCGKgDAfUDAAAAhA&num=1&sig=AGiWqtyRVOXsNj9Q7HH3OPiRTjJRuSTKVg&client=ca-pub-1352004480420876&adurl=http://uc.gamestotal.com/o_in_strategy.cfm%3Fref%3Dadworda_strategy_flash250uc2 -P height=250 -P id=google_flash_embed -P pluginspage=http://www.macromedia.com/go/getflashplayer -P src=http://pagead2.googlesyndication.com/pagead/imgad?id=CM-h38ij_5DanwEQ-gEY-gEyCDEGjWlZTOVn -P type=application/x-shockwave-flash -P width=250 -P wmode=opaque -
Even a copyright notice is passed as a parameter!




The Gnash plugin passes no more and no less than the variables that the embedding script requests. The Adobe plugin does exactly the same, only you don’t see it.
The copyright message comes from the fact that Gnash’s plugin description contains it. The embed script is copying the plugin description available in JavaScript and passing it to the player. Why the webpage author wants to do this is anyone’s guess…
Passing all this via the command line isn’t ideal for other reasons, but it is no more or less secure than passing those variables directly to the player. Why do you think it should be a problem?
Concern is someone being able to pass the ‘;’ character by an exploit. What follows thereafter will execute as a separate command.
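
Added example (not part of the original post or comments, and not code from Gnash or Firefox): whether a `;` inside a parameter value is ever run as a command depends on whether the launcher hands an argument vector straight to exec or pastes the value into a command string that a shell parses. The parameter value and the stand-in child process below are constructed for illustration, and the example makes no claim about which launch method the Gnash plugin uses.

```python
import shlex
import subprocess
import sys

# Constructed parameter value containing a shell metacharacter (not from the page).
PARAM = "flashvars=clickTAG=http://ads.example/aclk;echo INJECTED"

# Hypothetical stand-in for the player: prints each argument it received, one per line.
CHILD = "import sys; print('\\n'.join(sys.argv[1:]))"


def _run(cmd, shell):
    """Run the command and return its stdout as a list of lines."""
    done = subprocess.run(cmd, shell=shell, capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


def launch_argv(param):
    """exec-style launch: the value is one argv element, no shell ever parses it."""
    return _run([sys.executable, "-c", CHILD, "-P", param], shell=False)


def launch_shell_unquoted(param):
    """Unsafe pattern: the value is pasted into a command string that /bin/sh parses."""
    prefix = f"{shlex.quote(sys.executable)} -c {shlex.quote(CHILD)} -P "
    return _run(prefix + param, shell=True)


def launch_shell_quoted(param):
    """Same command string, but the value is quoted so the shell treats it as data."""
    prefix = f"{shlex.quote(sys.executable)} -c {shlex.quote(CHILD)} -P "
    return _run(prefix + shlex.quote(param), shell=True)


if __name__ == "__main__":
    print("argv:          ", launch_argv(PARAM))
    print("shell unquoted:", launch_shell_unquoted(PARAM))
    print("shell quoted:  ", launch_shell_quoted(PARAM))
```

Only the unquoted shell variant splits the value at `;`. In the other two the child receives the whole string, semicolon included, as a single argument.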