[2031] in WWW Security List Archive
Re: Java Hole: Web Graffiti & Covert Channels
daemon@ATHENA.MIT.EDU (Gene Ingram)
Thu May 9 17:07:58 1996
Date: Thu, 09 May 1996 11:37:08 -0700
From: Gene Ingram <gene@hpfsvr01.cup.hp.com>
Reply-To: www-security@ns2.rutgers.edu
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Chad Owen Yoshikawa wrote:
>
> --------------------------------------------------------
> Web Graffiti & High Bandwidth Covert Channels Using Java
> --------------------------------------------------------
>
> While developing a chat server using Java as a frontend, we've
> been exploiting what we think is a new Java security hole in
> Java-enabled browsers such as Netscape. The hole allows for
> opening sockets to arbitrary ports on web servers that serve
> Trojan-horse applets.
>
> We've also used a known security hole (covert channels) first mentioned
> in work by the SIP group at Princeton to create what we call
> 'Web Graffiti' - the dynamic insertion of text, graphics, applets, into
> HTML pages.
>
> Both of these attacks are three-party attacks and require Trojan-horse
> applets. For a draft of a paper that is work in progress,
> point your browser to:
>
> http://whenever.CS.Berkeley.EDU/graffiti/
>
> Chad Yoshikawa Brent Chun
> chad@cs.berkeley.edu bnc@cs.berkeley.edu
I investigated your site, and was amazed to see the extent of this
problem. For example, the idea that a user hitting any site on the
web after activating the Trojan-horse applet will see whatever the
Trojan horse wants them to see, by REDIRECTING the URL locations to
the hacker's server? This is very serious if true. (The firewall
doesn't allow in applets, so I couldn't test your examples.)
Also, I notice you mention this is present in Atlas; did you mean
Preview Release 2 (the latest one)? Congrats on finding this bug.
Gene
--
``Imagine if every Thursday your shoes exploded if you tied them
the usual way. This happens to us all the time with computers,
and nobody thinks of complaining.'' -Jef Raskin
______ gene@cup.hp.com
/\__ _\ ingram@pubs.holosys.com
\/_/\ \/ ___ __ _ __ __ ___ ___
\ \ \ /' _ `\ /'_ `\/\`'__\/'__`\ /' __` __`\
\_\ \__/\ \/\ \/\ \L\ \ \ \//\ \L\.\_/\ \/\ \/\ \
/\_____\ \_\ \_\ \____ \ \_\\ \__/.\_\ \_\ \_\ \_\
\/_____/\/_/\/_/\/___L\ \/_/ \/__/\/_/\/_/\/_/\/_/
/\____/
________________________\_/__/____________________________________
PGP UserID: "Gene Ingram <gene@cup.hp.com>"
Key Size: 1024 bits; Creation date: 21 March 1996; KeyID: 9FEBA191
Key fingerprint: 93 E1 15 E6 35 BC B2 84 B2 7B 39 76 29 72 32 72
--3D signature created courtesy of ``Figlet Ascii Font Converter''
<http://mediacube.datacom.de/cgi-bin/moniteurs/figlet>