[16288] in bugtraq
JDK 1.1.x Listening Socket Vulnerability (was Re: BrownOrifice
daemon@ATHENA.MIT.EDU (TAKAGI, Hiromitsu)
Fri Aug 18 02:16:35 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id:  <3999922128E.EE84TAKAGI@java-house.etl.go.jp>
Date:         Wed, 16 Aug 2000 03:55:29 +0900
Reply-To: "TAKAGI, Hiromitsu" <takagi@ETL.GO.JP>
From: "TAKAGI, Hiromitsu" <takagi@ETL.GO.JP>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <39946319340.6D7ETAKAGI@java-house.etl.go.jp>
On Sat, 12 Aug 2000 05:33:29 +0900
"TAKAGI, Hiromitsu" <takagi@ETL.GO.JP> wrote:
> This can be verified by trying the following refined proof of concept
> Applet.
> http://java-house.etl.go.jp/~takagi/java/test/Brumleve-BrownOrifice-modified-netscape.net.URLConnection/Test.html
> I have confirmed that Mac OS version is also affected.
And another one, for the other vulnerability (*1) disclosed by Brown Orifice,
is here.
http://java-house.etl.go.jp/~takagi/java/test/Brumleve-BrownOrifice-modified-java.net.ServerSocket/Test.html
(This does not work behind firewalls or with Proxy servers.)
(*1: see http://www.securityfocus.com/bid/1545)
How it works:
 1. The applet opens ServerSocket with a randomly selected port.
 2. The applet calls accept() method to wait for an incoming connection.
 3. The applet invokes a CGI on the codebase host.
 4. The CGI gets the IP address of the browser host.
 5. The CGI requests a third party host, which is a Proxy server of our
    site, to make a connection to the browser's port.
 6. The third party host makes a connection to the browser's port.
 7. The applet accepts the connection and obtains a Socket object.
 8. The applet obtains an InputStream object from the Socket object.
 The source code is here.
 http://java-house.etl.go.jp/~takagi/java/test/Brumleve-BrownOrifice-modified-java.net.ServerSocket/Test.java
Results are as follows:
  Vulnerable
     Netscape Navigator + built-in Java VM
     Netscape Navigator + Java Plug-in 1.1.x
     Internet Explorer + Java Plug-in 1.1.x
     AppletViewer/HotJava + JDK 1.1.x
     Internet Explorer for Mac OS + MRJ 2.x.x (Mac OS Runtime for Java)
  Not vulnerable
     Internet Explorer for Windows + built-in Microsoft VM
     Internet Explorer for Mac OS + Microsoft VM
     Netscape Navigator + Java Plug-in 1.2.x/1.3
     Internet Explorer + Java Plug-in 1.2.x/1.3
     AppletViewer/HotJava + JDK 1.2.x/1.3
     JDK 1.0.x
Regards,
--
Hiromitsu Takagi
Electrotechnical Laboratory
http://www.etl.go.jp/~takagi/
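The eight-step exchange described in the post, run over loopback as an added example (Python, not the post's applet and not code from any JDK): an "applet" thread opens a listening socket on a random port and accept()s, a "third party" thread connects in and writes, and the applet reads the data from the accepted socket. The CGI hop of steps 3 to 5 is collapsed into handing the port straight to the connector. accept_policy() models two behaviours: the one the post demonstrates for the 1.1.x VMs (a connection from any peer reaches the applet) and a codebase-only rule, which is my assumption about why the 1.2.x/1.3 VMs come out not vulnerable. The codebase address 192.0.2.10 and the payload are constructed placeholders.

```python
"""Loopback model of the ServerSocket exchange described in the post.

Added example, not the post's applet and not JDK code.  The "applet"
thread listens and accept()s; the "third party" thread connects in and
writes; the applet then reads from the accepted socket.  The CGI hop
(steps 3-5) is collapsed: the port is handed straight to the connector.
"""
import socket
import threading

PAYLOAD = b"hello from the outside\n"   # constructed sample data


def accept_policy(jdk, codebase_host, peer_host):
    """May a sandboxed applet loaded from codebase_host keep an inbound
    connection from peer_host?  Modelled here, not the JDK's SecurityManager:
    "1.1" reproduces what the post shows (any peer gets through); anything
    else applies a codebase-only rule, an assumption about the 1.2.x/1.3 fix."""
    if jdk == "1.1":
        return True
    return peer_host == codebase_host


def applet_side(jdk, codebase_host, state):
    """Steps 1, 2, 7 and 8 of the post, run in its own thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # step 1: kernel picks a free port
    srv.listen(1)
    state["port"] = srv.getsockname()[1]
    state["listening"].set()
    conn, (peer_host, _peer_port) = srv.accept()   # steps 2 and 7
    srv.close()
    with conn:
        if not accept_policy(jdk, codebase_host, peer_host):
            state["data"] = None        # sandbox refuses the socket
            return
        chunks = []                     # step 8: read what the peer sent
        while True:
            chunk = conn.recv(1024)
            if not chunk:
                break
            chunks.append(chunk)
        state["data"] = b"".join(chunks)


def third_party_connect(port, payload):
    """Steps 5 and 6: the host the CGI asked connects to the browser's port."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
            s.sendall(payload)
    except OSError:
        pass    # the sandbox closed the socket on us; nothing to send to


def run_exchange(jdk, codebase_host, payload=PAYLOAD):
    """Run the whole exchange; return what reached the applet (None if refused)."""
    state = {"listening": threading.Event()}
    t = threading.Thread(target=applet_side, args=(jdk, codebase_host, state))
    t.start()
    state["listening"].wait()
    third_party_connect(state["port"], payload)
    t.join()
    return state["data"]


if __name__ == "__main__":
    # codebase is a placeholder address; the connecting peer is 127.0.0.1
    print("1.1 VM, peer is not the codebase:", run_exchange("1.1", "192.0.2.10"))
    print("1.2 VM, peer is not the codebase:", run_exchange("1.2", "192.0.2.10"))
    print("1.2 VM, peer is the codebase:   ", run_exchange("1.2", "127.0.0.1"))
```

The point the first run makes is the one the post reports: the peer is not the codebase host, yet its bytes arrive on the applet's InputStream, so the inbound direction escapes the connect-only-to-codebase rule. The refusal is placed after accept() because the TCP handshake has already completed by the time a peer address exists to check; that is also why the connector tolerates an OSError.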