Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:522
HistoryAug 08, 2000 - 12:00 a.m.

Internet Security Systems Security Alert: Brown Orifice, BOHTTPD, a Platform Independent Java Vulnerability in Netscape

2000-08-0800:00:00
vulners.com
11
JSON

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
August 7, 2000

Brown Orifice, BOHTTPD, a Platform Independent Java Vulnerability in
Netscape

Synopsis:

On August 5th, code was made public by Dan Brumleve, which demonstrates a
serious security hole in the Netscape Java distribution. This vulnerability
allows a hostile web site to start a server process on the browser system.
That server can access arbitrary files on the browser system and locally
connected networks through "file:" URLs. All versions of Netscape Navigator
and Netscape Communicator versions 4.74 and earlier are vulnerable when Java
is enabled. Mozilla from mozilla.org is not currently vulnerable. Preview 1
of Mozilla from Netscape (Netscape 6 Preview 1) is expired and cannot be
tested.
Microsoft Internet Explorer is not vulnerable at this time.

Impact:

A hostile web server can start a server process on the browser system with
no warning to the browsing user. This process can access any file on the
local (browser) machine or the locally connected network through normal file
sharing, if it is accessible by the browsing user. Additional code and
external URLs can also be distributed by the running server, resulting in
self-propagation and feedback to the hostile site.

Affected Versions:

Netscape Communicator 4.74 and earlier with Java and downloadable plugins
enabled. Netscape Navigator 4.74 and earlier with Java and downloadable
plugins enabled.

Affected Platforms:

All platforms on which Java and Netscape are available are vulnerable. This
is a platform independent exploit. Systems running Windows 2000, Windows NT
and Linux are known to be vulnerable through demonstration.

Unaffected Platforms:

Microsoft Internet Explorer is not currently affected.
Mozilla is not currently affected.
Browsers with Java disabled are not affected.

Description:

Upon execution from a hostile web page, a hostile Java applet downloads a
set of socket classes permitting it to create a web server within the
Browser Java runtime environment. Through the use of the socket class, the
exploit code listens on a configurable port number (the default port is
8080, the httpd proxy port). Through the use of "file:" URLs, this hostile
server code is capable of accessing any local files, including any network
files that can be reached, through file sharing, from the local file system.

The origination site contains clear warnings that this code is a security
vulnerability, but nothing in the nature of this exploit requires a warning
to the user from the browser. Like any other Java applet, this can run with
no execution warning.

The origination page also does not fully describe the sample exploit
server's behavior. In addition to starting up a web server, the pages
delivered by the web server contain image references back to the originating
host. Any browsers that connect to a compromised system reveal themselves to
the origination site. This introduces the possibility for further
propagation of similar exploits, through redirection or references to the
hostile code from the hostile server itself. Self-propagating versions of
this exploit have not been observed at this time.

The origination site contains a "BOHTTPD_spy" page containing a list of
sites known to have executed the code. This list is being actively exploited
by other sites around the world, which are attempting to browse or break
into the compromised sites. Some of these attempts appear to be automated,
while many appear to be simple manual browsing. These sites may be unaware
that their own efforts to browse the compromised sites are being revealed to
the origination site, along with the IP address and port that they are
browsing.

Fix Information:

No fix is available from Netscape as of this writing.

Recommendations:

Until a fix becomes available, Java should be disabled in the browser.
Disabling the "downloader plugin" can also prohibit the downloading of the
required socket classes that this exploit requires for operation.

Additional Information:

Code available from http://www.brumleve.com/BrownOrifice includes Java
source code for the sample exploit that could be readily modified for more
malicious use.

Information about this exploit appeared on several popular web sites
including SlashDot, days before appearing on BugTraq. It can be assumed that
knowledge of the exploit, its source code, and variations are widespread.

While Mozilla, at this time, does not appear to be vulnerable, this appears
to be due to an error attempting to locate the "downloader plugin". This
situation could change with release or configuration.

No other browsers are known to be vulnerable at this time.

A RealSecure signature for the following data will detect someone
downloading the BOHTTPD.class:

Context: URL_Data
String: .*BOHTTPD\.class

If this class is renamed, this signature will no longer be effective.

About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and strategic
consulting and education offerings, ISS is a trusted security provider to
its customers, protecting digital assets and ensuring safe and uninterrupted
e-business. ISS' security management solutions protect more than 5,500
customers worldwide including 21 of the 25 largest U.S. commercial banks, 10
of the largest telecommunications companies and over 35 government agencies.
Founded in 1994, ISS is headquartered in Atlanta, GA, with additional
offices throughout North America and international operations in Asia,
Australia, Europe, Latin America and the Middle East. For more information,
visit the Internet Security Systems web site at www.iss.net or call
888-901-7477.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail [email protected]
<mailto:[email protected]> for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: <http://xforce.iss.net/sensitive.php&gt; as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force [email protected]
<mailto:[email protected]> of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOY8vEDRfJiV99eG9AQF5kwQAqqeKbwF9Qu2ZPySj4LJZb9acoTEt/Tj5
FDUuk3TT/ykrSq9TK1BAtfJtc0r/Su6slCGuo3pQ+s5u5drdX44oMHxnYSz9OVzm
8d0nD7VgW8DkZQW2rfNDNZ1t+mZm//SqKjunhfB0YiCpiTU9DxrDTcba6W+qkmRZ
8XlYonLmZgw=
=xGJG
-----END PGP SIGNATURE-----

JSON