Securityvulns SECURITYVULNS:DOC:572
Aug 18, 2000 - 12:00 a.m.

JDK 1.1.x Listening Socket Vulnerability (was Re: BrownOrifice can break firewalls!)

vulners.com

On Sat, 12 Aug 2000 05:33:29 +0900
"TAKAGI, Hiromitsu" <[email protected]> wrote:
> This can be verified by trying the following refined proof of concept
> Applet.
> http://java-house.etl.go.jp/~takagi/java/test/Brumleve-BrownOrifice-modified-netscape.net.URLConnection/Test.html
> I have confirmed that Mac OS version is also affected.

And another one for the other vulnerability(*1) disclosed by Brown Orifice
is here.
http://java-house.etl.go.jp/~takagi/java/test/Brumleve-BrownOrifice-modified-java.net.ServerSocket/Test.html
(This does not work behind firewalls or with Proxy servers.)
(*1: see http://www.securityfocus.com/bid/1545)

How it works:

  1. The applet opens ServerSocket with a randomly selected port.
  2. The applet calls accept() method to wait for an incoming connection.
  3. The applet invokes a CGI on the codebase host.
  4. The CGI gets the IP address of the browser host.
  5. The CGI requests a third party host, which is a Proxy server of our
    site, to make a connection to the browser's port.
  6. The third party host makes a connection to the browser's port.
  7. The applet accepts the connection and obtains a Socket object.
  8. The applet obtains an InputStream object from the Socket object.

The source code is here.

http://java-house.etl.go.jp/~takagi/java/test/Brumleve-BrownOrifice-modified-java.net.ServerSocket/Test.java

Results are as follows:

Vulnerable
  Netscape Navigator + built-in Java VM
  Netscape Navigator + Java Plug-in 1.1.x
  Internet Explorer + Java Plug-in 1.1.x
  AppletViewer/HotJava + JDK 1.1.x
  Internet Explorer for Mac OS + MRJ 2.x.x (Mac OS Runtime for Java)

Not vulnerable
  Internet Explorer for Windows + built-in Microsoft VM
  Internet Explorer for Mac OS + Microsoft VM
  Netscape Navigator + Java Plug-in 1.2.x/1.3
  Internet Explorer + Java Plug-in 1.2.x/1.3
  AppletViewer/HotJava + JDK 1.2.x/1.3
  JDK 1.0.x

Regards,

Hiromitsu Takagi
Electrotechnical Laboratory
http://www.etl.go.jp/~takagi/
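
Steps 6 and 7 above are the point where a host other than the applet's codebase host has its connection accepted. The following Java program is an added example, not part of the original post and not JDK code: it shows a listener that holds peers to a single origin host by comparing the peer address after accept() and closing the socket on a mismatch. The class and method names are hypothetical, and the loopback and 192.0.2.1 addresses are constructed test values.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;

/** Added illustration: accept only peers whose address belongs to the
 *  allowed origin host, and close every other connection. */
public class OriginCheckedAccept {

    /** Returns the accepted Socket if the peer is one of the origin's addresses;
     *  otherwise closes it and throws SecurityException. */
    static Socket acceptFromOrigin(ServerSocket server, InetAddress[] originAddrs)
            throws IOException {
        Socket s = server.accept();
        InetAddress peer = s.getInetAddress();
        for (InetAddress a : originAddrs) {
            if (a.equals(peer)) {
                return s;
            }
        }
        s.close(); // a rejected connection must never reach the caller
        throw new SecurityException(
                "peer " + peer.getHostAddress() + " is not the origin host");
    }

    public static void main(String[] args) throws IOException {
        InetAddress loopback = InetAddress.getLoopbackAddress();
        // Constructed setup: listener bound to loopback on an ephemeral port.
        try (ServerSocket server = new ServerSocket(0, 1, loopback)) {
            // Case 1: the peer is the allowed origin, so the socket is returned.
            try (Socket client = new Socket(loopback, server.getLocalPort());
                 Socket accepted = acceptFromOrigin(server, new InetAddress[] { loopback })) {
                System.out.println("accepted origin peer " + accepted.getInetAddress());
            }
            // Case 2: the allowed origin is 192.0.2.1 (documentation address),
            // so the loopback peer stands in for the third party host.
            InetAddress origin = InetAddress.getByName("192.0.2.1");
            try (Socket client = new Socket(loopback, server.getLocalPort())) {
                acceptFromOrigin(server, new InetAddress[] { origin });
                System.out.println("BUG: third-party peer accepted");
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```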