Related information

  Hole in the Java implementation in Netscape (BOHTTPD)

  Security Bulletin (MS00-059)

  Re: BrownOrifice can break firewalls! NOW MSIE

  Internet Security Systems Security Alert: Brown Orifice, BOHTTPD, a Platform Independent Java Vulnerability in Netscape

From: TAKAGI, Hiromitsu <takagi_(at)_ETL.GO.JP>
Date: 18.08.2000
Subject: JDK 1.1.x Listening Socket Vulnerability (was Re: BrownOrifice can break firewalls!)

On Sat, 12 Aug 2000 05:33:29 +0900
"TAKAGI, Hiromitsu" <takagi@ETL.GO.JP> wrote:
> This can be verified by trying the following refined proof of concept
> Applet.
> http://java-house.etl.go.jp/~takagi/java/test/Brumleve-BrownOrifice-modified-netscape.net.URLConnection/Test.html

> I have confirmed that Mac OS version is also affected.

And another one for the other vulnerability(*1) disclosed by Brown Orifice
is here.
http://java-house.etl.go.jp/~takagi/java/test/Brumleve-BrownOrifice-modified-java.net.ServerSocket/Test.html

(This does not work behind firewalls or with Proxy servers.)
(*1: see http://www.securityfocus.com/bid/1545)

How it works:

1. The applet opens ServerSocket with a randomly selected port.
2. The applet calls accept() method to wait for an incoming connection.
3. The applet invokes a CGI on the codebase host.
4. The CGI gets the IP address of the browser host.
5. The CGI requests a third party host, which is a Proxy server of our
   site, to make a connection to the browser's port.
6. The third party host makes a connection to the browser's port.
7. The applet accepts the connection and obtains a Socket object.
8. The applet obtains an InputStream object from the Socket object.

The source code is here.

http://java-house.etl.go.jp/~takagi/java/test/Brumleve-BrownOrifice-modified-java.net.ServerSocket/Test.java



Results are as follows:

 Vulnerable
    Netscape Navigator + built-in Java VM
    Netscape Navigator + Java Plug-in 1.1.x
    Internet Explorer + Java Plug-in 1.1.x
    AppletViewer/HotJava + JDK 1.1.x
    Internet Explorer for Mac OS + MRJ 2.x.x (Mac OS Runtime for Java)
 Not vulnerable
    Internet Explorer for Windows + built-in Microsoft VM
    Internet Explorer for Mac OS + Microsoft VM
    Netscape Navigator + Java Plug-in 1.2.x/1.3
    Internet Explorer + Java Plug-in 1.2.x/1.3
    AppletViewer/HotJava + JDK 1.2.x/1.3
    JDK 1.0.x


Regards,
--
Hiromitsu Takagi
Electrotechnical Laboratory
http://www.etl.go.jp/~takagi/
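
Steps 6 and 7 of "How it works" are the point where a host other than the codebase host has its connection accepted. The following is an added example, not part of the original post or its Test.java: it shows the peer-origin check whose absence that flow demonstrates, assuming the sandbox rule that an applet may exchange data only with its codebase host. The class name, method names and addresses are constructed for illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;

public class OriginRestrictedAccept {
    /**
     * Accepts one connection and returns it only if the peer address equals
     * allowedOrigin; any other peer is closed and null is returned.
     */
    static Socket acceptFromOrigin(ServerSocket server, InetAddress allowedOrigin)
            throws IOException {
        Socket peer = server.accept();
        if (!peer.getInetAddress().equals(allowedOrigin)) {
            peer.close();   // third-party peer: drop it before any stream is handed out
            return null;
        }
        return peer;
    }

    /** Runs one accept on loopback with a constructed client; true if the peer was kept. */
    static boolean trial(InetAddress allowedOrigin) throws IOException {
        InetAddress loopback = InetAddress.getByName("127.0.0.1");
        // Port 0 lets the OS pick a free port, like the randomly selected port in step 1.
        try (ServerSocket server = new ServerSocket(0, 1, loopback);
             Socket client = new Socket(loopback, server.getLocalPort())) {
            Socket kept = acceptFromOrigin(server, allowedOrigin);
            if (kept == null) {
                return false;
            }
            kept.close();
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample addresses: the connecting peer is always 127.0.0.1.
        // In the first trial it is also the codebase host; in the second the
        // codebase host is 192.0.2.10 (TEST-NET-1), so the peer is a third party.
        InetAddress codebase = InetAddress.getByName("127.0.0.1");
        InetAddress other = InetAddress.getByName("192.0.2.10");
        System.out.println("peer == codebase host: kept=" + trial(codebase));
        System.out.println("peer != codebase host: kept=" + trial(other));
    }
}
```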
