===Java HTTP proxy vulnerability===
Reference: wal-01
Version: 1.0
Date: March 05, 2002
===Cross references
Sun Security Bulletin #00216
Microsoft Security Bulletin MS02-013
Vulnerability identifier CAN-2002-0058 (under review)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0058
===Classifications
Java, networking, HTTP
Web browsers, applets
Unchecked network access, HTTP proxy connection hijacking
===Abstract problem description
=Background
The Java security model is designed to allow code from an untrusted
source, usually web applets, to be safely executed.
=Problem
An applet can make irregular, unchecked HTTP requests.
=Consequence
Network access restrictions that apply can be bypassed.
Only systems that have an HTTP proxy configured can be vulnerable.
One particularly nasty exploit is one in which a remote server, aided
by a hostile applet, hijacks a browser's persistent HTTP connection to
its configured HTTP proxy.
===Affected software & patch availability; vendor bulletins
=Sun
Bulletin Number: #00216
Date: March 4, 2002
Title: HttpURLConnection
http://sunsolve.Sun.COM/pub-cgi/secBulletin.pl
(At the time of this writing bulletin 216 was not available on
the website yet.)
=Microsoft
Microsoft Security Bulletin MS02-013
Java Applet Can Redirect Browser Traffic
Originally posted: March 04, 2002
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-013.asp
=Netscape
Sun JVM (Java Virtual Machine) Issue
http://home.netscape.com/security/
===Vendor contact
Shortly after I, more or less by coincidence, discovered the issue, I
reported it to Sun on April 07, 2001. They communicated it to their
Java licensees, and coordinated a synchronized response.
=Free Java implementations
I audited both Kaffe and GNU Classpath class libraries, and to the
best of my knowledge, they are not vulnerable to this issue. Anyone
out there developing a free(TM) Java, please contact me if you have
questions or concerns, and I will be happy to assist you in any way I
can.
===Disclosure policy
I do not plan to release details of the vulnerability that could make
it easier for crackers to get exploits before a three-month grace
period has expired. Customers should not assume that the lack of
vulnerability details at this time will prevent the creation of
exploit programs.
===Detailed problem description
No details are provided at this time.
See Disclosure policy.
===PoC-exploit
I supplied Sun with a PoC-exploit, and they passed it on to other
vendors. No further distribution is expected.
===Software I tested/audited myself
Sun/Blackdown 1.1.7/8, 1.2.2, 1.3.0/1 linux/win32
Netscape 4.61 default Java Runtime linux
MSIE 5.0 default Java Runtime win32
HotJava Browser 3.0
Kaffe 1.06
GNU Classpath 0.03
===Acknowledgment
Thanks to the vendors for addressing the issue. Special thanks to
Sun, in particular Chok Poh, for coordinating.
===Disclaimer & Copying
This comes with ABSOLUTELY NO WARRANTY!
Copying in whole and quoting parts permitted.
===History
Version 1.0 is the first release of this document.
Updates: http://www.xs4all.nl/~harmwal/issue/wal-01.txt
===Contact
Author: Harmen van der Wal
Mail: [email protected]
PGP: http://www.xs4all.nl/~harmwal/harmen.pgp.txt
===End===