Bugtraq mailing list archives
JDK 1.1.x Listening Socket Vulnerability (was Re: BrownOrifice can break firewalls!)
From: "TAKAGI, Hiromitsu" <takagi () ETL GO JP>
Date: Wed, 16 Aug 2000 03:55:29 +0900
On Sat, 12 Aug 2000 05:33:29 +0900 "TAKAGI, Hiromitsu" <takagi () ETL GO JP> wrote:
This can be verified by trying the following refined proof-of-concept applet. http://java-house.etl.go.jp/~takagi/java/test/Brumleve-BrownOrifice-modified-netscape.net.URLConnection/Test.html I have confirmed that the Mac OS version is also affected.
And another one for the other vulnerability (*1) disclosed by Brown Orifice is here.
http://java-house.etl.go.jp/~takagi/java/test/Brumleve-BrownOrifice-modified-java.net.ServerSocket/Test.html
(This does not work behind firewalls or with proxy servers.)
(*1: see http://www.securityfocus.com/bid/1545)

How it works:

1. The applet opens a ServerSocket with a randomly selected port.
2. The applet calls the accept() method to wait for an incoming connection.
3. The applet invokes a CGI on the codebase host.
4. The CGI gets the IP address of the browser host.
5. The CGI requests a third-party host, which is a proxy server of our site, to make a connection to the browser's port.
6. The third-party host makes a connection to the browser's port.
7. The applet accepts the connection and obtains a Socket object.
8. The applet obtains an InputStream object from the Socket object.

The source code is here.
http://java-house.etl.go.jp/~takagi/java/test/Brumleve-BrownOrifice-modified-java.net.ServerSocket/Test.java

Results are as follows:

Vulnerable
  Netscape Navigator + built-in Java VM
  Netscape Navigator + Java Plug-in 1.1.x
  Internet Explorer + Java Plug-in 1.1.x
  AppletViewer/HotJava + JDK 1.1.x
  Internet Explorer for Mac OS + MRJ 2.x.x (Mac OS Runtime for Java)

Not vulnerable
  Internet Explorer for Windows + built-in Microsoft VM
  Internet Explorer for Mac OS + Microsoft VM
  Netscape Navigator + Java Plug-in 1.2.x/1.3
  Internet Explorer + Java Plug-in 1.2.x/1.3
  AppletViewer/HotJava + JDK 1.2.x/1.3
  JDK 1.0.x

Regards,
--
Hiromitsu Takagi
Electrotechnical Laboratory
http://www.etl.go.jp/~takagi/
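The rule the listed 1.1.x runtimes failed to enforce is that a listening applet may only accept() connections from its own codebase host, so the connection from the third-party proxy in step 6 should never reach the applet. The class below is an added, hypothetical sketch of that check (not Sun's runtime code and not Takagi's test applet); it assumes the codebase host name is known to the caller and that the peer address of an accepted socket is what is compared against it.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.UnknownHostException;

/** Hypothetical accept-time policy: only the codebase host may connect back. */
public class CodebaseAcceptPolicy {
    private final InetAddress[] codebaseAddrs;

    public CodebaseAcceptPolicy(String codebaseHost) throws UnknownHostException {
        // Resolve every address of the codebase host once, at policy creation.
        this.codebaseAddrs = InetAddress.getAllByName(codebaseHost);
    }

    /** True only if the peer is one of the codebase host's resolved addresses. */
    public boolean isPeerAllowed(InetAddress peer) {
        for (InetAddress a : codebaseAddrs) {
            if (a.equals(peer)) {
                return true;
            }
        }
        return false;
    }

    /** Wraps ServerSocket.accept(): a connection from any other host is closed. */
    public Socket guardedAccept(ServerSocket server) throws IOException {
        while (true) {
            Socket s = server.accept();
            if (isPeerAllowed(s.getInetAddress())) {
                return s;
            }
            // Corresponds to the SecurityException a correct applet sandbox raises.
            s.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the applet was served from "localhost".
        CodebaseAcceptPolicy policy = new CodebaseAcceptPolicy("localhost");
        InetAddress codebase = InetAddress.getByName("127.0.0.1");
        InetAddress thirdParty = InetAddress.getByName("192.0.2.1"); // TEST-NET, constructed
        System.out.println("codebase peer allowed:    " + policy.isPeerAllowed(codebase));
        System.out.println("third-party peer allowed: " + policy.isPeerAllowed(thirdParty));
    }
}
```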