Vulnerability Development mailing list archives
Re: Exploiting any network protocol with secondary datachannelsopened from the server
From: weinmann () RBG INFORMATIK TU-DARMSTADT DE (Ralf-Philipp Weinmann)
Date: Mon, 20 Mar 2000 02:44:16 +0100
On Sun, 19 Mar 2000, Mikael Olsson wrote:
> Blue Boar wrote:
> > I don't suppose Sandboxed Java Applets have any legal way to determine
> > which ports are open on the machine they're running on, do they?
>
> Something struck me as a possibility here. I don't know the first thing
> about Java, but I'm wondering if the socket interface in the standard Java
> libs has some similarities to standard BSD sockets. If you're allowed to
> issue "bind(socket,sockaddr);" equivalent requests in Java, you can loop
> requests from local ports 0 to 65535 and see which ones you are NOT allowed
> to bind. The ones you are not allowed to bind are likely the ones that are
> already taken by some application. This may be listening server ports or
> simply other dynamically allocated ports. With some "intelligence" in the
> applet you can probably guess which ports are interesting and which ones
> are not. (Or simply try to bind a few ports that you know to be interesting
> beforehand.)
>
> AGAIN, NOTE: I have NO idea if the above works. It'd be nice if someone
> with a bit of experience in Java could verify if it does. (Specifically:
> is there even a "bind" equivalent?)
java.net.ServerSocket(portnumber) can be used for bind()ing a port. I haven't checked whether you can use this class in an applet however, or whether the security manager successfully blocks this route. Note however that you should only be able to bind ports between 1024 and 65535 on un*x boxes (winblows boxes don't have reserved ports).

OK. I just tested it and it works (Netscape 4.0x under linux). Bad bad bad. Source code is attached.

This of course leads me to even nastier thoughts about what can be done with ServerSocket since it also allows binding to a specific address (interface) - which makes things interesting under Solaris for example.

Cheers,
-Ralf

--
Ralf-P. Weinmann <weinmann () rbg informatik tu-darmstadt de>
PGP fingerprint: 2048/46C772078ACB58DEF6EBF8030CBF1724

TEXT/PLAIN attachment: scan.java
TEXT/PLAIN attachment: javascan.html
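The bind-based local port scan discussed in this thread, as an added example that is not the scan.java attachment and not code from any poster. It is a stand-alone Java program rather than an applet, so no applet security manager is involved; the class name BindScan, the probe/inUse helper names and the "permission" substring check on the BindException message are assumptions made for illustration. The program first occupies an ephemeral loopback port itself (constructed test fixture) so that the scan has a known in-use port to find, then tries new ServerSocket(port, backlog, addr) across a small range and reports every port the bind was refused on:

```java
import java.io.IOException;
import java.net.BindException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.util.ArrayList;
import java.util.List;

public class BindScan {
    // Outcome of one bind() probe against a local port.
    enum State { FREE, IN_USE, DENIED }

    // Try to bind a listening socket on addr:port and release it at once.
    // A successful bind means nothing else held the port; a BindException
    // means either "Address already in use" (a process owns the port) or,
    // for ports below 1024 on a Unix box without root, "Permission denied".
    // Assumption: the message text is used to tell the two apart.
    static State probe(InetAddress addr, int port) {
        try (ServerSocket s = new ServerSocket(port, 1, addr)) {
            return State.FREE;
        } catch (BindException e) {
            String msg = e.getMessage() == null ? "" : e.getMessage().toLowerCase();
            return msg.contains("permission") ? State.DENIED : State.IN_USE;
        } catch (SecurityException e) {
            // A SecurityManager (e.g. an applet sandbox) refused checkListen().
            return State.DENIED;
        } catch (IOException e) {
            // Any other socket failure: treat the port as not bindable.
            return State.IN_USE;
        }
    }

    // Scan [from, to] on addr and return the ports whose bind was refused
    // because something already owns them (privilege refusals are skipped,
    // since they say nothing about whether a service is listening there).
    static List<Integer> inUse(InetAddress addr, int from, int to) {
        List<Integer> busy = new ArrayList<>();
        for (int port = from; port <= to; port++) {
            if (probe(addr, port) == State.IN_USE) {
                busy.add(port);
            }
        }
        return busy;
    }

    public static void main(String[] args) throws IOException {
        InetAddress lo = InetAddress.getLoopbackAddress();
        // Constructed fixture: hold one ephemeral port so the scan has a hit.
        try (ServerSocket holder = new ServerSocket(0, 1, lo)) {
            int held = holder.getLocalPort();
            int from = Math.max(1024, held - 5);
            int to = Math.min(65535, held + 5);
            List<Integer> busy = inUse(lo, from, to);
            System.out.println("holding " + held + "; scanned " + from + "-" + to
                    + "; bind refused (in use): " + busy);
            System.out.println("probe(80) on this host: " + probe(lo, 80));
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, the probe only tells you that *something* owns the port, not what: a port held by an outbound connection can be refused just like a listening server, and on systems where Java enables SO_REUSEADDR by default a port that is merely lingering in TIME_WAIT will bind successfully and show as FREE. Second, the applet case in the thread depends entirely on whether the browser's security manager enforces checkListen(); the SecurityException branch above is where a sandbox that does its job would stop the scan.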
Current thread:
- Exploiting any network protocol with secondary data channels opened from the server Mikael Olsson (Mar 17)
- Re: Exploiting any network protocol with secondary data channelsopened from the server Blue Boar (Mar 18)
- Re: Exploiting any network protocol with secondary datachannelsopened from the server Mikael Olsson (Mar 19)
- Re: Exploiting any network protocol with secondary datachannelsopened from the server Mr. Pink (Mar 19)
- Re: Exploiting any network protocol with secondary datachannelsopened from the server Ralf-Philipp Weinmann (Mar 19)
- Re: Exploiting any network protocol with secondarydatachannelsopened from the server H D Moore (Mar 19)
- Re: Exploiting any network protocol with secondarydatachannelsopened from the server Ralf-Philipp Weinmann (Mar 20)
- Re: Exploiting any network protocol with secondary datachannelsopened from the server Mikael Olsson (Mar 19)
- Re: Exploiting any network protocol with secondary data channelsopened from the server Blue Boar (Mar 18)
- Buffer overflow in AIM 3.5.1856 Joe Testa (Mar 19)