TUCoPS :: Browsers :: ciack063.htm

Netscape - Java Vulnerability
Netscape - Java Vulnerability Privacy and Legal Notice

CIAC INFORMATION BULLETIN

K-063: Netscape - Java Vulnerability

August 8, 2000 15:00 GMT
PROBLEM:       This vulnerability allows a hostile web site to start a server
               process on the browser system. That server can access arbitrary
               files on the browser system and locally connected networks
               through "file:" URLs.
PLATFORM:      All versions of Netscape Navigator and Netscape Communicator
               versions 4.74 and earlier are vulnerable when Java is enabled.
DAMAGE:        A hostile web server can start a server process on the browser
               system with no warning to the browsing user. This process can
               access any file on the local (browser) machine or the locally
               connected network through normal file sharing, if it is
               accessible by the browsing user. Additional code and external
               URLs can also be distributed by the running server, resulting
               in self-propagation and feedback to the hostile site.
SOLUTION:      Until a fix becomes available, Java should be disabled in the
               browser. Disabling the "downloader plugin" can also prohibit
               the downloading of the required socket classes that this
               exploit requires for operation.

VULNERABILITY The risk is could be significant. A user must go to a hostile web ASSESSMENT: page constructed to exploit this vulnerability. The exploit has been published in public forums.
[****** Start ISS Alert ******]
-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
August 7, 2000

Brown Orifice, BOHTTPD, a Platform Independent Java Vulnerability in
Netscape

Synopsis:

On August 5th, code was made public by Dan Brumleve, which demonstrates a
serious security hole in the Netscape Java distribution. This vulnerability
allows a hostile web site to start a server process on the browser system.
That server can access arbitrary files on the browser system and locally
connected networks through "file:" URLs. All versions of Netscape Navigator
and Netscape Communicator versions 4.74 and earlier are vulnerable when Java
is enabled. Mozilla from mozilla.org is not currently vulnerable. Preview 1
of Mozilla from Netscape (Netscape 6 Preview 1) is expired and cannot be
tested.
Microsoft Internet Explorer is not vulnerable at this time.

Impact:

A hostile web server can start a server process on the browser system with
no warning to the browsing user. This process can access any file on the
local (browser) machine or the locally connected network through normal file
sharing, if it is accessible by the browsing user. Additional code and
external URLs can also be distributed by the running server, resulting in
self-propagation and feedback to the hostile site.

Affected Versions:

Netscape Communicator 4.74 and earlier with Java and downloadable plugins
enabled. Netscape Navigator 4.74 and earlier with Java and downloadable
plugins enabled.

Affected Platforms:

All platforms on which Java and Netscape are available are vulnerable. This
is a platform independent exploit. Systems running Windows 2000, Windows NT
and Linux are known to be vulnerable through demonstration.

Unaffected Platforms:

Microsoft Internet Explorer is not currently affected.
Mozilla is not currently affected.
Browsers with Java disabled are not affected.

Description:

Upon execution from a hostile web page, a hostile Java applet downloads a
set of socket classes permitting it to create a web server within the
Browser Java runtime environment. Through the use of the socket class, the
exploit code listens on a configurable port number (the default port is
8080, the httpd proxy port). Through the use of "file:" URLs, this hostile
server code is capable of accessing any local files, including any network
files that can be reached, through file sharing, from the local file system.

The origination site contains clear warnings that this code is a security
vulnerability, but nothing in the nature of this exploit requires a warning
to the user from the browser. Like any other Java applet, this can run with
no execution warning.

The origination page also does not fully describe the sample exploit
server's behavior. In addition to starting up a web server, the pages
delivered by the web server contain image references back to the originating
host. Any browsers that connect to a compromised system reveal themselves to
the origination site.  This introduces the possibility for further
propagation of similar exploits, through redirection or references to the
hostile code from the hostile server itself. Self-propagating versions of
this exploit have not been observed at this time.

The origination site contains a "BOHTTPD_spy" page containing a list of
sites known to have executed the code. This list is being actively exploited
by other sites around the world, which are attempting to browse or break
into the compromised sites. Some of these attempts appear to be automated,
while many appear to be simple manual browsing. These sites may be unaware
that their own efforts to browse the compromised sites are being revealed to
the origination site, along with the IP address and port that they are
browsing.

Fix Information:

No fix is available from Netscape as of this writing.

Recommendations:

Until a fix becomes available, Java should be disabled in the browser.
Disabling the "downloader plugin" can also prohibit the downloading of the
required socket classes that this exploit requires for operation.

Additional Information:

Code available from http://www.brumleve.com/BrownOrifice includes Java
source code for the sample exploit that could be readily modified for more
malicious use.

Information about this exploit appeared on several popular web sites
including SlashDot, days before appearing on BugTraq. It can be assumed that
knowledge of the exploit, its source code, and variations are widespread.

While Mozilla, at this time, does not appear to be vulnerable, this appears
to be due to an error attempting to locate the "downloader plugin". This
situation could change with release or configuration.

No other browsers are known to be vulnerable at this time.

A RealSecure signature for the following data will detect someone
downloading the BOHTTPD.class:

Context: URL_Data
String: .*BOHTTPD\.class

If this class is renamed, this signature will no longer be effective.

______

About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and strategic
consulting and education offerings, ISS is a trusted security provider to
its customers, protecting digital assets and ensuring safe and uninterrupted
e-business. ISS' security management solutions protect more than 5,500
customers worldwide including 21 of the 25 largest U.S. commercial banks, 10
of the largest telecommunications companies and over 35 government agencies.
Founded in 1994, ISS is headquartered in Atlanta, GA, with additional
offices throughout North America and international operations in Asia,
Australia, Europe, Latin America and the Middle East. For more information,
visit the Internet Security Systems web site at www.iss.net or call
888-901-7477.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail xforce@iss.net
<mailto:xforce@iss.net> for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: <http://xforce.iss.net/sensitive.php>as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net
 of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOY8vEDRfJiV99eG9AQF5kwQAqqeKbwF9Qu2ZPySj4LJZb9acoTEt/Tj5
FDUuk3TT/ykrSq9TK1BAtfJtc0r/Su6slCGuo3pQ+s5u5drdX44oMHxnYSz9OVzm
8d0nD7VgW8DkZQW2rfNDNZ1t+mZm//SqKjunhfB0YiCpiTU9DxrDTcba6W+qkmRZ
8XlYonLmZgw=
=xGJG
-----END PGP SIGNATURE-----

[****** End ISS Alert ******]

CIAC wishes to acknowledge the contributions of Internet Security Systems for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH