netscape4.5-applets.txt

Date: Tue, 2 Feb 1999 13:42:32 -0800
From: Giao Nguyen <grail@CAFEBABE.ORG>
To: BUGTRAQ@netspace.org
Subject: Unsecured server in applets under Netscape

Just for kicks, I wrote a sample applet that listened on a socket. I
discovered that when the applet was loaded under Netscape (as tested
with version 4.5), any host could then connect to the machine running
this applet. I won't bore anyone with the code because it's so trivial
that a novice to Java should be able to write it with ease after
reading some documentation.

According to Java in a Nutshell, 2nd edition, p. 139:

* Untrusted code cannot perform networking operations, except in
certain restricted ways.  Untrusted code cannot:
  [...]
  - Accept network connections on ports less than or equal to 1024 or
    from any host other than the one from which the code itself was
    loaded.

While the port number restriction is held by the VM, the point of
origin restriction is not held at all.

I don't feel qualified to comment on the full implication of this but
I'm sure more inventive minds can arrive at more interesting uses of
this feature.

The work around is rather simple. Disable Java runtime in the Netscape
browser.

As hinted above, Internet Explorer's Java runtime does not exhibit
this behaviour.

I have contacted Netscape (via some truly useful web pages) but I've
not received any responses to the following information. I hope it's
useful to someone out there.

Giao Nguyen

------------------------------------------------------------------------

Date: Wed, 3 Feb 1999 07:45:13 -0000
From: BVE <bve@QUADRIX.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Unsecured server in applets under Netscape

   Date:        Tue, 2 Feb 1999 13:42:32 -0800
   From:        Giao Nguyen <grail@CAFEBABE.ORG>

   Just for kicks, I wrote a sample applet that listened on a socket. I
   discovered that when the applet was loaded under Netscape (as tested
   with version 4.5), any hosts could then connect to the machine running
   this applet. I won't bore anyone with the code because it's so trivial
   that a novice to Java should be able to write it with ease after
   reading some documentation.

   According to Java in a Nutshell, 2nd edition, p. 139:

   * Untrusted code cannot perform networking operations, except in
   certain restricted ways.  Untrusted code cannot:
     [...]
     - Accept network connections on ports less than or equal to 1024 or
       from any host other than the one from which the code itself was
       loaded.

   While the port number restriction is held by the VM, the point of
   origin restriction is not held at all.


The error in your analysis is most likely that you were running Java code from
a class file installed on your local machine, as opposed to one which is
downloaded from a web site somewhere.  The former is considered "trusted,"
while the latter is "untrusted."

Any class file you've compiled on your local machine will be considered
"trusted," and will be allowed to do pretty much anything it wants.  Similarly,
any class file you've copied to your hard drive, as opposed to downloading from
within a web browser, will be considered "trusted."

--

                                     -- Bill Van Emburg
                                        Quadrix Solutions, Inc.
Phone: 732-235-2335, x206               (bve@quadrix.com)
Fax:   732-235-2336                     (http://quadrix.com)
        "You do what you want, and if you didn't, you don't"

------------------------------------------------------------------------

Date: Wed, 3 Feb 1999 00:49:10 -0800
From: Giao Nguyen <grail@CAFEBABE.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: Unsecured server in applets under Netscape

BVE writes:
 >
 > The error in your analysis is most likely that you were running Java code from
 > a class file installed on your local machine, as opposed to one which is
 > downloaded from a web site somewhere.  The former is considered "trusted,"
 > while the latter is "untrusted."

You'd think so. Don't worry. I sat on this bug for two days to verify
that I had everything working right and that I didn't have any funny
servers on my favorite port numbers. I tend to use 6969 whenever I
want to test something. The first iteration of this worked. I was
shocked.

A coworker mentioned the exact same thing you did. So I put it on our
development server. Loaded the web page. Same result. I then telnetted to
a machine approximately 3000 miles away on a separate network
unrelated to the network I was on. Same result. Just for kicks I got
some folks from other companies to help me verify that lunch didn't
include liquids which the company might frown upon. Same result.

The fact that my test was done on a Windows box and others repeated
the tests on a Unix platform confirmed that this was not a Windows +
Netscape related problem but that it was indeed a Netscape specific
thing.

 > Any class file you've compiled on your local machine will be considered
 > "trusted," and will be allowed to do pretty much anything it wants.  Similarly,
 > any class file you've copied to your hard drive, as opposed to downloading from
 > within a web browser, will be considered "trusted."

Yes, CLASSPATH contamination. I am aware of this.

To verify that it's not CLASSPATH contamination, I'm putting the
sample up at http://www.cafebabe.org/sapplet.html It doesn't do
anything other than allow connections to be made. It listens on 6969
btw. Now, the security measures as implemented by Netscape don't
allow for the equivalent of an accept() call to be made. However, it
could present an opportunity for DoS attacks. The source is at
http://www.cafebabe.org/Sapplet.java .

In retrospect, I think the topic is wrong. It should have been
different. The opportunity is still present for those who have a use
for such a thing. YMMV.

Giao Nguyen
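The rule quoted from Java in a Nutshell in the first message, and the accept()/DoS point in the message above, both come down to where the sandbox places its checks. The following is an added example, not code from this thread or from Sapplet.java: it writes the documented applet rule as a SecurityManager, with the port rule in checkListen (consulted when a ServerSocket is bound) and the origin rule in checkAccept (consulted when accept() returns). The origin host passed to the constructor is an assumption standing in for the applet codebase a browser would have used; the peer addresses in main() are constructed test values.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

/*
 * Added example; not part of the Bugtraq thread or of Sapplet.java.
 * Models the untrusted-applet networking rule quoted from "Java in a
 * Nutshell": no listening on ports <= 1024, and no accepting a connection
 * from any host other than the one the code was loaded from.
 *
 * The origin host is an assumed constructor argument (a browser derived it
 * from the applet codebase). SecurityManager is deprecated since Java 17 and
 * cannot be installed at runtime from Java 18 on without
 * -Djava.security.manager=allow, so the checks are exercised here as plain
 * method calls rather than by installing the manager.
 */
public class OriginSecurityManager extends SecurityManager {
    private final InetAddress origin;   // host the "applet" was loaded from

    public OriginSecurityManager(String originHost) throws UnknownHostException {
        this.origin = InetAddress.getByName(originHost);
    }

    /** Consulted when a ServerSocket is bound: reject privileged ports. */
    @Override
    public void checkListen(int port) {
        if (port <= 1024) {
            throw new SecurityException("untrusted code may not listen on port " + port);
        }
    }

    /** Consulted by ServerSocket.accept(): reject peers other than the code origin. */
    @Override
    public void checkAccept(String host, int port) {
        try {
            if (!InetAddress.getByName(host).equals(origin)) {
                throw new SecurityException("connection from " + host + ":" + port
                        + " refused: not the code origin " + origin.getHostAddress());
            }
        } catch (UnknownHostException e) {
            throw new SecurityException("cannot resolve peer " + host, e);
        }
    }

    /** Exercise the two checks the thread is about with constructed values. */
    public static void main(String[] args) throws Exception {
        OriginSecurityManager sm = new OriginSecurityManager("127.0.0.1");

        // Port rule: the one the report says Netscape did enforce.
        try {
            sm.checkListen(80);
            System.out.println("listen 80: allowed (policy violated)");
        } catch (SecurityException e) {
            System.out.println("listen 80: " + e.getMessage());
        }
        sm.checkListen(6969);                       // the port Sapplet uses
        System.out.println("listen 6969: allowed");

        // Origin rule: the one the report says Netscape did not enforce.
        sm.checkAccept("127.0.0.1", 40000);         // same host as the origin
        System.out.println("accept from origin: allowed");
        try {
            sm.checkAccept("192.0.2.10", 40001);    // constructed foreign peer
            System.out.println("accept from 192.0.2.10: allowed (policy violated)");
        } catch (SecurityException e) {
            System.out.println("accept from 192.0.2.10: " + e.getMessage());
        }
    }
}
```

Running main() prints a refusal for port 80 and for the foreign peer, and allows the other two calls. The split between the two checks also explains the DoS remark above: once a ServerSocket is bound, the kernel completes TCP handshakes into the listen backlog before accept() is ever called, so a sandbox that only enforces the origin rule at accept() time has already let the connection be established and occupy a backlog slot; the check can refuse to hand the socket to the applet, but not prevent the connection itself.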

------------------------------------------------------------------
[http://www.cafebabe.org/sapplet.html]

This page contains an applet listening on port 6969. It doesn't do
anything other than that.  How useful is it?

<applet code="Sapplet.class" width=10 height=10>
</applet>
------------------------------------------------------------------


------------------------------------------------------------------
[http://www.cafebabe.org/Sapplet.java]

import java.net.*;
import java.io.*;
import java.applet.*;

// Demonstration applet from the report: init() opens a listening socket on
// TCP port 6969 and nothing else; the applet never calls accept().
public class Sapplet extends Applet {
  ServerSocket  s;
  public void init() {
    try {
      // 6969 is above the privileged range, so the port rule of the sandbox
      // permits the bind; the origin rule would only apply at accept() time.
      s = new ServerSocket(6969);
    } catch (IOException io) {
      System.out.println("Well drat, it didn't work.");
    }
  }
}
------------------------------------------------------------------