Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: Untrusted Java applet can connect to localhost



> -----Original Message-----
> From: NGSSoftware Insight Security Research
> [mailto:nisr@xxxxxxxxxxxxxxx]
> Sent: Tuesday, October 30, 2007 12:20 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx;
> full-disclosure@xxxxxxxxxxxxxxxxx; vulnwatch@xxxxxxxxxxxxx
> Subject: Untrusted Java applet can connect to localhost
>
> Note: This advisory should have been published several months ago;
> apologies for the delay -- John Heasman
>
> =======
> Summary
> =======
> Name: Untrusted Java applet can connect to localhost
> Release Date: 29 October 2007
> Reference: NGS00443
> Discoverer: John Heasman <john@xxxxxxxxxxxxxxx>
> Vendor: Sun Microsystems
> Systems Affected: JDK and JRE 6 Update 1 and earlier, JDK and JRE 5.0
> Update 11 and earlier, SDK and JRE 1.4.2_14 and earlier
> Risk: Medium
> Status: Published
>
> ========
> Timeline
> ========
> Discovered:  1 October 2006
> Released:  2 October 2006
> Approved:  7 October 2006
> Reported:  1 November 2006
> Fixed: 18 July 2007
> Published: 29 October 2007
>
> ===========
> Description
> ===========
> The Java browser plugin shipped with the versions of the JRE and JDK
> listed above contains a vulnerability that allows an untrusted applet
> to violate the network access restrictions placed on it by the Java
> sandbox in order to connect to the local host. This permits a malicious
> website to host an applet that is capable of port scanning the local
> system and exploiting vulnerable network services (e.g. unpatched
> vulnerabilities in MSRPC etc.).
>
> =================
> Technical Details
> =================
> The Java browser plugin allows applets to be loaded from a remote
> location, most typically over HTTP/HTTPS but also over a number of other
> supported protocols, including an undocumented protocol scheme
> "verbatim". Untrusted applets are subject to network access restrictions
> documented at http://java.sun.com/sfaq/:
>
> "Applets are not allowed to open network connections to any computer,
> except for the host that provided the .class files. This is either the
> host where the html page came from, or the host specified in the
> codebase parameter in the applet tag, with codebase taking precedence."
>
> By specifying a codebase URI prefixed by "verbatim:" it is possible to
> load an applet from a remote location but have the browser plugin
> believe it has been loaded from the local host. This allows an untrusted
> applet to connect to and attempt to exploit network services running on
> the local host. It should be noted that, unlike binary sockets in Flash
> 9, an applet can connect to any port, not just those greater than 1024.
>
> At the time of reporting this issue, NGS provided Sun with a
> demonstration applet that exploited MS06-040 ("Vulnerability in Server
> Service could allow remote code execution") on a vulnerable XP SP1
> system.
>
> ===============
> Fix Information
> ===============
> This issue is addressed in the following releases (for Windows, Solaris,
> and Linux):
>
> JDK and JRE 6 Update 2 or later
> JDK and JRE 5.0 Update 12 or later
> SDK and JRE 1.4.2_15 or later
>
> Further information is available at
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102995-1
>
>
> NGSSoftware Insight Security Research
> http://www.ngssoftware.com/
> http://www.databasesecurity.com/
> http://www.nextgenss.com/
> +44(0)208 401 0070
>
> --
> E-MAIL DISCLAIMER
>
> The information contained in this email and any subsequent
> correspondence is private, is solely for the intended recipient(s) and
> may contain confidential or privileged information. For those other than
> the intended recipient(s), any disclosure, copying, distribution, or any
> other action taken, or omitted to be taken, in reliance on such
> information is prohibited and may be unlawful. If you are not the
> intended recipient and have received this message in error, please
> inform the sender and delete this mail and any attachments.
>
> The views expressed in this email do not necessarily reflect NGS policy.
> NGS accepts no liability or responsibility for any onward transmission
> or use of emails and attachments having left the NGS domain.
>
> NGS and NGSSoftware are trading names of Next Generation Security
> Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
> 4BF with Company Number 04225835 and VAT Number 783096402
>
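As an added example (not part of the forwarded NGS advisory and not Sun's code), here is a small Python check that decides from a `java -version` string whether an installed JRE/JDK falls in the range the advisory lists as affected by NGS00443. The fixed-release thresholds are taken from the Fix Information section above; the version-string format (`1.6.0_01` style, as printed by `java -version`) and the decision to report "unknown" for families the advisory does not mention are assumptions of this example.

```python
"""Decide whether a Sun JRE/JDK build is in the NGS00443 affected range.

Added example, not from the NGS advisory or from Sun. Thresholds are the
first fixed releases named in the advisory's Fix Information section:
JDK/JRE 6 Update 2, JDK/JRE 5.0 Update 12, SDK/JRE 1.4.2_15.
"""
import re

# (major, minor) family -> first update level that carries the fix.
# The advisory lists only the 1.4.2 line for the 1.4 family.
FIRST_FIXED_UPDATE = {
    (1, 6): 2,
    (1, 5): 12,
    (1, 4): 15,
}

# Assumed format: "1.6.0_01", optionally followed by a build/qualifier such as
# "-b06" or "-ea"; the update number is absent on a plain "1.6.0" release.
_VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?$')


def parse_java_version(text):
    """Return (major, minor, micro, update) from a version string.

    Accepts either the bare version ("1.5.0_11") or the first line printed by
    `java -version` ('java version "1.5.0_11"').
    """
    quoted = re.search(r'"([^"]+)"', text)
    candidate = quoted.group(1) if quoted else text
    match = _VERSION_RE.match(candidate.strip())
    if not match:
        raise ValueError("unrecognised Java version string: %r" % text)
    major, minor, micro, update = match.groups()
    return int(major), int(minor), int(micro), int(update or 0)


def is_affected(text):
    """True if the build predates the fix, False if fixed, None if unknown.

    None means the advisory says nothing about this family (e.g. 1.7.x or
    1.4.1.x), so the caller should not treat it as safe.
    """
    major, minor, micro, update = parse_java_version(text)
    family = (major, minor)
    if family not in FIRST_FIXED_UPDATE:
        return None
    if family == (1, 4) and micro != 2:
        return None
    return update < FIRST_FIXED_UPDATE[family]


def triage(version_lines):
    """Classify several `java -version` outputs; returns {input: verdict}."""
    verdicts = {}
    for line in version_lines:
        try:
            state = is_affected(line)
        except ValueError:
            state = None
        verdicts[line] = {True: "AFFECTED", False: "fixed", None: "unknown"}[state]
    return verdicts


if __name__ == "__main__":
    # Constructed sample inputs, in the shape `java -version` prints them.
    sample = [
        'java version "1.6.0_01"',
        'java version "1.6.0_02"',
        'java version "1.5.0_11"',
        'java version "1.5.0_12-b04"',
        'java version "1.4.2_14"',
        'java version "1.4.2_15"',
        'java version "1.7.0"',
    ]
    for line, verdict in triage(sample).items():
        print("%-32s %s" % (line, verdict))
```

The check is deliberately conservative: anything outside the three families the advisory names, or a malformed string, is reported as "unknown" rather than "fixed", because the advisory gives no basis for calling such a build safe.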



 




Copyright © Lexa Software, 1996-2009.