5354245 2000-08-12 04:05 /232 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12175>
Ärende: CERT Advisory CA-2000-15
------------------------------------------------------------
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20000810182135.A2987@underground.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CERT Advisory CA-2000-15 Netscape Allows Java Applets to Read
Protected Resources
Original release date: August 10, 2000
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
* Systems running Netscape Communicator version 4.04 through 4.74
with Java enabled. Netscape 6 is unaffected by this problem.
Overview
Netscape Communicator and Navigator ship with Java classes that
allow an unsigned Java applet to access local and remote resources
in violation of the security policies for applets.
I. Description
Failures in the netscape.net package permit a Java applet to read
files from the local file system by opening a connection to a URL
using the "file" protocol. For example, by opening a connection to
"file:///C:/somefile.txt" an intruder can read the contents of that
file.
Additionally, it is possible to use this technique to open
connections to resources using other types of protocols; that is,
it is possible to open a connection to "http," "https," "ftp," and
other types of URLs using this vulnerability.
By then using ordinary techniques, a malicious Java applet that
exploits this vulnerability could subsequently send the contents
of the file (or other resource) to the web server from which the
applet originated.
An exploit using this technique causes the victim to establish a
connection to the malicious web server (as opposed to the intruder
establishing a connection to the victim). Thus typical firewall
configurations fail to stop an attack of this type.
A tool written by Dan Brumleve dubbed "Brown Orifice" demonstrates
this vulnerability. Brown Orifice implements an HTTP server (web
server) as a Java applet and listens for connections to the
victim's machine. In conjunction with the Netscape vulnerability,
Brown Orifice essentially turns a web browser into a web server
and allows any machine on the Internet to browse the victim's
local file system. Typical firewall configurations stop this type
of attack, but as noted above, they do not stop simple variations
of this attack.
This vulnerability is the result of an implementation error in the
JRE that comes with the Netscape brower, not an architectural
problem in the Java security model.
This problem has been widely discussed in various forums on the
Internet. More information is available at
http://www.securityfocus.com/bid/1546
http://www.nipc.gov/warnings/assessments/2000/assess00-052.htm
http://xforce.iss.net/alerts/advise58.php
http://www.brumleve.com/BrownOrifice (Note that this site
contains a demonstration of the vulnerability which could
expose your files to intruders.)
As of the writing of this document, we have not received any
reports indicating exploitation of this vulnerability outside of
the context of obtaining it from the Brown Orifice web site. Note
that running Brown Orifice allows anyone, not just the
administrators of the Brown Orifice web site, to read files on
your system. The Brown Orifice web site publishes the IP address
of systems running Brown Orifice, and we have received reports of
third parties attempting to read files from a system identified on
the Brown Orifice web site. Furthermore, if you have extended any
file-reading privileges to anyone who has run Brown Orifice, your
files can be read by anyone on the Internet (subject to controls
imposed by your router and firewall.)
II. Impact
Intruders who can entice you into running a malicious Java applet
can read any file that you can read on your local or network file
system. Additionally, the contents of URLs located behind a
firewall can be exposed.
III. Solution
Organizations should weigh the risks presented by this
vulnerability against their need to run Java applets. At the
present time, an effective solution is to disable Java in
Netscape. Historically, vulnerabilities of this type have not been
widely exploited; however this is not an indication that they
can't be, or that targeted attacks are not effective and possible.
For organizations that have a need to run Java applets under their
own control (that is, in situations where the HTML page
referencing the applet is under their control), an alternate
solution is to install a Java Runtime Environment Plugin available
from Sun Microsystems. More information and pointers to
downloadable software is available at
http://java.sun.com/products/plugin/index.html
To use this plugin effectively requires the use of a tool to
convert HTML pages to use a different tag. Information about Sun's
HTML Converter Software is also available on this page. This tool
will rewrite HTML pages so that applets referenced in the page
will run in the JRE provided by the plugin.
To achieve protection from the resource reading vulnerability
using this tool requires you to disable Java in the Netscape
browser. The HTML Converter software will modify HTML pages to use
an <EMBED> tag instead of an <APPLET>. The JRE plugin software
recognizes the <EMBED> tag, and applets will then run within the
new JRE plugin, instead of the default JRE provided by Netscape.
Appendix A contains information provided by vendors for this advisory.
We will update the appendix as we receive more information. If you do
not see your vendor's name, the CERT/CC did not hear from that vendor.
Please contact your vendor directly.
_________________________________________________________________
Appendix A. Vendor Information
AOL Corporate Communications
Netscape takes all security issues very seriously, and we are
working to quickly evaluate and address this concern. If the
reports are accurate, we plan to make a patch available, but in
the interim, users can protect themselves by simply turning off
Java.
Users can also visit http://www.netscape.com/security to get the
mostup to date information on a patch, and its availability.
Sun Microsystems and Netscape
Sun is working with Netscape to deliver a new version of Navigator
and Communicator that will fix this problem.
Microsoft
Brown Orifice does not exploit any vulnerabilities in Microsoft
Products.
_________________________________________________________________
The CERT Coordination Center thanks Elias Levy, CTO of
SecurityFocus.com, and Sun Microsystems and AOL/Netscape for their
input and assistance in the construction of this advisory.
_________________________________________________________________
Author: Shawn Hernan
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2000-15.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2000 Carnegie Mellon University
Revision History
August 10, 2000: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQA/AwUBOZMdgFr9kb5qlZHQEQJuOwCeKah/x0jSt9JfZHMOrW3mbsJgGwsAn3kS
Rd6+iwnQYd684Z8YpSbaAT++
=GfPV
-----END PGP SIGNATURE-----
(5354245) ------------------------------------------(Ombruten)