Bugtraq mailing list archives

Re: Unsecured server in applets under Netscape

From: shidoshi () black kage net (Tramale K. Turner)
Date: Wed, 3 Feb 1999 14:51:36 -0500


Confirmed on Netscape 4.5 running on an NT 4 SP 4 box.

Loaded up a similar applet on the internal network without standard applet
callback methods of stop() or destroy().  Kill the window that opened the
applet and the socket remains running (as expected, and only if some other
application in the same process space is running).

Fun!

--Shido

Shidoshi () monkey org


-----Original Message-----
From:   Bugtraq List [mailto:BUGTRAQ () netspace org] On Behalf Of Giao Nguyen
Sent:   Wednesday, February 03, 1999 3:49 AM
To:     BUGTRAQ () netspace org
Subject:        Re: Unsecured server in applets under Netscape

BVE writes:


The error in your analysis is most likely that you were running Java code

from

a class file installed on your local machine, as opposed to one which is
downloaded from a web site somewhere.  The former is considered

"trusted,"

while the latter is "untrusted."


You'd think so. Don't worry. I sat on this bug for two days to verify
that I had everything workin right and that I didn't have any funny
servers on my favorite port numbers. I tend to use 6969 whenever I
want to test something. The first iteration of this worked. I was
shocked.

A coworker mentioned the exact same thing you did. So I put it on our
development server. Loaded the web page. Same result. I then telnet to
a machine approximately 3000 miles away on a separate network
unrelated to the network I was on. Same result. Just for kicks I got
some folks from other companies to help me verify that lunch didn't
include liquids which the company might frown upon. Same result.

The fact that my test was done on a Windows box and others repeated
the tests on a Unix platform confirmed that this was not a Windows +
Netscape related problem but that it was indeed a Netscape specific
thing.

Any class file you've compiled on your local machine will be considered
"trusted," and will be allowed to do pretty much anything it wants.

Similarly,

any class file you've copied to your hard drive, as opposed to

downloading from

within a web browser, will be considered "trusted."


Yes, CLASSPATH contamination. I am aware of this.

To verify that it's not CLASSPATH contamination, I'm putting the
sample up at http://www.cafebabe.org/sapplet.html It doesn't do
anything other than allow connections to be made. It listens on 6969
btw. Now, the security measures as implemented by Netscape doesn't
allow for the equivalence of an accept() call to be made. However, it
could present an opportunity for DoS attacks. The source is at
http://www.cafebabe.org/Sapplet.java .

In retrospect, I think the topic is wrong. It should have been
different. The opportunity is still present for those who has a use
for such thing. YMMV.

<deletia>

Giao Nguyen

Current thread:

Unsecured server in applets under Netscape Giao Nguyen (Feb 02)
- Re: Unsecured server in applets under Netscape BVE (Feb 02)
  - Re: Unsecured server in applets under Netscape Giao Nguyen (Feb 03)
    - Re: Unsecured server in applets under Netscape Tramale K. Turner (Feb 03)
    - Re: Unsecured server in applets under Netscape Alex Muntada (Feb 05)
- Net::RawIP 0.05 has been released Sergey V. Kolychev (Feb 03)
- Buffer overflow and OS/390 Do-Geun Jo (Feb 04)
- Re: Unsecured server in applets under Netscape Tor Houghton (Feb 04)
- Microsoft Access 97 Stores Database Password as Plaintext Donald Moore (Feb 04)
  - Widespread Router Access Port DoS HD Moore (Feb 04)
  - Re: Microsoft Access 97 Stores Database Password as Plaintext Ernie Souhrada (Feb 04)
  - NOBO denial of service Andrew J. Gavin (Feb 04)
    - Re: NOBO denial of service Flavio Veloso (Feb 09)
  - Re: Microsoft Access 97 Stores Database Password as Plaintext Ricardo Peres (Feb 04)

(Thread continues...)