-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===Java HTTP proxy vulnerability===

Reference    wal-01
Version      1.0
Date         March 05, 2002

===Cross references

Sun Security Bulletin #00216
Microsoft Security Bulletin MS02-013

Vulnerability identifier CAN-2002-0058 (under review)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0058

===Classifications

Java, networking, HTTP
Web browsers, applets
Unchecked network access, HTTP proxy connection hijacking

===Abstract problem description

=Background

The Java security model is designed to allow code from an untrusted
source, usually web applets, to be safely executed.

=Problem

An applet could make irregular, unchecked HTTP requests.

=Consequence

Network access restrictions that apply to applets can be bypassed.
Only systems that have an HTTP proxy configured can be vulnerable.

One particularly nasty exploit is one where a remote server, aided by a
hostile applet, hijacks a browser's persistent HTTP connection to its
configured HTTP proxy.

===Affected software & patch availability; vendor bulletins

=Sun

Bulletin Number: #00216
Date: March 4, 2002
Title: HttpURLConnection
http://sunsolve.Sun.COM/pub-cgi/secBulletin.pl
(At the time of this writing bulletin 216 was not available on the
website yet.)

=Microsoft

Microsoft Security Bulletin MS02-013
Java Applet Can Redirect Browser Traffic
Originally posted: March 04, 2002
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-013.asp

=Netscape

Sun JVM (Java Virtual Machine) Issue
http://home.netscape.com/security/

===Vendor contact

Shortly after I, more or less by coincidence, discovered the issue, I
reported it to Sun on April 07, 2001. They communicated it to their Java
licensees, and coordinated a synchronized response.

=Free Java implementations

I audited both the Kaffe and GNU Classpath class libraries, and to the
best of my knowledge, they are not vulnerable to this issue.

Anyone out there developing a free(TM) Java, please contact me if you
have questions or concerns, and I will be happy to assist you in any way
I can.

===Disclosure policy

I do not plan to release details of the vulnerability that could make
it easier for crackers to get exploits before a three-month grace period
has expired.

Customers should not assume that the lack of vulnerability details at
this time will prevent the creation of exploit programs.

===Detailed problem description

No details are provided at this time. See Disclosure policy.

===PoC-exploit

I supplied Sun with a PoC-exploit, and they passed it on to other
vendors. No further distribution is expected.

===Software I tested/audited myself

Sun/Blackdown 1.1.7/8, 1.2.2, 1.3.0/1   linux/win32
Netscape 4.61 default Java Runtime      linux
MSIE 5.0 default Java Runtime           win32
HotJava Browser 3.0
Kaffe 1.06
GNU Classpath 0.03

===Acknowledgment

Thanks to the vendors for addressing the issue. Special thanks to Sun,
in particular Chok Poh, for coordinating.

===Disclaimer & Copying

This comes with ABSOLUTELY NO WARRANTY!
Copying in whole and quoting parts permitted.

===History

Version 1.0 is the first release of this document.

Updates
http://www.xs4all.nl/~harmwal/issue/wal-01.txt

===Contact

Author  Harmen van der Wal
Mail    harmwal@xs4all.nl
PGP     http://www.xs4all.nl/~harmwal/harmen.pgp.txt

===End===
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8hBnWqX9LFhm8cvYRAsXwAJ4jr1pm6lTqarPmbZNhuc4gGAwNSACeMIg9
nEyfEY6Us0AxLR0FoKFM/Q0=
=a9rw
-----END PGP SIGNATURE-----

-- 
Harmen van der Wal - http://www.xs4all.nl/~harmwal/