Note: This advisory should have been published several months ago; apologies for the delay -- John Heasman ======= Summary ======= Name: Untrusted Java applet can connect to localhost Release Date: 29 October 2007 Reference: NGS00443 Discover: John Heasman <john@xxxxxxxxxxxxxxx> Vendor: Sun Microsystems Systems Affected: JDK and JRE 6 Update 1 and earlier, JDK and JRE 5.0 Update 11 and earlier, SDK and JRE 1.4.2_14 and earlier Risk: Medium Status: Published ======== TimeLine ======== Discovered: 1 October 2006 Released: 2 October 2006 Approved: 7 October 2006 Reported: 1 November 2006 Fixed: 18 July 2007 Published: 29 October 2007 =========== Description =========== The Java browser plugin shipped with versions of the JRE and JDK listed above, contains a vulnerability that allows an untrusted applet to violate the network access restrictions placed on it by the Java sandbox in order to connect to the local host. This permits a malicious website to host an applet that is capable of port scanning the local system and exploiting vulnerable network services (e.g. unpatched vulnerabilities in MSRPC etc.) ================= Technical Details ================= The Java browser plugin allows applets to be loaded from a remote location most typically over HTTP/HTTPs but also over a number of other supported protocols including an undocumented protocol scheme "verbatim". Untrusted applets are subject to network access restrictions documented at http://java.sun.com/sfaq/: "Applets are not allowed to open network connections to any computer, except for the host that provided the .class files. This is either the host where the html page came from, or the host specified in the codebase parameter in the applet tag, with codebase taking precendence." By specifying a codebase URI prefixed by "verbatim:" it is possible to load an applet from a remote location but have the browser plugin believe it has been loaded from the local host. This allows an untrusted applet to connect to and attempt to exploit network services running on the local host. It should be noted that unlike binary sockets in Flash 9, an applet can connect to any port, not just those greater than 1024. At the time of reporting this issue, NGS provided Sun with a demonstration applet that exploited MS06-040 ("Vulnerability in Server Service could allow remote code execution") on a vulnerable XP SP1 system. =============== Fix Information =============== This issue is addressed in the following releases (for Windows, Solaris, and Linux): JDK and JRE 6 Update 2 or later JDK and JRE 5.0 Update 12 or later SDK and JRE 1.4.2_15 or later Further information is available at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102995-1 NGSSoftware Insight Security Research http://www.ngssoftware.com/ http://www.databasesecurity.com/ http://www.nextgenss.com/ +44(0)208 401 0070 -- E-MAIL DISCLAIMER The information contained in this email and any subsequent correspondence is private, is solely for the intended recipient(s) and may contain confidential or privileged information. For those other than the intended recipient(s), any disclosure, copying, distribution, or any other action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful. If you are not the intended recipient and have received this message in error, please inform the sender and delete this mail and any attachments. The views expressed in this email do not necessarily reflect NGS policy. NGS accepts no liability or responsibility for any onward transmission or use of emails and attachments having left the NGS domain. NGS and NGSSoftware are trading names of Next Generation Security Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1 4BF with Company Number 04225835 and VAT Number 783096402
