From: Harmen van der Wal (harmwalxs4all.nl)
Date: Mon Mar 04 2002 - 19:32:24 CST

    ===Java HTTP proxy vulnerability===

       Reference wal-01
       Version 1.0
       Date March 05, 2002

    ===Cross references

       Sun Security Bulletin #00216
       Microsoft Security Bulletin MS02-013

       Vulnerability identifier CAN-2002-0058 (under review)
       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0058

    ===Classifications

       Java, networking, HTTP
       Web browsers, applets
       Unchecked network access, HTTP proxy connection hijacking

    ===Abstract problem description

       =Background
    The Java security model is designed to allow code from an untrusted
    source, usually web applets, to be safely executed.

       =Problem
    An applet can issue irregular, unchecked HTTP requests.

       =Consequence
    Network access restrictions that apply to the applet can be bypassed.
    Only systems that have an HTTP proxy configured can be vulnerable.

    One particularly nasty exploit is where a remote server, aided by a
    hostile applet, hijacks a browser's persistent HTTP connection to its
    configured HTTP proxy.

    ===Affected software & patch availability; vendor bulletins

       =Sun

           Bulletin Number: #00216
           Date: March 4, 2002
           Title: HttpURLConnection
           http://sunsolve.Sun.COM/pub-cgi/secBulletin.pl
           (At the time of this writing bulletin 216 was not available on
           the website yet.)

       =Microsoft

           Microsoft Security Bulletin MS02-013
           Java Applet Can Redirect Browser Traffic
           Originally posted: March 04, 2002
           http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-013.asp

       =Netscape
            Sun JVM (Java Virtual Machine) Issue
            http://home.netscape.com/security/

    ===Vendor contact
    Shortly after I, more or less by coincidence, discovered the issue, I
    reported it to Sun on April 07, 2001. They communicated it to their
    Java licensees, and coordinated a synchronized response.

       =Free Java implementations
    I audited both Kaffe and GNU Classpath class libraries, and to the
    best of my knowledge, they are not vulnerable to this issue. Anyone
    out there developing a free(TM) Java, please contact me if you have
    questions or concerns, and I will be happy to assist you in any way I
    can.

    ===Disclosure policy
    I do not plan to release details of the vulnerability that could make
    it easier for crackers to get exploits before a three month grace
    period has expired. Customers should not assume that the lack of
    vulnerability details at this time will prevent the creation of
    exploit programs.

    ===Detailed problem description
    No details are provided at this time.
    See Disclosure policy.

    ===PoC-exploit
    I supplied Sun with a PoC-exploit, and they passed it on to other
    vendors. No further distribution is expected.

    ===Software I tested/audited myself.
    Sun/Blackdown 1.1.7/8, 1.2.2, 1.3.0/1 linux/win32
    Netscape 4.61 default Java Runtime linux
    MSIE 5.0 default Java Runtime win32
    HotJava Browser 3.0
    Kaffe 1.06
    GNU Classpath 0.03

    ===Acknowledgment
    Thanks to the vendors for addressing the issue. Special thanks to
    Sun, in particular Chok Poh, for coordinating.

    ===Disclaimer & Copying
    This comes with ABSOLUTELY NO WARRANTY!
    Copying in whole and quoting parts permitted.

    ===History
    Version 1.0 is the first release of this document.
    Updates http://www.xs4all.nl/~harmwal/issue/wal-01.txt

    ===Contact
    Author Harmen van der Wal
    Mail harmwalxs4all.nl
    PGP http://www.xs4all.nl/~harmwal/harmen.pgp.txt

    ===End===

    -- 
    Harmen van der Wal - http://www.xs4all.nl/~harmwal/