From: Steve Gibbons <steve@aztech.net>
Date: Sat, 27 Jan 1996 18:37:36 +0800
To: llurch@networking.stanford.edu
Subject: Re: Possible Java hack.
Message-ID: <0099CFED.982523E0.1@aztech.net>
MIME-Version: 1.0
Content-Type: text/plain


In Article: <Pine.ULT.3.91.960127013341.19154Q-100000@Networking.Stanford.EDU>, Rich Graves <llurch@networking.stanford.edu> wrote:
# > [I've CCed this to cypherpunks, as well, I hope that you don't mind.]

# Not at all, it was private only because I wasn't totally sure it wasn't a
# stupid question. 

Not at all.  I'm worried about similar respnses to my original post given my
instable base.  :)

# > It would be very easy to conceal the "devious" portion of the applet 
# > inside of trojan horse that ran for a length of time greater than the 
# > minimum TTL for DNS caching.

# Which I believe you will find is platform- and even application-dependent.

I don't pretend to understand how every system on the market works, especially
those that have "PC" somewhere in their offficial or onufficial name.

# If you're talking about Windows NT or 95, for example, the winsock.dll 
# used by 16-bit applications caches DNS lookups in the TCP/IP stack 
# itself. I think TTL is listened to.

[See the caveat above.]

# wsock32.dll, on the other hand, doesn't do central DNS caching. So
# applications implement it themselves. I'm not sure that applications even
# have an opportunity to see the TTL information in the DNS response. I
# doubt there's standard behavior; Netscape, HotJava, and other stuff will
# probably time out DNS lookups differently. 

The thing to remember, with Java is that it's "platform independant" and thus
the security of Java as a whole will be the product of its parts.

# Real operating systems are probably a bit more standard about what they 
# do with DNS lookups, but I'm sure there's variance.

There is.  Actually its "real OS's" that I worry about most.  If you run
idenmtd, it might be possible for a java applet to determine who invoked it.
If fingerd (or any other service) allows and responds to connections from
127.0.0.1 (ie. localhost...)

# Still a really interesting idea, though. My first reaction was, well who 
# the hell controls a DNS server and a Web server and is likely to have a 
# piece of Java that you are likely to download? And the answer is, just 
# the kind of person you worry about.

I didn't state it explicitly, but that's exactly my point.

# This bait & switch thang can really be generalized to any kind of attack. 
# Of course, it's traceable, since not that many people own or can spoof a
# DNS server. 

Traceable by what?  If my assumptions are correct (which I'm willing to admit
that they might not be) all the attacker has to spoof is name to address for a
name that he/she already controls.  I don't expect that most PCs and/or
Macintosh's do this as a matter of course.  Most firewalls probably do, but I
wouldn't count on it.

--
Steve@AZTech.Net