1996-02-22 - Big Java security hole
Header Data
From: “Robichaux, Paul E” <perobich@ingr.com>
To: “cypherpunks@toad.com>
Message Hash: f3ddf4816cf1561d27ade08a685cc0fee5a2891f952f7fe14b7e9f3bf5be5fa5
Message ID: <c=US%a=%p=INTERGRAPH%l=HQ6960221161902DK003B00@hq13.pcmail.ingr.com>
Reply To: _N/A
UTC Datetime: 1996-02-22 12:03:23 UTC
Raw Date: Thu, 22 Feb 1996 20:03:23 +0800
Raw message
From: "Robichaux, Paul E" <perobich@ingr.com>
Date: Thu, 22 Feb 1996 20:03:23 +0800
To: "cypherpunks@toad.com>
Subject: Big Java security hole
Message-ID: <c=US%a=_%p=INTERGRAPH%l=HQ6960221161902DK003B00@hq13.pcmail.ingr.com>
MIME-Version: 1.0
Content-Type: text/plain
Forwarded to me by a fellow webmaster; I don't know the original source.
-Paul
Date: Sun, 18 Feb 1996 23:57:02 -0500
From: Drew Dean <ddean@CS.Princeton.EDU>
Subject: Java security problems
We have discovered a serious security problem with Netscape Navigator's 2.0
Java implementation. (The problem is also present in the 1.0 release of the
Java Development Kit from Sun.) An applet is normally allowed to connect
only to the host from which it was loaded. However, this restriction is not
properly enforced. A malicious applet can open a connection to an arbitrary
host on the Internet. At this point, bugs in any TCP/IP-based network
service can be exploited. We have implemented (as a proof of concept) an
exploitation of an old sendmail bug.
If the user viewing the applet is behind a firewall, this attack can
be used against any other machine behind the same firewall. The
firewall will fail to defend against attacks on internal networks,
because the attack originates behind the firewall.
The immediate fix for this problem is to disable Java from Netscape's
"Security Preferences" dialog. An HTTP proxy server could also
disable Java applets by refusing to fetch Java ".class" files. We've
sent a more detailed description of this bug to CERT, Sun, and
Netscape.
A second, also serious, bug exists in javap, the bytecode
disassembler. An overly long method name can overflow a stack
allocated buffer, potentially causing arbitrary native code to be
executed. The problem is an unchecked sprintf() call, just like the
syslog(3) problem last year. Many such bugs were in the alpha 3
release's runtime, but were carefully fixed in the beta release. The
disassembler bug apparently slipped through. This attack only works
on users who disassemble applets. The fix is to not run javap until
Sun releases a patch.
Note that we've only had success in exploiting the first flaw on an SGI.
Windows 95 and DEC Alpha versions of Netscape have other bugs in their
socket implementations that make it harder (although not necessarily
impossible) to exploit the problem. This is the second time that unrelated
implementation bugs have prevented us from demonstrating security problems
in Java.
http://www.cs.princeton.edu/~ddean/java will contain more information
soon, including a revised version of our paper, to appear in the 1996
IEEE Symposium on Security and Privacy.
Drew Dean <ddean@cs.princeton.edu>
Ed Felten <felten@cs.princeton.edu>
Dan Wallach <dwallach@cs.princeton.edu>
Department of Computer Science, Princeton University
For more information, please contact Ed Felten, 609-258-5906, FAX
609-258-1771.
_______________________________________________________
Travis Weller WebMaster, Metrowerks, Inc.
tcweller@metrowerks.com http://www.metrowerks.com/
Thread
Return to February 1996
- Return to “m5@dev.tivoli.com (Mike McNally)”
- Return to ““Perry E. Metzger” <perry@piermont.com>”
Return to ““Robichaux, Paul E” <perobich@ingr.com>”
- 1996-02-22 (Thu, 22 Feb 1996 20:03:23 +0800) - Big Java security hole - “Robichaux, Paul E” <perobich@ingr.com>
- 1996-02-22 (Wed, 21 Feb 96 19:39:07 PST) - Re: BIG JAVA SECURITY HOLE - “Perry E. Metzger” <perry@piermont.com>
- 1996-02-22 (Thu, 22 Feb 1996 22:06:17 +0800) - Re: BIG JAVA SECURITY HOLE - m5@dev.tivoli.com (Mike McNally)