![[LWN Logo]](/images/lcorner.png) |
|
![[Timeline]](/images/Included.png) |
Date: Thu, 10 Aug 2000 09:04:32 +0200
From: "Greulich, Andreas" <Andreas.Greulich@ISB.ADMIN.CH>
Subject: BrownOrifice can break firewalls!
To: BUGTRAQ@SECURITYFOCUS.COM
Hi all,
I am quite surprised about the low echo the newest bug in Netscapes Java
library (see http://www.brumleve.com/BrownOrifice/) receives. I am quite
worried about it because I think its impact is much higher than the
"WWW-server-applet" you find on above page. The WWW-server is a nice demo,
but for most users behind firewalls no real risk because the firewall will
usually block access from attackers to the victims browsers (ie his
"applet-server"). This can lead peopel to a dangerous feeling of security
though.
I am worried about a combination of a rogue applet and a rogue servlet (for
example CGI-script), both on the same server on the internet. The applet,
downloaded and started on a victims browser inside Intranet, assuming his
firewall allows him to receive Java applets, would build up a connection to
the rogue servlet implementing a kind of "reverse tunnel" similar to SSH.
This tunnel would principially receive a line from the rogue servlet,
interpreting this as URL by sending it through
netscape.net.URLConnection/URLInputStream. The result would be sent back to
the rogue servlet, then repeating these actions in an endless loop or until
the victim exits his browser. This way the servlet can use the tunnel to its
applet in order to read any file on teh victims machine without the firewall
being able to prevent it.
But it becomes worse... I tried these buggy Java methods and found that they
do not only work for accessing local files on the victims PC. Much worse,
they allow access to ANY URL (!) the victims browser can reach! In above
scenario, the rogue servlet would not only be able to read all files on the
victims machine, but freely surf inside the Intranet where the vicitm is
located. Regardless whether it is VPN-protected or whatever, the servlet
would see what the victims browser can see. It is easy to verify that:
Access above site, activate the rogue applet-server, conenct to it, but give
an URL instead of a filename (the Java applet actually takes care of it, it
doesn't prepend "file://" if you start the location with "http://",
"ftp://", etc - see its sourcefile BOHTTPD.java). Sor, try for example to
access "http://your.victim.browser:8080/http://www.your.intranet.server" and
you will see taht this way you can see what your victim browser sees. It is
not very useful per se, as you can usually see these machines anyway
(otherwise you could not connect to the victim browser). But if the rogue
applet initiated a tunnel as described above - and most firewalls would
allow this because it is outgoing - it DOEs become a problem. In short, it
would deactivate your firewall, the combination of rogue applet on your
Intranet victim machine plus rogue servlet on the Internet machine can work
as (reverse) proxy into your Intranet! Actually teh rogue servlet could
itself be combined with a WWW frontend allowing access to teh Intranet.
It even becomes worse than that - as if it were not bad enough. We are using
personal X.509 certificates in order to authenticate SSL connections. I'm
not speaking about standard server-authentication now; I am speaking about
client authentication, ie the scneario where your oersinal browser has a
personal certificate installed and uses this for authentication. These
certificates are still quite rare (estimated 2% of all SSL traffic), but
becoming important, for example for Internet banking. Private keys for
personal certificates are usually stored on your local disk, protected (ie
encrypted) by a passphrase. Netscape can be congigured in a way this
passphrase has only to be given once per Netscape session - it is then
cached for subsequent authentications, and Netscape performs these
automagically. Most peopel have this otpion activated. If they are very
security-concerned, they will use the option that asks again for the
passphrase after 30 minutes of not being used. Hardly anybody has it set up
in a way it is asked every time. It would be impractical to work with it
that way.
Now the problem is that, once your personal certificate is "opened" in above
way (so teh user entered it once and teh browser cached it), Netscape will
automagically use it again without informing the user - even if this request
is performed using netscape.net.URLConnetion/URLInputStream! Thsi means, the
rogue servlet does nto only see what the victims browser sees, but can also
authenticate itself in the same way teh victims browser could do on its
behalf without direct user interaction.
To try it out, make sure you have a browser with personal certificate
installed, passphrase, and set it up so that it asks only once a session for
it. Then use it to connect to a server that needs you to unlock the
certificate (ie enter passphrase), say "https://your.bank.com". Netscape now
keeps that in cache. Now get teh rogue applet mentioned above. Then go to
anotehr browser (liek starting the Explorer on your machine), and connect to
"http://your.victim.browser:8080/https://your.bank.com". And bingo, here you
are, and authenticated.
I think this problem needs more care and more pressure onto Netscape. The
only thing I can imagine is to turn off Java or replace it by anotehr
engine. I tried to disable all netscape.net.* methods in Netscapes
java40.jar file but did not succeeed (wrong digital signature then, of
course). Does anybody know an easy way how these methods could be blocked?
What can be done on the firewall? It seems Checkpoint can hardly block Java
without huge performance loss. Plus it would be quite a heavy measure...
blocking Java only for Netscape, or even block all Java applets that refer
to netscape.net.* methods would be an option - but are they feasible?
Any otehr ideas/suggestions?
Andy