From xforce@iss.net Tue Aug 8 00:51:43 2000
From: X-Force
Resent-From: mea culpa
To: alert@iss.net
Resent-To: jericho@attrition.org
Date: Mon, 7 Aug 2000 17:52:22 -0400
Subject: ISSalert: Internet Security Systems Security Alert: Brown Orifice, BOHTTPD, a Platform Independent Java Vulnerability in Netscape

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net
Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
August 7, 2000

Brown Orifice, BOHTTPD, a Platform Independent Java Vulnerability in Netscape

Synopsis:

On August 5th, Dan Brumleve made public code that demonstrates a serious security hole in the Netscape Java distribution. The vulnerability allows a hostile web site to start a server process on the browsing system. That server can read arbitrary files on the browsing system and on locally connected networks through "file:" URLs.

Netscape Navigator and Netscape Communicator versions 4.74 and earlier are vulnerable when Java is enabled. Mozilla from mozilla.org is not currently vulnerable. Preview 1 of Mozilla from Netscape (Netscape 6 Preview 1) has expired and cannot be tested. Microsoft Internet Explorer is not vulnerable at this time.

Impact:

A hostile web server can start a server process on the browsing system with no warning to the browsing user. This process can read any file on the local (browser) machine, or on the locally connected network through normal file sharing, that is accessible to the browsing user. The running server can also distribute additional code and external URLs, allowing self-propagation and feedback to the hostile site.

Affected Versions:

Netscape Communicator 4.74 and earlier with Java and downloadable plugins enabled.
Netscape Navigator 4.74 and earlier with Java and downloadable plugins enabled.
Affected Platforms:

All platforms on which Java and Netscape are available are vulnerable; this is a platform-independent exploit. Systems running Windows 2000, Windows NT and Linux have been demonstrated to be vulnerable.

Unaffected Platforms:

Microsoft Internet Explorer is not currently affected.
Mozilla is not currently affected.
Browsers with Java disabled are not affected.

Description:

When executed from a hostile web page, a hostile Java applet downloads a set of socket classes that let it create a web server inside the browser's Java runtime environment. Using the socket class, the exploit code listens on a configurable port number (the default is 8080, a port commonly used for HTTP proxies). Through "file:" URLs, this hostile server can read any local file, including any network file reachable from the local file system through file sharing.

The origination site carries clear warnings that this code is a security vulnerability, but nothing in the nature of the exploit requires the browser to warn the user. Like any other Java applet, it can run with no execution warning.

The origination page also does not fully describe the sample exploit server's behavior. In addition to starting a web server, the pages delivered by that server contain image references back to the originating host, so any browser that connects to a compromised system reveals itself to the origination site. This opens the possibility of further propagation of similar exploits, through redirection or references to the hostile code served by the hostile server itself. Self-propagating versions of this exploit have not been observed at this time.

The origination site contains a "BOHTTPD_spy" page listing sites known to have executed the code. This list is being actively used by other sites around the world, which are attempting to browse or break into the compromised sites.
Some of these attempts appear to be automated, while many appear to be simple manual browsing. These sites may be unaware that their own efforts to browse the compromised sites are being revealed to the origination site, along with the IP address and port they are browsing.

Fix Information:

No fix is available from Netscape as of this writing.

Recommendations:

Until a fix becomes available, Java should be disabled in the browser. Disabling the "downloader plugin" also prevents the download of the socket classes that this exploit requires in order to operate.

Additional Information:

The code available from http://www.brumleve.com/BrownOrifice includes Java source for the sample exploit, which could readily be modified for more malicious use. Information about this exploit appeared on several popular web sites, including Slashdot, days before it appeared on BugTraq. It should be assumed that knowledge of the exploit, its source code, and variations of it are widespread.

While Mozilla does not appear to be vulnerable at this time, this appears to be due to an error when attempting to locate the "downloader plugin". That could change with a new release or configuration. No other browsers are known to be vulnerable at this time.

A RealSecure signature for the following data will detect someone downloading BOHTTPD.class:

Context: URL_Data
String: .*BOHTTPD\.class

If the class is renamed, this signature will no longer be effective.

______

About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security management solutions for the Internet. By providing industry-leading SAFEsuite security software, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to its customers, protecting digital assets and ensuring safe and uninterrupted e-business. ISS' security management solutions protect more than 5,500 customers worldwide including 21 of the 25 largest U.S.
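The two checks a practitioner would want from the Recommendations and Additional Information sections above, as an added example that is not part of the original alert or of the BrownOrifice code: a host-side pass over Netscape prefs.js files to find profiles that still have Java enabled, and the RealSecure URL_Data signature applied to sample HTTP request lines, including a renamed copy of the class that slips past it. The pref name security.enable_java is an assumption about Netscape 4.x prefs.js and should be confirmed against a real profile; the profile contents and request lines are constructed for the example.

```python
import re

# ---- Check 1: which browser profiles still have Java enabled? ----

# Assumed Netscape 4.x pref name; verify against an actual prefs.js before relying on it.
JAVA_PREF = "security.enable_java"
PREF_LINE = re.compile(r'user_pref\("([^"]+)",\s*(true|false)\);')


def parse_prefs(prefs_text):
    """Return {pref_name: bool} for every boolean user_pref() line in a prefs.js file."""
    return {m.group(1): (m.group(2) == "true") for m in PREF_LINE.finditer(prefs_text)}


def java_enabled(prefs_text):
    """Java counts as enabled unless the pref is explicitly false.
    An absent pref means the browser default, which for Netscape 4 is Java on
    (assumption about the shipped default)."""
    return parse_prefs(prefs_text).get(JAVA_PREF, True)


def profiles_with_java(profiles):
    """profiles: {profile_name: prefs.js contents}. Returns the names still exposed."""
    return sorted(name for name, text in profiles.items() if java_enabled(text))


# Constructed sample profiles (not real user data).
SAMPLE_PROFILES = {
    "alice": 'user_pref("browser.startup.homepage", "http://intranet/");\n'
             'user_pref("security.enable_java", false);\n',
    "bob":   'user_pref("browser.startup.homepage", "http://intranet/");\n',
    "carol": 'user_pref("security.enable_java", true);\n',
}

# ---- Check 2: the RealSecure signature over request URLs ----

# Exactly the string from the alert: Context URL_Data, String .*BOHTTPD\.class
SIGNATURE = re.compile(r".*BOHTTPD\.class")


def url_from_request_line(line):
    """Return the request-URI from 'METHOD URI HTTP/x.y', or None for anything else."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]


def matches_signature(url_data):
    # The pattern begins with .*, so anchored match() behaves as a search.
    return SIGNATURE.match(url_data) is not None


def scan_requests(lines):
    """Return the request URLs that trip the signature."""
    hits = []
    for line in lines:
        url = url_from_request_line(line)
        if url is not None and matches_signature(url):
            hits.append(url)
    return hits


# Constructed sample request lines as a sensor on the browser's network would see them.
SAMPLE_REQUESTS = [
    "GET /BrownOrifice/index.html HTTP/1.0",
    "GET /BrownOrifice/BOHTTPD.class HTTP/1.0",   # original class name: detected
    "GET /images/logo.gif HTTP/1.0",
    "GET /mirror/Srv.class HTTP/1.0",             # renamed copy: not detected
    "not an http request line",
]

if __name__ == "__main__":
    print("Profiles with Java enabled:", profiles_with_java(SAMPLE_PROFILES))
    print("Signature hits:", scan_requests(SAMPLE_REQUESTS))
```

The signature is a literal regular expression, so it is case-sensitive and tied to the file name; as the alert says, renaming the class defeats it, which is why the host-side check of the Java setting is the control to rely on until a fix ships.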
commercial banks, 10 of the largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOY8vEDRfJiV99eG9AQF5kwQAqqeKbwF9Qu2ZPySj4LJZb9acoTEt/Tj5
FDUuk3TT/ykrSq9TK1BAtfJtc0r/Su6slCGuo3pQ+s5u5drdX44oMHxnYSz9OVzm
8d0nD7VgW8DkZQW2rfNDNZ1t+mZm//SqKjunhfB0YiCpiTU9DxrDTcba6W+qkmRZ
8XlYonLmZgw=
=xGJG
-----END PGP SIGNATURE-----