December 12, 2000, 8:54 AM — Yet another Internet exploit sent a ripple of disquiet through the ether last week.
The unease was not due solely to the new vulnerability in Netscape and Java, but also
to its discoverer, Dan Brumleve, who chose to call his demonstration program
Dan. I'll be calling it BOH from now on, just so I don't have to think too much about
the name.
BOH exploits two flaws in the Java implementation in Netscape Communicator and
Navigator versions 4.04 to 4.74. If you have Java enabled, you could unwittingly
download and execute a version of BOH. The demo version sets up a Web server on the
targeted machine that listens at port 8080 and allows anyone to read all files that the
local Netscape user can read. The demo shows how to bypass Navigator's Java Security
Manager, which is supposed to prevent Java applets from reading local files.
In the BOH demo, you must be able to access port 8080, using any browser, to peruse
the victim's files. Most firewalls stop arbitrary incoming connections, so running the
BOH demo opens up a local network hole, not a way for a remote attacker to access your
files. But the demonstration code can be modified to set up an HTTP, HTTPS, or FTP
connection to a remote server. This could be a real headache.
When the modified version begins running, it makes a TCP connection (to port 21, 80,
or 443) back to the attacker; outgoing connections to HTTP, HTTPS, and FTP servers are
permitted by most firewall configurations. The attacker then runs a server that appears
to be the expected service -- it sends the correct protocol responses -- but is
actually a client for remote control of the modified BOH.
The modified BOH still limits the attacker to reading files, although it may be
possible to access files served by other internal servers as well. That idea was posted
to Bugtraq last
week. It shouldn't work -- the Security Manager should prevent it -- but we've already
seen that the Security Manager can be broken.
You can check to see if Java is enabled in Netscape: from the Edit menu, choose
Preferences and then Advanced. If the button next to Enable Java is dark, Java is
enabled. To disable Java, unselect Enable Java, click Okay, then exit Netscape.
Although the change takes place immediately, an evil Java applet may continue running
until you reboot. Brumleve mentioned an unconfirmed case where BO continued running on
a Windows 2000 system after Netscape was shut down, but this seems unlikely.
I suggest you keep Java disabled unless you have a specific need for it; even then,
enable it for the shortest time possible. If it's too much trouble to get your users to
disable Java on all your client machines, some firewalls offer a feature that strips
out Java applets as they pass through application gateways.
How easy is it to modify BOH? The
readily available. It consists of 1,248 lines of Java (with no comments). The necessary
classfile, java40.jar, appears on many systems, perhaps any system where Netscape is
installed. If even one person properly modifies the source and publishes it, BOH could
appear in a form that will tunnel through firewalls.
