A complete revision history is at the end of this file.
Netscape Communicator and Navigator ship with Java classes that allow an unsigned Java applet to access local and remote resources in violation of the security policies for applets.
Failures in the netscape.net package permit a Java applet to read files from the local file system by opening a connection to a URL using the "file" protocol. For example, by opening a connection to "file:///C:/somefile.txt" an intruder can read the contents of that file.
Additionally, it is possible to use this technique to open connections to resources using other types of protocols; that is, it is possible to open a connection to "http," "https," "ftp," and other types of URLs using this vulnerability.
By then using ordinary techniques, a malicious Java applet that exploits this vulnerability could subsequently send the contents of the file (or other resource) to the web server from which the applet originated.
An exploit using this technique causes the victim to establish a connection to the malicious web server (as opposed to the intruder establishing a connection to the victim). Thus typical firewall configurations fail to stop an attack of this type.
A tool written by Dan Brumleve dubbed "Brown Orifice" demonstrates this vulnerability. Brown Orifice implements an HTTP server (web server) as a Java applet and listens for connections to the victim's machine. In conjunction with the Netscape vulnerability, Brown Orifice essentially turns a web browser into a web server and allows any machine on the Internet to browse the victim's local file system. Typical firewall configurations stop this type of attack, but as noted above, they do not stop simple variations of this attack.
This vulnerability is the result of an implementation error in the JRE that comes with the Netscape browser, not an architectural problem in the Java security model.
This problem has been widely discussed in various forums on the Internet. More information is available at
As of the writing of this document, we have not received any reports indicating exploitation of this vulnerability outside of the context of obtaining it from the Brown Orifice web site. Note that running Brown Orifice allows anyone, not just the administrators of the Brown Orifice web site, to read files on your system. The Brown Orifice web site publishes the IP address of systems running Brown Orifice, and we have received reports of third parties attempting to read files from a system identified on the Brown Orifice web site. Furthermore, if you have extended any file-reading privileges to anyone who has run Brown Orifice, your files can be read by anyone on the Internet (subject to controls imposed by your router and firewall).
Organizations should weigh the risks presented by this vulnerability against their need to run Java applets. At the present time, an effective solution is to disable Java in Netscape. Historically, vulnerabilities of this type have not been widely exploited; however, this is not an indication that they can't be, or that targeted attacks are not effective and possible.
For organizations that have a need to run Java applets under their own control (that is, in situations where the HTML page referencing the applet is under their control), an alternate solution is to install a Java Runtime Environment Plugin available from Sun Microsystems. More information and pointers to downloadable software are available at
To use this plugin effectively requires the use of a tool to convert HTML pages to use a different tag. Information about Sun's HTML Converter Software is also available on this page. This tool will rewrite HTML pages so that applets referenced in the page will run in the JRE provided by the plugin.
To achieve protection from the resource reading vulnerability using this tool requires you to disable Java in the Netscape browser. The HTML Converter software will modify HTML pages to use an <EMBED> tag instead of an <APPLET>. The JRE plugin software recognizes the <EMBED> tag, and applets will then run within the new JRE plugin, instead of the default JRE provided by Netscape.
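For organizations taking the plugin route, the following added example (not part of the advisory and not Sun's HTML Converter) audits pages under your control for <APPLET> tags that have not yet been converted and would therefore stop working once Java is disabled in Netscape. The MIME type prefix used to recognize converted <EMBED> tags and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: converted <EMBED> tags carry a MIME type starting with this prefix.
JAVA_PLUGIN_MIME = "application/x-java-applet"

# Constructed sample page: one unconverted applet, one converted applet,
# and one unrelated <EMBED> that must not be counted.
SAMPLE_PAGE = """<html><body>
<APPLET CODE="Ticker.class" CODEBASE="/applets" WIDTH=200 HEIGHT=50></APPLET>
<EMBED type="application/x-java-applet;version=1.2" code="Chart.class" width=300 height=200>
<embed type="audio/midi" src="tune.mid">
</body></html>
"""


class AppletAudit(HTMLParser):
    """Separate applets aimed at the browser's built-in JRE (<APPLET>)
    from applets aimed at the separately installed JRE plugin (<EMBED>)."""

    def __init__(self):
        super().__init__()
        self.unconverted = []  # (line, code, codebase) for each <APPLET>
        self.converted = []    # (line, code) for each Java <EMBED>

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        a = {name: (value or "") for name, value in attrs}
        line = self.getpos()[0]
        if tag == "applet":
            code = a.get("code") or a.get("object", "")
            self.unconverted.append((line, code, a.get("codebase", "")))
        elif tag == "embed" and a.get("type", "").lower().startswith(JAVA_PLUGIN_MIME):
            self.converted.append((line, a.get("code", "")))


def audit_page(html_text):
    """Return the converted and unconverted applet references in one page."""
    parser = AppletAudit()
    parser.feed(html_text)
    parser.close()
    return {"unconverted": parser.unconverted, "converted": parser.converted}


def needs_conversion(html_text):
    """True if the page still references an applet through <APPLET>."""
    return bool(audit_page(html_text)["unconverted"])


if __name__ == "__main__":
    for line, code, codebase in audit_page(SAMPLE_PAGE)["unconverted"]:
        print(f"line {line}: <APPLET> {code!r} (codebase {codebase!r}) not yet converted")
```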
Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.
Netscape takes all security issues very seriously, and we are working to quickly evaluate and address this concern. If the reports are accurate, we plan to make a patch available, but in the interim, users can protect themselves by simply turning off Java.
Users can also visit http://www.netscape.com/security to get the most up to date information on a patch, and its availability.
Sun Microsystems and Netscape
Sun is working with Netscape to deliver a new version of Navigator and Communicator that will fix this problem.
Brown Orifice does not exploit any vulnerabilities in Microsoft Products.
The CERT Coordination Center thanks Elias Levy, CTO of SecurityFocus.com, and Sun Microsystems and AOL/Netscape for their input and assistance in the construction of this advisory.
Copyright 2000 Carnegie Mellon University
Revision History
August 10, 2000: Initial release