Thus spake Paul D. Robertson:
> So, all I need is a plug-in that sits around and waits for the
> Java code to start executing and overloads one of the standard callback
> functions with evil code, no? It's been forever since I did any Win*
> development, but unless things have changed quite significantly, all
> it would take is "click here to get the nifty plug in", "Install the
> nifty plug-in", "Go to the gee-wizz-neat-o java site from the nifty plug-in"
From the stuff I've seen from the plug-in SDK, plug-ins only get to
really deal with incoming streams of data, a drawing area and the MIME
stuff, as far as hooks into the browser go.
I'm pretty sure plug-ins can't hook onto the Java stuff, although if
you knew the name/address of the Java handler/entry point, and
Netscape wasn't careful about their dynamic loading mechanism...
> I'd think that mime apps are the same sort of risk, and it really doesn't
> take Java to do this, but it sure is nice to be able to modify the attack
> code without getting the user to download new code each time, and run an
> installation.
No problem... embed a perl/tcl/whatever interpreter in your plug-in,
and then load the code via the data stream.
Better yet, just have the data stream ship you an object file, and
then jump into it or fork it off, or whatever Netscape'll let you get
away with.
Downloading binary code == giving away the store, usually.
> After thinking about it for a lot longer than I really wanted to, I think
> that other than doing some CNAME or other DNS aliasing that someone else
> has already explored (wonder what the code actually checks for? Was this
> in the alpha release? I may still have that code somewhere...)
The code for the alpha release had lots of "this doesn't work like it
should, yet" comments in the security code. I haven't had the time to
give the FCS1.0 stuff a good once-over yet. =(
Mike
--
#> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation <#
#> Technical Specialist -- will tame sendmail(8) for food <#
#> <#
#> "You are a very perverse individual, and I think I'd like to get to <#
#> know you better." --- eric@reference.com <#