Published: 2000-10-20 00:00:00
Revised: 2008-09-05 16:21:42

[原文]Netscape Communicator does not properly prevent a ServerSocket object from being created by untrusted entities, which allows remote attackers to create a server on the victim's system via a malicious applet, as demonstrated by Brown Orifice.

[CNNVD] Netscape Communicator ServerSocket Object Creation Vulnerability (CNNVD-200010-071)

        Netscape Communicator does not properly prevent untrusted entities from creating ServerSocket objects. A remote attacker can use a malicious applet to create a server on the victim's system, as demonstrated by Brown Orifice.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may be degraded or access to resources interrupted]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:netscape:communicator:4.04  Netscape Communicator 4.04
cpe:/a:netscape:communicator:4.6   Netscape Communicator 4.6
cpe:/a:netscape:communicator:4.08  Netscape Communicator 4.08
cpe:/a:netscape:communicator:4.5   Netscape Communicator 4.5
cpe:/a:netscape:communicator:4.74  Netscape Communicator 4.74
cpe:/a:netscape:communicator:4.73  Netscape Communicator 4.73
cpe:/a:netscape:communicator:4.07  Netscape Communicator 4.07
cpe:/a:netscape:communicator:4.06  Netscape Communicator 4.06
cpe:/a:netscape:communicator:4.05  Netscape Communicator 4.05
cpe:/a:netscape:communicator:4.72  Netscape Communicator 4.72
cpe:/a:netscape:communicator:4.51  Netscape Communicator 4.51
cpe:/a:netscape:communicator:4.0   Netscape Communicator 4.0
cpe:/a:netscape:communicator:4.61  Netscape Communicator 4.61
cpe:/a:netscape:communicator:4.7   Netscape Communicator 4.7

- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  BUGTRAQ  20000816 JDK 1.1.x Listening Socket Vulnerability (was Re: BrownOrifice can break firewalls!)
(VENDOR_ADVISORY)  BUGTRAQ  20000805 Dangerous Java/Netscape Security Hole

- Vulnerability information

Netscape Communicator ServerSocket Object Creation Vulnerability
High risk  Unknown
2000-10-20 00:00:00 2005-08-17 00:00:00
        Netscape Communicator does not properly prevent untrusted entities from creating ServerSocket objects. A remote attacker can use a malicious applet to create a server on the victim's system, as demonstrated by Brown Orifice.

- Advisories and patches


- Vulnerability information (20139)

Sun JDK 1.1.x, Sun JRE 1.1.x Listening Socket Vulnerability (EDBID:20139)
multiple remote
2000-08-03 Verified
0 Alexey Yarovinsky

A set of flaws in multiple vendors' Java implementation allows a malicious applet to open a listening socket to accept network connections against the security policy.

Java applications use the ServerSocket class to create a listening network socket on which to accept network connections. The ServerSocket class should use the SecurityManager.checkListen() method to determine whether a class is allowed to create a server-side listening socket, and a SecurityException should be thrown if the class is not allowed to create such a socket. By default, untrusted classes such as applets should not be allowed to create such sockets. The affected Java implementations fail to throw a SecurityException when an applet creates a ServerSocket.

After a ServerSocket object has been created, an application accepts network connections either by calling the ServerSocket.accept() method or by subclassing ServerSocket and using its ServerSocket.implAccept() method to implement its own accept method. The ServerSocket.accept() method normally calls the SecurityManager.checkAccept() method to determine whether a class may accept a server connection.

The ServerSocket.accept() and ServerSocket.implAccept() methods both accept the network connection before determining whether the class may accept it; this is necessary to learn the remote address and remote port of the connection. If the connection should not be accepted, these methods shut it down by calling the socket's Socket.close() method and then throw a SecurityException.

Because the ServerSocket.implAccept() method takes as an argument the Socket object to use for the connection, a malicious class can pass it an instance of a Socket subclass that overrides close() so that it does not close the socket. By then ignoring the SecurityException, the malicious class can accept the connection and make use of the socket.

Sun's implementation of the ServerSocket.implAccept() method seems to have closed the second vulnerability by calling the Socket.impl.close() method instead of the Socket.close() method.

By combining these two flaws a malicious applet can accept connections from any host.

Both the Netscape and Microsoft Java Virtual Machines are affected by this vulnerability. However, in Microsoft products the file: URL type is not effective for reading files, meaning that only web-accessible documents can be retrieved via this method; the file: URL will still verify the existence of a file, checking whether it exists and returning a SecurityException error message if it does not. Netscape browsers will pass both web documents and local files to the attacker.
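The two checks the description names, a checkListen-style check before a listening socket exists and a checkAccept-style check once the peer is known, can only be enforced if the cleanup of a rejected connection is owned by the accepting code rather than by an object the caller supplied. The following is an added example (not JDK, Netscape or Microsoft code) of such a guard; GuardedServerSocket, its Policy interface and the loopback self-test in main are hypothetical names, and it assumes a JDK 8 or later with loopback networking available.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;

// Hypothetical guard (added example, not JDK or vendor code): a checkListen-style check before the
// socket exists, a checkAccept-style check once the peer is known, and cleanup of a rejected
// connection that this class owns, so a caller-supplied Socket subclass can never intercept it.
public final class GuardedServerSocket {
    public interface Policy {                        // mirrors SecurityManager.checkListen/checkAccept
        boolean mayListen(int port);
        boolean mayAccept(String host, int port);
    }
    private final ServerSocket server;
    private final Policy policy;
    private GuardedServerSocket(ServerSocket s, Policy p) { server = s; policy = p; }
    // Check first, bind second: a denied caller never obtains a listening socket at all.
    public static GuardedServerSocket listen(int port, Policy p) throws IOException {
        if (!p.mayListen(port)) throw new SecurityException("listen on port " + port + " denied");
        return new GuardedServerSocket(new ServerSocket(port, 50, InetAddress.getLoopbackAddress()), p);
    }
    // The peer is only known after accept(), so the check must follow it; the Socket is a plain
    // java.net.Socket created by the JDK here, so its close() is not something the caller supplied.
    public Socket accept() throws IOException {
        Socket s = server.accept();
        String host = s.getInetAddress().getHostAddress();
        int port = s.getPort();
        if (!policy.mayAccept(host, port)) {
            s.close();                               // closed before the exception is thrown
            throw new SecurityException("connection from " + host + ":" + port + " rejected");
        }
        return s;
    }
    public static void main(String[] args) throws Exception {
        Policy listenOnly = new Policy() {           // constructed policy: may bind, may not accept
            public boolean mayListen(int port) { return true; }
            public boolean mayAccept(String host, int port) { return false; }
        };
        GuardedServerSocket g = listen(0, listenOnly);
        Thread client = new Thread(() -> {
            try (Socket c = new Socket(InetAddress.getLoopbackAddress(), g.server.getLocalPort())) {
                System.out.println("client: server closed the connection? " + (c.getInputStream().read() == -1));
            } catch (IOException e) { System.out.println("client: " + e.getMessage()); }
        });
        client.start();
        try { g.accept(); System.out.println("BUG: rejected connection handed to caller"); }
        catch (SecurityException e) { System.out.println("server: " + e.getMessage()); }
        client.join();
    }
}
```

The self-test connects to the guard over loopback and shows that a caller who swallows the SecurityException is left with nothing usable, because the connection was already closed by the guard.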

- Vulnerability information

Multiple Vendor JVM ServerSocket Object Privilege Escalation
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2000-08-05 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete