J-Security Center

Title: Multiple Vendor Java Virtual Machine Listening Socket Vulnerability

Severity: MODERATE

Description:

A set of flaws in multiple vendors' Java implementations allows a malicious applet to open a listening socket and accept network connections in violation of the security policy.

Java applications use the java.net.ServerSocket class to create a listening network socket on which to accept network connections. The server socket class should use the SecurityManager.checkListen() method to determine whether a class is allowed to create a server-side listening socket, and a SecurityException should be thrown if the class is not allowed to create such a socket. By default, untrusted classes such as applets should not be allowed to create such sockets. The affected Java implementations fail to throw a SecurityException when an applet creates a ServerSocket.

After a ServerSocket object has been created, an application accepts network connections by calling the ServerSocket.accept() method, or by subclassing ServerSocket and using its ServerSocket.implAccept() method to implement its own accept method. The ServerSocket.accept() method normally calls the SecurityManager.checkAccept() method to determine whether a class may accept a server connection.

Both the ServerSocket.accept() and the ServerSocket.implAccept() methods accept the network connection before determining whether the class may accept it; this is done so that the remote address and remote port number of the connection are available for the check. If the connection should not be accepted, these methods shut it down by calling the socket's Socket.close() method and then throw a SecurityException.

Because the ServerSocket.implAccept() method takes as an argument the Socket object to use for the connection, a malicious class can pass it an instance of a Socket subclass that overrides its close() method so that the socket is not closed. By then ignoring the SecurityException, the malicious class can accept the connection and make use of the socket.

Sun's implementation of the ServerSocket.implAccept() method appears to have closed the second flaw by calling the Socket.impl.close() method instead of the overridable Socket.close() method.

By combining these two flaws, a malicious applet can accept connections from any host.
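As an added illustration, not code from the advisory or from any vendor's JVM, the harness below installs a constructed SecurityManager that stands in for the applet sandbox and checks the two enforcement points described above against the running JVM: that ServerSocket creation fails with a SecurityException when checkListen() denies it, and that a connection refused by checkAccept() is actually torn down rather than left usable by the caller. The class and method names (ListenPolicyCheck, SandboxManager, listenIsBlocked, deniedAcceptIsClosed) and the loopback client are assumptions of this example. The SecurityManager API is deprecated in current JDKs: on JDK 18 through 23 the harness must be started with -Djava.security.manager=allow, and on JDK 24 and later, where the SecurityManager has been removed, it cannot run at all.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.security.Permission;

/*
 * Added example, not from the advisory or any vendor JVM. Exercises the two
 * SecurityManager checks the advisory describes (checkListen on ServerSocket
 * creation, checkAccept on accept) against the running JVM.
 * JDK 18-23: run with -Djava.security.manager=allow. JDK 24+: cannot run.
 */
public class ListenPolicyCheck {

    /* Constructed sandbox policy standing in for an applet context:
     * listen is allowed or denied per the flag, accept is always denied. */
    static class SandboxManager extends SecurityManager {
        private final boolean allowListen;

        SandboxManager(boolean allowListen) { this.allowListen = allowListen; }

        @Override
        public void checkListen(int port) {
            if (!allowListen) {
                throw new SecurityException("sandbox: listen on port " + port + " denied");
            }
        }

        @Override
        public void checkAccept(String host, int port) {
            throw new SecurityException("sandbox: accept from " + host + ":" + port + " denied");
        }

        /* Everything else (thread creation, loopback connect, resetting the
         * manager) is permitted so the harness itself can run. */
        @Override public void checkPermission(Permission perm) { }
        @Override public void checkPermission(Permission perm, Object context) { }
    }

    /* Check 1: with listen denied, creating a ServerSocket must throw
     * SecurityException. Returns true when the JVM enforces checkListen(). */
    static boolean listenIsBlocked() throws IOException {
        System.setSecurityManager(new SandboxManager(false));
        try (ServerSocket ss = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            return false;                       // sandboxed code was allowed to listen
        } catch (SecurityException expected) {
            return true;
        } finally {
            System.setSecurityManager(null);
        }
    }

    /* Check 2: with listen allowed but accept denied, accept() must throw
     * SecurityException and the connection already taken from the kernel must
     * be closed. The loopback client observes EOF when the server side closes. */
    static boolean deniedAcceptIsClosed() throws Exception {
        System.setSecurityManager(new SandboxManager(true));
        try (ServerSocket ss = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            final int port = ss.getLocalPort();
            final boolean[] peerSawClose = new boolean[1];

            Thread client = new Thread(() -> {
                try (Socket s = new Socket(InetAddress.getLoopbackAddress(), port);
                     InputStream in = s.getInputStream()) {
                    s.setSoTimeout(3000);
                    peerSawClose[0] = (in.read() == -1);   // -1: server side closed
                } catch (SocketTimeoutException e) {
                    peerSawClose[0] = false;               // still open after the denial
                } catch (IOException e) {
                    peerSawClose[0] = true;                // a reset also means torn down
                }
            });
            client.start();

            boolean denied;
            try {
                Socket leaked = ss.accept();                // must not succeed under this policy
                leaked.close();
                denied = false;
            } catch (SecurityException expected) {
                denied = true;
            }
            client.join(5000);
            return denied && peerSawClose[0];
        } finally {
            System.setSecurityManager(null);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("checkListen enforced on ServerSocket creation: " + listenIsBlocked());
        System.out.println("denied accept() tears the connection down:     " + deniedAcceptIsClosed());
    }
}
```

Both checks print true on a JVM that enforces the policy the advisory expects. A false from the first check corresponds to the listen flaw; a false from the second means accept() returned, or the denied connection stayed open, which is the condition the close() override in the advisory relies on.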

Both the Netscape and Microsoft Java Virtual Machines are affected by this vulnerability. However, in Microsoft products the file: URL type is not effective for reading files, meaning that only web-accessible documents can be retrieved via this method; the file: method will still verify the existence of a file, and if the file does not exist it returns a SecurityException error message. Netscape browsers will pass both web documents and local files to the attacker.

Affected Products:

  • Microsoft Internet Explorer 4.0.0
  • Microsoft Internet Explorer 4.0.0 for Windows 95
  • Microsoft Internet Explorer 4.0.0 for Windows NT 3.51
  • Microsoft Internet Explorer 4.0.0 for Windows NT 4.0
  • Microsoft Internet Explorer 5.0 for Windows 2000
  • Microsoft Internet Explorer 5.0 for Windows 95
  • Microsoft Internet Explorer 5.0 for Windows 98
  • Microsoft Internet Explorer 5.0 for Windows NT 4.0
  • Microsoft Internet Explorer 5.0.1
  • Microsoft Virtual Machine 2000 Series 0.0.0
  • Microsoft Virtual Machine 3100 Series 0.0.0
  • Microsoft Virtual Machine 3200 Series 0.0.0
  • Microsoft Virtual Machine 3300 Series 0.0.0
  • Netscape Communicator 0.0.04.06
  • Netscape Communicator 0.0.04.07
  • Netscape Communicator 0.0.04.08
  • Netscape Communicator 4.0.0
  • Netscape Communicator 4.4.0
  • Netscape Communicator 4.5.0
  • Netscape Communicator 4.51.0
  • Netscape Communicator 4.6.0
  • Netscape Communicator 4.61.0
  • Netscape Communicator 4.7.0
  • Netscape Communicator 4.72.0
  • Netscape Communicator 4.73.0
  • Netscape Communicator 4.74.0
  • Sun JDK (Solaris Production Release) 1.1.6
  • Sun JDK (Solaris Production Release) 1.1.7 B
  • Sun JDK (Solaris Production Release) 1.1.8
  • Sun JDK (Solaris Production Release) 1.1.8 _009
  • Sun JDK (Solaris Production Release) 1.1.8 _10
  • Sun JDK (Solaris Production Release) 1.1.8 _11
  • Sun JDK (Solaris Reference Release) 1.1.6 _007
  • Sun JDK (Solaris Reference Release) 1.1.7 B_005
  • Sun JDK (Windows Production Release) 1.1.6 _007
  • Sun JDK (Windows Production Release) 1.1.7 B_005
  • Sun JDK (Windows Production Release) 1.1.8 _002
  • Sun JRE (Solaris Production Release) 1.1.6
  • Sun JRE (Solaris Production Release) 1.1.7 B
  • Sun JRE (Solaris Production Release) 1.1.8
  • Sun JRE (Solaris Production Release) 1.1.8 _009
  • Sun JRE (Solaris Production Release) 1.1.8 _10
  • Sun JRE (Windows Production Release) 1.1.8
  • Sun Solaris 2.6
  • Sun Solaris 2.6_x86
  • Sun Solaris 7.0
  • Sun Solaris 7.0_x86
  • Sun Solaris 8
  • Sun Solaris 8_x86

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.