Software Engineering Institute

Failures in the netscape.net package permit a Java applet to read files from the local file system by opening a connection to a URL using the "file" protocol. For example, by opening a connection to "file:///C:/somefile.txt" an intruder can read the contents of that file.

Additionally, it is possible to use this technique to open connections to resources using other types of protocols; that is, it is possible to open a connection to "http," "https," "ftp," and other types of URLs using this vulnerability.

By then using ordinary techniques, a malicious Java applet that exploits this vulnerability could subsequently send the contents of the file (or other resource) to the web server from which the applet originated.

An exploit using this technique causes the victim to establish a connection to the malicious web server (as opposed to the intruder establishing a connection to the victim). Thus typical firewall configurations fail to stop an attack of this type.

A tool written by Dan Brumleve dubbed "Brown Orifice" demonstrates this vulnerability. Brown Orifice implements an HTTP server (web server) as a Java applet and listens for connections to the victim's machine. In conjunction with the Netscape vulnerability, Brown Orifice essentially turns a web browser into a web server and allows any machine on the Internet to browse the victim's local file system. Typical firewall configurations stop this type of attack, but as noted above, they do not stop simple variations of this attack.

This vulnerability is the result of an implementation error in the JRE that comes with the Netscape browser, not an architectural problem in the Java security model.

This problem has been widely discussed in various forums on the Internet. More information is available at

http://www.securityfocus.com/bid/1546
http://www.nipc.gov/warnings/assessments/2000/assess00-052.htm
http://xforce.iss.net/alerts/advise58.php
http://www.brumleve.com/BrownOrifice (Note that this site contains a demonstration of the vulnerability, which could expose your files to intruders.)

Intruders who can entice you into running a malicious Java applet can read any file that you can read on your local or network file system. Additionally, the contents of URLs located behind a firewall can be exposed.

Organizations should weigh the risks presented by this vulnerability against their need to run Java applets. At the present time, an effective solution is to disable Java in Netscape. Historically, vulnerabilities of this type have not been widely exploited; however, this is not an indication that they can't be or that targeted attacks are not effective and possible.

For organizations that have a need to run Java applets under their own control (that is, in situations where the HTML page referencing the applet is under their control), an alternate solution is to install a Java Runtime Environment Plugin available from Sun Microsystems. More information and pointers to downloadable software is available at

http://java.sun.com/products/plugin/index.html