SecurityFocus 2000-08-07
The latest in backdoor programs comes in through your web browser.
It might have a lot of practical uses.
Gray hat hacker and Silicon Valley computer consultant Dan Brumleve released the program over the weekend to demonstrate holes he discovered that allow a Java applet to listen on a network port that is accessible to the world, and to access local files.
In concert, the holes permit Brown Orifice -- an applet that launches directly from a web page without a victim even having to click 'okay,' then allows others to surf to a victim's computer and read their files.
Less whimsically, an attacker could use Brown Orifice to covertly read anything on a victim's hard drive. A Navigator user need only visit a malicious web site to be afflicted, and the backdoor would remain open until the user exits Navigator entirely.
"This is a pretty scary bug," says the 22-year-old Brumleve. "I think what I did with it is pretty cool -- it might have a lot of practical uses. The danger here is what other people might do with the same technique in the future."
Sun Microsystems crafted Java, in part, as a way to allow web-specific miniature applications, or 'applets,' that could safely run on a variety of different platforms. A rigid security model theoretically makes Java safe for surfing, because programs are forced to play in a self-contained "sandbox" where they cannot access a user's private files or reach out to the Internet. The holes exploited by Brown Orifice violate that model.
In the fall of 1998, Brumleve uncovered a JavaScript flaw in Netscape Navigator that allowed malicious web programmers to steal users' cookies and track their recent surfing history. Netscape promptly closed the hole.


