SecurityFocus 2000-08-07
The latest in backdoor programs comes in through your web browser.
A new backdoor called "Brown Orifice" turns Netscape Navigator into a covert web server by exploiting devastating security holes in the browser's Java interpreter.
Gray hat hacker and Silicon Valley computer consultant Dan Brumleve released the program over the weekend to demonstrate holes he discovered that allow a Java applet to listen on a network port that is accessible to the world, and to access local files.
In concert, the holes make Brown Orifice possible: an applet that launches directly from a web page without a victim even having to click 'okay,' then allows others to surf to a victim's computer and read their files.
Less whimsically, an attacker could use Brown Orifice to covertly read anything on a victim's hard drive. A Navigator user need only visit a malicious web site to be afflicted, and the backdoor would remain open until the user exits Navigator entirely.
"This is a pretty scary bug," says the 22-year-old Brumleve. "I think what I did with it is pretty cool -- it might have a lot of practical uses. The danger here is what other people might do with the same technique in the future."
Sun Microsystems crafted Java, in part, as a way to allow web-specific miniature applications, or 'applets,' that could safely run on a variety of different platforms. A rigid security model theoretically makes Java safe for surfing, because programs are forced to play in a self-contained "sandbox" where they cannot access a user's private files or reach out to the Internet. The holes exploited by Brown Orifice violate that model.
In the fall of 1998, Brumleve uncovered a JavaScript flaw in Netscape Navigator that allowed malicious web programmers to steal users' cookies and track their recent surfing history. Netscape promptly closed the hole.

