The Java/Firewall vulnerability

The Java sandbox for applets and stateful firewalls interact in a surprising way. As a result, external hosts can initiate TCP connections to supposedly protected network services.

Attack Requirements

This is a passive attack. The attacker must lure the victim to a carefully crafted web page. The victim's web browser must download and execute the embedded Java applet. The victim's computer must offer some vulnerable networking service, and a stateful firewall must prevent access to this service from the Internet.

Impact

An attacker can gain access to potentially vulnerable network services which are located behind firewall and/or NAT devices, so that direct access is impossible.

Severity

This is a passive vulnerability which can only be used as a stepstone for further attacks. As a result, the risk posed by this vulnerability alone is fairly low.

Technical Description

The attack is carried out as follows.

  1. The attacker creates a specifically crafted web site.

  2. She lures the victim to visit this web site.

  3. The victim's browser downloads the applet and begins to run it.

  4. The applet initiates a TCP connection back to the originating web server, on port 21 (used by FTP, RFC 959 <http://www.rfc-editor.org/rfc/rfc959.txt>). This connection is permitted according to the standard Java sandbox model for applets <http://docs.oracle.com/javase/tutorial/deployment/applet/security.html>.

  5. A FTP server on the same machine that hosts the originating web site answers.

  6. The applet continues to pose as an FTP client, logs in and issues an FTP PORT command, which prepares an active FTP connection. The TCP port specified in the command refers to some existing TCP service, such as 445/TCP (SMB over TCP) or 1433/TCP (Microsoft SQL Server, MSDE). This port is chosen by the attacker.

  7. The firewall between the attacker and the victim recognizes this command and prepares to open a second connection for the FTP data transfer.

  8. The applet issues a FTP command which requests the data transfer, for example a LIST command.

  9. The attacker uses her server to initiate a TCP connection to the port indicated in the PORT on the victim host. The firewall passes through the connection, assuming that it is a legitimate FTP data transfer.

This attack exploits the fact that the Java security model for applet assumes that arbitrary TCP connections back to the server pose no risks. However, the presence of stateful firewalls or NAT devices with heuristic FTP protocol modules between the involved hosts invalidates this assumption because TCP connections back to the originating servers do have side effects.

This is not an error in the Java implementation or in the firewall implementation. Both programs implement their respective specifications. Even the specifications themselves are not inherently flawed. Only the combination of these two components creates a vulnerable configuration. This stresses an important point about secure systems: Security does not compose, and classic divide-and-conquer approaches do not necessarily result in complete systems which are secure.

The attack differs from previous attacks using HTTP GET or POST requests to ports such as 21/FTP (see Mikael Olsson, Extending the FTP "ALG" vulnerability to any FTP client <https://listserv.icsalabs.com/pipermail/firewall-wizards/2000-March/008251.html>, March 2000). Such attacks could be detected by the firewall and stopped. In contrast, the Java applet could implement a fully-compliant FTP client, and the firewall cannot tell whether an FTP data transfer was initiated by a rogue Java applet or a legitimate FTP client controlled by the user.

However, this issue has been previously described in Phrack's issue 60 (Linenoise: Java Tears down the Firewall <http://phrack.org/issues.html?issue=60&id=3>, December 2002).

Workarounds

Note that in principle, this vulnerability is not specific to Java or FTP protocol helpers (see below). A more general approach to eradicate this problem is therefore necessary.

Proof of concept

A simple TCP server which emulates FTP and a corresponding Java applet is provided.

For convenience, the TCP port to which access from the web/FTP server is provided can be configured on the client. In a real attack scenario, this port would be chosen by the attacker.

Open questions

Some questions need further examination.

Acknowledgments

Bastian Blank wrote the Java applet which demonstrates this exploitation technology. The applet contains source code copied from the GNU Classpath project.

Revisions


Florian Weimer
Home Blog (DE) Blog (EN) Impressum RSS Feeds