What is the Java applet attack vector

Details

The combination of Java applets with a firewall router can pose a security risk. Java applets are generally considered quite secure because they are executed on the computer in a so-called sandbox. This isolated runtime environment is intended to prevent an applet from accessing local files and from opening network connections to any host other than the one it was loaded from.

A firewall or NAT router (NAT: Network Address Translation) is considered by many to be the ultimate protection against attackers from the Internet. A built-in stateful packet filter inspects data packets arriving from the Internet and checks whether they belong to a connection that a computer in the local network requested. If not, the packets are dropped or rejected. If they do belong to a requested connection, the router rewrites the destination to the internal IP address of the local target computer and lets them pass.

Florian Weimer from Stuttgart discovered that Java applets and firewall routers interact in a surprising way that enables an attack. For it to work, a potential victim must first be persuaded to visit a web page that loads a specially prepared Java applet. A further requirement is that a service with an exploitable security hole is running on the computer to be attacked. Direct attempts to reach this service from the Internet would be blocked by the router.

The loaded Java applet is executed in the browser's runtime environment. The sandbox allows it to open a connection back to the web server it came from, this time on port 21, the port reserved for FTP. In FTP's active mode the client announces on this control channel the address and port on which it will accept the data connection (the PORT command); the applet announces the address of the local PC and the port of a vulnerable service, which therefore becomes the destination of the server's reply. Practically any service with a known vulnerability, such as a buffer overflow, for which no security update has been installed is suitable for this purpose.

An FTP server running on the attacker's Internet host answers this request. From the firewall's point of view the applet is an ordinary FTP client that, for example, asks the server for a directory listing, so the router's FTP helper opens the return path to the announced address and port. The server then sends attack packets to the port the applet named, and the firewall router lets them through because it considers them a legitimate FTP data transfer. If the service behind that port really is vulnerable, the attacker can use this route for known attack scenarios, such as smuggling in malware.
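To make the interplay concrete, here is a small simulation of the exchange described above. It is an added example for this page, not code from the original article or from Florian Weimer's test setup: the addresses, ports and control-channel lines are constructed for illustration, the NAT's FTP helper is modelled only as far as the PORT handling matters, and the `strict` mode is an assumed hardening (data connection only to the client that owns the control channel, and only to an unprivileged port), not something the article's Linux test router did.

```python
"""Simulation of the FTP PORT pinhole that the applet attack abuses.

Added example, not code from the original article or from Weimer's test.
Addresses, ports and control-channel lines are constructed; the 'strict'
checks are an assumed hardening, not the behaviour of the tested router.
"""
import re
from dataclasses import dataclass, field

INSIDE_HOST = "192.168.1.10"    # constructed: victim PC behind the NAT router
ROUTER_PUBLIC = "198.51.100.1"  # constructed: router's Internet-facing address
ATTACK_SERVER = "203.0.113.5"   # constructed: attacker's web server, also running FTP
VULN_PORT = 139                 # constructed: an unpatched service listening on the PC

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port(line: bytes):
    """Parse an RFC 959 PORT command into (ip, port); None if it is not a valid PORT line."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        return None
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def port_command(ip: str, port: int) -> bytes:
    """Build the PORT line an active-mode FTP client (here: the applet) sends."""
    p1, p2 = divmod(port, 256)
    return b"PORT " + ip.replace(".", ",").encode() + f",{p1},{p2}\r\n".encode()


@dataclass
class NatRouter:
    """Stateful NAT with an FTP helper, modelled after the Linux router in the test.

    expectations maps (server_ip, port) -> (inside_ip, inside_port): an inbound
    SYN to the router's public side is accepted and translated only when a PORT
    command on a control channel announced it first.
    """
    strict: bool = False
    expectations: dict = field(default_factory=dict)

    def inspect_control(self, client_ip: str, server_ip: str, line: bytes):
        """Inspect one line the inside client sends on the port-21 control channel.

        Returns the line as forwarded to the server; PORT lines are rewritten to
        the router's public address and register an expectation. Returns None
        when the helper refuses the command.
        """
        parsed = parse_port(line)
        if parsed is None:
            return line                      # not a PORT command: forwarded unchanged
        ip, port = parsed
        if self.strict and (ip != client_ip or port < 1024):
            # Assumed hardening: data connection only to the control channel's own
            # client, and only to an unprivileged port.
            return None
        self.expectations[(server_ip, port)] = (ip, port)
        return port_command(ROUTER_PUBLIC, port)

    def allow_inbound(self, src_ip: str, dst_port: int):
        """Inbound SYN from the Internet: the inside target it is forwarded to,
        or None if the router drops it as unsolicited."""
        return self.expectations.get((src_ip, dst_port))


def applet_session(inside_ip: str, target_port: int):
    """Control-channel lines the applet writes to its origin host on port 21 (constructed)."""
    return [b"USER anonymous\r\n", b"PASS applet@\r\n",
            port_command(inside_ip, target_port), b"LIST\r\n"]


def run_attack(strict: bool = False):
    """Drive the applet's session through the router and report where the server's
    'directory listing' connection lands; None means the router dropped it."""
    router = NatRouter(strict=strict)
    for line in applet_session(INSIDE_HOST, VULN_PORT):
        router.inspect_control(INSIDE_HOST, ATTACK_SERVER, line)
    # The attacker's FTP server now opens the data connection; instead of a
    # listing it carries the exploit for the service behind VULN_PORT.
    return router.allow_inbound(ATTACK_SERVER, VULN_PORT)


if __name__ == "__main__":
    print("without PORT :", NatRouter().allow_inbound(ATTACK_SERVER, VULN_PORT))  # None
    print("plain helper :", run_attack(strict=False))   # ('192.168.1.10', 139)
    print("strict helper:", run_attack(strict=True))    # None
```

The first line of the usage output shows the router doing its job: the same inbound SYN is dropped when nothing announced it. The second shows that one PORT line from the applet is enough to turn that SYN into a forwarded connection to the vulnerable service. The strict variant blocks this particular case only because the target port is privileged; a vulnerable service listening above 1024 would still be reachable, which is why the article's conclusion (install the updates) stands regardless of the router.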

When testing this attack method, a Linux PC was used as the NAT router. Whether commercially available firewall routers would fare better was not examined, nor was the effectiveness of desktop firewalls as protection against such attacks. Florian Weimer emphasizes that there is no error in the implementation of any of the components involved: viewed in isolation, each of them follows its specification. Only their combination opens the attack channel. FTP is not the only way through the firewall, merely the example studied; Internet Relay Chat (IRC) and Internet telephony, which likewise negotiate additional connections on a control channel, are other potential candidates but were not investigated.

For the moment, the lesson is that even those who think their PC is safe behind a firewall router should not skip installing security updates. Switching off Java, on the other hand, is not sufficient: other active web content (ActiveX, Flash) could possibly be used for such an attack as well.

Source: pcwelt.de