Various covert channels exist in browsers which allow applets to establish two way communication with arbitrary third parties on the Internet. A two party attack requires that the Web server the applet resides on participate in the attack. A three party attack can originate from anywhere on the Internet, and might spread if it is hidden in a useful applet that gets used by many Web pages. Three party attacks are more dangerous than two party attacks because they do not need the collusion of the Web server.
The accept()
system call, used to receive a network connection initiated
on another host, is not protected by the usual security checks in HotJava. This
allows an arbitrary host on the Internet to connect to a HotJava browser
as long as the location of the browser is known. For this to be a useful
attack, the applet needs to signal the external agent to connect to a specified
port. Even a low bandwidth covert channel is sufficient to communicate this
information.
If the Web server which served the applet is running an SMTP mail daemon, the applet can connect to it and transmit an email message to any machine on the Internet. Additionally DNS can be used as a two way communication channel to an arbitrary host on the Internet. An applet might reference a fictitious name in the attacker's domain. This transmits the name to the attacker's DNS server, which could interpret the name as a message, and then send a list of arbitrary 32-bit IP numbers as a reply. Repeated DNS calls by the applet establish a channel between the applet and the attacker's DNS server. This channel can also pass through firewalls.[Dean]
Another third-party channel is available with the URL redirect feature. Normally, an applet may instruct the browser to load any page on the Web. An attacker's server could record the URL as a message, then redirect the browser to the original destination.
Copyright © 1996 Virginia Polytechnic Institute & State University
All Rights Reserved
Vijay Sureshkumar
<vijay@csgrad.cs.vt.edu>
Last modified: Sun Oct 20 21:52:09 1996