
More intranet hacks with applets

We've already looked at one of the two big problems posed by anti-DNS-pinning attacks on Java applets: because the rebinding happens in the applet rather than in the browser, an attacker can open a channel from an Internet host to an internal system (this is also true of Flash, of course).

The other problem is that, over the past decade, people have been developing a massive body of Java code to do just about anything. For example, there's:

  • JCIFS for CIFS/SMB if you want to talk to Windows file servers - can attackers use null sessions to gather information on your systems?
  • JDBC if you want to talk to a database (just pick your driver) - all of your developers change the passwords on their local MySQL installation, right?
  • DNSJava if you want to do zone transfers, etc. from a DNS server - no-one bothers preventing zone transfers on internal DNS; should we?
  • JavaMail if you want to talk to a mail server - do you prevent relay from internal hosts?
  • libraries to support CVS, Subversion, and
  • thousands of other things there's not time to mention.

These things are all really useful in the right context, but combine them with the proxy-bypass or LiveConnect anti-DNS-pinning attacks and you can see how much easier things have just got for attackers.
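The common primitive behind every one of those scenarios is an Internet name that suddenly resolves to an intranet address. As an added illustration (not code from the original post), here is a resolver-side filter in the style of a rebinding-blocking DNS proxy: it refuses private answers for any name outside the organisation's own zones and logs answer changes for detection. The internal suffix `corp.example` and the sample resolutions are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the organisation's internal DNS zones (hypothetical).
INTERNAL_SUFFIXES = ("corp.example",)

# Address ranges an Internet name should never legitimately resolve to.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]


def is_private(ip: str) -> bool:
    """True if the address falls in any of the NON_ROUTABLE ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def is_internal_name(name: str) -> bool:
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in INTERNAL_SUFFIXES)


class RebindingFilter:
    """Screens DNS answers before they reach the client resolver cache.

    Rule 1: a name outside the internal zones may never resolve to a
            private address (the primitive every rebinding attack needs).
    Rule 2: record when a name's answer differs from earlier resolutions,
            since short-TTL flips are the rebinding signature worth alerting on.
    """

    def __init__(self):
        self.history = defaultdict(set)   # name -> IPs previously allowed
        self.events = []                  # (name, ip, reason) for logging/SIEM

    def check(self, name: str, answers: list) -> list:
        name = name.rstrip(".").lower()
        allowed = []
        for ip in answers:
            if is_private(ip) and not is_internal_name(name):
                self.events.append((name, ip, "external name -> private address"))
                continue                  # drop the answer entirely
            if self.history[name] and ip not in self.history[name]:
                self.events.append((name, ip, "answer changed from earlier resolution"))
            allowed.append(ip)
            self.history[name].add(ip)
        return allowed


def demo():
    """Constructed sample: the applet's host first resolves to a public address,
    then flips to an intranet database server; a genuine internal name is fine."""
    f = RebindingFilter()
    first = f.check("attacker.example", ["203.0.113.10"])
    second = f.check("attacker.example", ["10.0.0.5"])
    internal = f.check("db.corp.example", ["10.0.0.5"])
    return first, second, internal, f.events
```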
