Subject: Re: Exploiting any network protocol with secondary data channels opened from the server
From: Mikael Olsson (mikael.olsson@ENTERNET.SE)
Date: Wed Apr 05 2000 - 03:53:35 CDT


Ralf-Philipp Weinmann wrote:
>
> On Sun, 19 Mar 2000, Mikael Olsson wrote:
>
> > If you're allowed to issue "bind(socket,sockaddr);" equivalent requests
> > in Java, you can loop requests from local ports 0 to 65535 and see
> > which ones you are NOT allowed to bind.
>
> java.net.ServerSocket(portnumber) can be used for bind()ing a port.
> [snip]
> I just tested it and it works (Netscape 4.0x under linux).

I finally got hold of a java compiler and compiled your sources. Tested
under MSIE 4 and 5 (Java VM v4.7x and v5.00 respectively) but they refused
any ServerSocket() operation - throws SecurityException as soon as
I try to create the socket.

Netscape 4.6 and 4.7 under WinNT happily allow creation of the ServerSockets
as long as they are 1024 or higher, but they never fail (i.e. it looks
like there are no open ports). I don't know why yet. Either it simply does
not bind the port, or maybe it hijacks bindings previous apps have done,
that is, setsockopt(SO_REUSEADDR) equivalent.
If it's the latter, it's somewhat bad but in a different way :-)

Did you actually find any open ports in your testing under linux?

/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50           Fax: +46 (0)660 122 50
Mobile: +46 (0)70 66 77 636
WWW: http://www.enternet.se        E-mail: mikael.olsson@enternet.se
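The question raised in the mail is whether a runtime that lets you create a ServerSocket on a port another process already holds is silently setting SO_REUSEADDR. The following is an added example, not code from the thread or from either poster, that checks exactly that property on the current JVM and platform: it binds an ephemeral loopback port, then attempts a second bind on the same port, once with address reuse off and once with it on. It assumes the Java 1.4+ API (the unbound `ServerSocket()` constructor, `bind(SocketAddress)` and `setReuseAddress`), which did not exist in the applet VMs discussed above; the class and method names are my own.

```java
import java.io.IOException;
import java.net.BindException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;

// Added example (hypothetical class name). Checks whether a second bind on a
// port this process already holds is refused, i.e. whether a bind() failure
// is a trustworthy "port in use" signal on this JVM and OS.
public class BindProbeCheck {

    // Returns true if the second bind throws BindException (port genuinely
    // protected), false if the second bind succeeds (reuse semantics let a
    // new socket sit on top of an existing listener, so a probe would
    // misreport the port as free).
    static boolean secondBindIsRefused(boolean reuseAddress) throws IOException {
        InetAddress loopback = InetAddress.getByName("127.0.0.1");
        try (ServerSocket first = new ServerSocket()) {
            first.setReuseAddress(reuseAddress);
            // Port 0 asks the OS for any free ephemeral port.
            first.bind(new InetSocketAddress(loopback, 0));
            int port = first.getLocalPort();

            try (ServerSocket second = new ServerSocket()) {
                second.setReuseAddress(reuseAddress);
                second.bind(new InetSocketAddress(loopback, port));
                return false;
            } catch (BindException e) {
                return true;
            }
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("reuseAddress=false: second bind refused? "
                + secondBindIsRefused(false));
        System.out.println("reuseAddress=true : second bind refused? "
                + secondBindIsRefused(true));
    }
}
```

The result is platform dependent, which is the point: with reuse enabled on both sockets, Linux still refuses a second bind while a listener is active, whereas Windows permits it, matching the "never fail" behaviour reported for Netscape on WinNT. If the reuse-enabled case returns false on your platform, a bind-based port inventory from that runtime cannot be trusted, and a listener that does not need SO_REUSEADDR should leave it off so another socket cannot be placed on its port.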