
Security inside Netscape

I figured a way to change the security policy inside Netscape 3.0. This has been done before (for other versions), but I couldn't find anything recent.

This document describes only how to change the network access policy. More specifically, the only change it makes is to switch the network policy from NETWORK_HOST to NETWORK_UNRESTRICTED.

There are several security issues in doing this, especially if you are behind a firewall. However, it is here that the fix is most useful. Are you sick of applets not working behind your corporate firewall? This could be the fix for you.

Consequences: The bottom line is that an applet outside the firewall has access to machines inside the firewall. It could try to log into machines, it could use finger to find out usernames and guess passwords, and it could send this information back outside the firewall. It could know how to communicate with data servers inside the firewall and manipulate them, and do all kinds of nasty things. So you had better trust the applets that you are going to run.

The good side: all those applets on the outside that you have been trying to run now do! However, you could just use the IP address for the web page in most cases. If you don't know the IP address of a machine on the outside, you can use my nslookup program to find it out. This of course is *MUCH* safer.

How It is done!

First break out the files from the java_30 file. This is done with unzip. (unzip -d java_30). Then we look in netscape/applet for AppletSecurity.class.

If you look at the byte codes, you see that byte 44 of Method void reset() is where the variable networkMode is set to 2 (NETWORK_HOST). If we change this to 3 (NETWORK_UNRESTRICTED), then we should be set! The byte code iconst_2 is 0x04, so if we change it to iconst_3 (0x05) all is well. Looking at the octal dump of the original class file, we see these bytes are found on line 0010720:

0010720  04b5 0064 b12a 05b5 0064 b100 0000 0200
So we change this first 04 to 05, and we would then have iconst_3!

The program a.c does exactly this. Then we zip the whole thing back up again ... (without compression).
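Because the change is a single byte inside one entry of the archive, it is easy to detect by comparing an installed archive against a known-good copy. The following check is an added example, not part of the original page or of a.c; the sample class data is constructed (zero padding followed by the dump line above, assumed to be printed in file byte order), and the function names are hypothetical.

```python
import hashlib
import io
import zipfile

ENTRY = "netscape/applet/AppletSecurity.class"  # path named on the page
# Constructed sample: zero padding up to octal offset 0010720, then the 16
# bytes of the page's dump line (assumed to be printed in file byte order).
DUMP_LINE = bytes.fromhex("04b50064b12a05b50064b10000000200")
BASELINE_CLASS = bytes(0o10720) + DUMP_LINE


def make_archive(entries):
    """Build an in-memory, uncompressed (stored) ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def audit_archive(baseline_zip, candidate_zip):
    """Return findings for every entry that differs from the baseline."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(baseline_zip)) as base, \
         zipfile.ZipFile(io.BytesIO(candidate_zip)) as cand:
        cand_names = set(cand.namelist())
        for name in base.namelist():
            if name not in cand_names:
                findings.append({"entry": name, "status": "missing"})
                continue
            good, seen = base.read(name), cand.read(name)
            if hashlib.sha256(good).digest() == hashlib.sha256(seen).digest():
                continue
            # Byte-level diff: offsets in octal (as od prints them) and values.
            diffs = [(oct(i), a, b) for i, (a, b) in enumerate(zip(good, seen)) if a != b]
            findings.append({"entry": name, "status": "modified",
                             "size_changed": len(good) != len(seen),
                             "diffs": diffs[:16]})
        for name in sorted(cand_names - set(base.namelist())):
            findings.append({"entry": name, "status": "unexpected"})
    return findings


def tampered_sample():
    """Constructed 'after' copy: first byte of the dump line is 05, not 04."""
    patched = bytearray(BASELINE_CLASS)
    patched[0o10720] = 0x05
    return make_archive({ENTRY: bytes(patched)})
```

A same-size entry with a one-byte difference in AppletSecurity.class is the signature of the change described above; an administrator would run the audit with a vendor-supplied archive as the baseline.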

Testing It

Well, telnet is a good way. Try this applet without the fix, then try it with the fix: telnet to a machine that you know of. Note: I didn't check that you can trust this applet; for all I know, it could be stealing your password and sending it back to the author. In some cases you are not allowed to telnet to a machine outside the firewall, so choose something that you know you can connect to.

Files

  • Java is a registered trademark of Sun Microsystems, Inc.


    Cameron Gregory - cameron@bloke.com