Important to know: Attacking the Tor Control Port with Java
Oct 23rd, 2007 by anonymous
On 3 October 2007, Sun announced several critical security updates for
the Java Runtime Environment. In particular, describes how network access restrictions can be circumvented to connect to arbitrary hosts by utilizing DNS rebinding. The paper at Stanford University’s Protecting Browsers from DNS Rebinding Attacks page summarizes some of the current research into the issues of DNS rebinding.
Java exposes a programmatic sockets interface, and a malicious applet can construct properly formed control port commands. If the control port is enabled with NULL authentication and is accessible to the web browser, the malicious applet can authenticate and send arbitrary commands.
To summarize, Tor users with the following conditions may be at risk:
- vulnerable version of Java enabled in web browser
- control port enabled with NULL authentication and accessible
Use of proxy switching browser add-ons (e.g., Torbutton, FoxyProxy)
may increase this risk if the Java Virtual Machine can perform
arbitrary DNS resolution through the native operating system resolver.
Possible workarounds:
- disable Tor control port
- if control port is required, use ‘HashedControlPassword’ option
- disable Java in the web browser and/or uninstall from OS
- if Java is required, consider a virtual machine solution such as JanusVM or a firewalled environment that only allows DNS requests through the web browser
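
A quick way to check a Tor configuration for the control port condition listed above, as an added example that is not part of the original post or of Tor itself. It assumes the configuration is available as torrc text; `CookieAuthentication` is a second Tor authentication option not mentioned in the post, and the sample configurations and placeholder hash are constructed.

```python
# Added example: classify a torrc by the control-port condition described above.
# The sample configurations below are constructed for illustration.

def audit_torrc(text):
    """Return "disabled", "authenticated" or "null-auth" for torrc text."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and padding
        if not line:
            continue
        fields = line.split(None, 1)
        value = fields[1].strip() if len(fields) > 1 else ""
        # Option names are matched case-insensitively here.
        opts.setdefault(fields[0].lower(), []).append(value)

    # No ControlPort line, or "ControlPort 0", means the port is off.
    ports = [v for v in opts.get("controlport", []) if v and v.split()[0] != "0"]
    if not ports:
        return "disabled"

    has_password = any(opts.get("hashedcontrolpassword", []))
    # Assumption: the last CookieAuthentication line is the effective one.
    has_cookie = opts.get("cookieauthentication", ["0"])[-1] == "1"

    # A loopback-only listener is not counted as a mitigation: the applet
    # runs inside the local browser, so it can still reach 127.0.0.1.
    return "authenticated" if (has_password or has_cookie) else "null-auth"


# Constructed sample configurations (the hash value is a placeholder).
SAMPLES = {
    "at risk": "ControlPort 9051\n",
    "loopback only, still at risk": "ControlPort 127.0.0.1:9051\n",
    "password set": "ControlPort 9051\nHashedControlPassword 16:PLACEHOLDER_HASH\n",
    "port disabled": "# ControlPort 9051\nControlPort 0\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {audit_torrc(text)}")
```

A result of `null-auth` corresponds to the second at-risk condition; either of the first two workarounds changes it to `disabled` or `authenticated`.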
The latest Java downloads are available at http://java.com/ or http://pseudo-flaw.net/tor/attacking-tor-control-port-with-java/.








