Java Proxy Server Crack Can Let in Superuser Attackers

By Lisa Vaas  |  Posted 2007-05-29 Print this article Print

iDefense says that an attacker doesn't need authentication to trigger the buffer overflows—only the ability to open a session with the SOCKS server.

Sun Microsystems says two buffer overflows in the SOCKS module of its Sun Java System Web Proxy Server 4.0 can give a remote attacker the privileges of a superuser. The server acts as a network traffic manager, collecting network data, figuring out where it should go and distributing it accordingly, thus cutting down on the number of requests going out to remote content servers. The server also acts as a secure gateway for content distribution. The proxy services it runs include HTTP and SOCKSv5. iDefense Labs—which Sun is crediting for alerting the company to the buffer overflows—said that remote exploitation of multiple stack-based buffer overflows in the server allows unauthenticated attackers to execute arbitrary code with superuser privileges.
Click here to read more about Symantec cracking down on piracy.
iDefense says that the problem is with the "sockd" daemon, which implements SOCKS proxy support for the Web Proxy server. The security company says that attackers can trigger a buffer overflow by manipulating certain bytes during protocol negotiation. A successful exploit will give an attacker the ability to hijack the system with the privileges of a user running "sockd." Sun says that the SOCKS server normally runs with root privileges. iDefense says that an attacker doesnt need authentication to trigger the buffer overflows—only the ability to open a session with the SOCKS server. Sun pointed out that one of the vulnerabilities—its BugID 6537736—does in fact require authentication, but the default configuration on the SOCKS server is that no authentication is required for access. "The server runs under a watchdog process which will restart the server in cases when it will fail. This allows attackers to repeatedly attempt to exploit the issue," iDefense said. Sun says that Sun Java System Web Proxy Server 4.0.4 or earlier versions are susceptible to the vulnerability. The company has released an update to address the problem in all affected platforms: SPARC, x86, Linux, Windows, HP-UX and AIX. Patches are available here. Sun says that a successful exploit wont demonstrate any predictable symptoms. A workaround is to disable the SOCKS proxy server and to use firewalls to limit access to the affected service by untrusted users. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel