Security vulnerability in cacao-oj6-plugin
Mikko Vestola
mvestola at cc.hut.fi
Thu May 7 18:40:03 BST 2009
Hi.
During our course "T-110.5230 Special course in Practical Security of
Information Systems" (https://noppa.tkk.fi/noppa/kurssi/t-110.5230/) at
Helsinki University of Technology, our student group found a possible
security vulnerability in the cacao-oj6-plugin.
The problem is that the security manager of the cacao-oj6-plugin seems
not to block network traffic that should be blocked. What we did was
load our custom-made Java applet containing malicious code in the
browser, and we were able to send UPnP messages with our Java applet.
We used Firefox 3 (using the cacao-oj6-plugin) to load the applet. The
system in use was Ubuntu 8.10.
Other Java plugins (e.g. the Java plugin from Sun) do not allow sending
UPnP messages but block them and raise a security exception. However,
the cacao-oj6-plugin does not raise any security exceptions but happily
sends all UPnP messages and does not warn the user in any way. Allowing
UPnP messages to be sent is a great security risk, since a malicious user
can change e.g. the router's DNS server address remotely using a Java
applet.
So we think that the developers of the plugin should check the plugin's
security manager code and fix the problem, and also see if there are
other security problems with it (if it allowed us to send UPnP messages,
does it allow something else that it shouldn't?).
For more detailed information about the vulnerability we found,
please see the zip file at:
http://users.tkk.fi/~mvestola/cacao/cacao_plugin_vulnerability.zip
Inside the zip file are our vulnerability reports
(vulnerability_reports.pdf). The 3rd vulnerability, "ZyXEL P660H-61 UPnP
vulnerabilities", is the one you are interested in. The zip file also
contains the Java applet we used to send the UPnP messages (e.g.
open the file upnp/upnp_setdnsserver.html to load the applet), so you can
(at your own risk) try to repeat the vulnerability we found.
---
Mikko Vestola
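Added example (editor's note, not part of the original message and not code from the cacao-oj6-plugin or from the reporter's applet): a stand-alone Java program that models the network rule an applet sandbox's SecurityManager is expected to enforce, namely that untrusted code may only connect back to the host it was loaded from. It installs a minimal Policy granting only that, then asks the SecurityManager the same questions Socket, DatagramSocket and MulticastSocket ask internally (checkConnect and checkMulticast) for the codebase host, for a LAN router's UPnP control port, and for the SSDP multicast group. The codebase host 203.0.113.10 and the router address 192.168.1.1:1900 are assumed test values; 239.255.255.250 is the standard SSDP multicast group.

```java
import java.net.InetAddress;
import java.net.SocketPermission;
import java.net.UnknownHostException;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Stand-alone model of the sandbox rule an applet security manager must
 * enforce: untrusted code may open connections only to the host its code
 * was loaded from. Anything else (for example UPnP/SSDP traffic to the LAN)
 * has to end in a SecurityException.
 */
public class AppletNetSandboxCheck {

    /** Minimal policy modelling the applet sandbox network rule. */
    static final class CodebaseOnlyPolicy extends Policy {
        private final SocketPermission codebase;

        CodebaseOnlyPolicy(String codebaseHost) {
            // "connect,resolve" to the codebase host is all a sandboxed applet gets
            this.codebase = new SocketPermission(codebaseHost, "connect,resolve");
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            if (permission instanceof SocketPermission) {
                return codebase.implies(permission);
            }
            return false; // deny every non-socket permission as well
        }
    }

    /** true if the security manager blocks a TCP/UDP connect to host:port. */
    static boolean connectIsBlocked(String host, int port) {
        try {
            // Same check the Socket and DatagramSocket constructors perform
            System.getSecurityManager().checkConnect(host, port);
            return false;
        } catch (SecurityException e) {
            return true;
        }
    }

    /** true if the security manager blocks sending to a multicast group. */
    static boolean multicastIsBlocked(String group) throws UnknownHostException {
        try {
            // Same check MulticastSocket performs before joining/sending;
            // the argument is an IP literal, so no DNS lookup happens here
            System.getSecurityManager().checkMulticast(InetAddress.getByName(group));
            return false;
        } catch (SecurityException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed codebase host (IP literal so the permission check needs no DNS)
        Policy.setPolicy(new CodebaseOnlyPolicy("203.0.113.10"));
        System.setSecurityManager(new SecurityManager());

        Map<String, Boolean> results = new LinkedHashMap<>();
        results.put("codebase 203.0.113.10:80 blocked",
                connectIsBlocked("203.0.113.10", 80));
        // Assumed LAN router address; 1900 is the SSDP/UPnP discovery port
        results.put("router 192.168.1.1:1900 blocked",
                connectIsBlocked("192.168.1.1", 1900));
        results.put("SSDP group 239.255.255.250 blocked",
                multicastIsBlocked("239.255.255.250"));

        for (Map.Entry<String, Boolean> entry : results.entrySet()) {
            System.out.println(entry.getKey() + ": " + entry.getValue());
        }
    }
}
```

Under a correctly enforced sandbox the codebase connect is allowed and both the router connect and the SSDP multicast are blocked; a plugin whose security manager answers "not blocked" for the last two is failing in the way the report above describes. Note that a real plugin's policy also depends on the applet's actual codebase, and that SecurityManager is deprecated for removal since Java 17: on Java 18 to 23 the program needs -Djava.security.manager=allow, and on Java 24 and later System.setSecurityManager is no longer supported at all.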
More information about the Ubuntu-motu mailing list