what you don't know can hurt you

n.runs-SA-2007.007.txt

n.runs-SA-2007.007.txt
Posted Apr 19, 2007
Authored by Frank Dick | Site nruns.com

A remote exploitable format string vulnerability has been identified in the in the Sun Java Web Console. According to the Sun Security Coordination Team, Solaris 10 Operating System, Sun Java Web Console 2.2.2, Sun Java Web Console 2.2.3, Sun Java Web Console 2.2.4 and Sun Java Web Console 2.2.5 are affected.

tags | advisory, java, remote, web
systems | solaris
advisories | CVE-2007-1681
MD5 | f683ae2fcf22380124bf98ce1d61b2a3

n.runs-SA-2007.007.txt

Change Mirror Download
n.runs AG
http://www.nruns.com/ security at
nruns.com
n.runs-SA-2007.007
18-Apr-2007

____________________________________________________________________________
___

Vendor: Sun Microsystems, Inc., http://www.sun.com
Affected Products: Solaris 10, Java Web Console 2.2.2 - 2.2.5
Vulnerability: Format string vulnerability

Risk: HIGH
CVE ID: CVE-2007-1681
Sun Alert ID: 102854
SUN bug ID: 6505096


Vendor communication:

2006/12/10 Initial notification of the Sun Security
Coordination
Team.
2006/12/15 Sending reminder.
2006/12/15 Sun provides feedback about the further procedure.
2006/12/23 Sun confirms vulnerability and assigns bug ID.
2007/02/06 Requesting update.
2007/02/07 Sun provides feedback.
Fix for the most recent version ready.
2007/02/14 Sun informs n.runs that the fix for Sun Java Web
Console 2.2.4 has been approved and will soon be
integrated. Fixes were identified for all other
vulnerable versions.
2007/03/05 Requesting update.
2007/03/07 Sun awaits patch generation and the start of
testing cycles.
2007/03/20 Sun informs n.runs that patches will be released for
Solaris 10. Unbundled versions have to be upgraded
to
version 2.2.6.
2007/03/25 Requesting Sun Alert draft.
2007/03/31 Sun sends draft of Sun Alert. Patches have been
completed and the upgrade release is in work.
2007/04/14 Sun sents public disclosure date.


Systems Affected:

According to the Sun Security Coordination Team, Solaris 10 Operating
System,
Sun Java Web Console 2.2.2, Sun Java Web Console 2.2.3, Sun Java Web Console
2.2.4 and Sun Java Web Console 2.2.5 are affected.

The existence of the vulnerability was verified by n.runs on fully-patched
installations of Solaris 10 6/06 on SPARC and x86 Platform running Sun Java
Web Console 2.2.4.


Overview:

A remote exploitable format string vulnerability has been identified in the
in
the Sun Java Web Console [1].


Description:

The Sun Java Web Console is vulnerable to a format string vulnerability.
The root cause of the format string vulnerability lies in the logging of
failed
logins, therefore this vulnerability is exploitable by unauthenticated
remote
users.

The vulnerability exists as the libc syslog function is called in
/usr/lib/libwebconsole_services.so with two (2) instead of at least three
(3)
arguments which enables an attacker to influence the message buffer.


Impact:

The exploitation of this vulnerability may result in unauthorised remote
code
execution or cause a denial of service condition by crashing the Java Web
Console service.


Solution:

Update to Sun Java Web Console 2.2.6 or later.
Patches for Solaris 10 were released by SUN Microsystems to address this
issue,
a workaround designed by Sun Microsystems is available. [2]


Credit:

Vulnerability found by Frank Dick of n.runs AG.
Additional credits to Felix Lindner of Sabre Labs GmbH for supporting the
vulnerability research.


References:

[1] http://docs.sun.com/app/docs/doc/817-1985/6mhm8o5kh?a=view
[2] http://sunsolve.sun.com/search/document.do?assetkey=1-26-102854-1
____________________________________________________________________________
___

Unaltered electronic reproduction of this advisory is permitted. For all
other
reproduction or publication, in printing or otherwise, contact
security@nruns.com for permission.
Use of the advisory constitutes acceptance for use in an "as is" condition.
All warranties are excluded. In no event shall n.runs be liable for any
damages
whatsoever including direct, indirect, incidental, consequential, loss of
business profits or special damages, even if n.runs has been advised of the
possibility of such damages.

Copyright 2007 n.runs AG. All rights reserved. Terms of apply.


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    22 Files
  • 20
    Mar 20th
    14 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    17 Files
  • 23
    Mar 23rd
    1 Files
  • 24
    Mar 24th
    1 Files
  • 25
    Mar 25th
    16 Files
  • 26
    Mar 26th
    21 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close