exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

EEYE-Java.txt

EEYE-Java.txt
Posted Jul 10, 2007
Authored by Daniel Soeder | Site eeye.com

eEye Digital Security has discovered a stack buffer overflow in Java WebStart, a utility installed with Java Runtime Environment for the purpose of managing the download of Java applications. By opening a malicious JNLP file, a user's system may be compromised by arbitrary code within the file, which executes with the privileges of that user. Systems affected are Java Runtime Environment 6 update 1 and below and Java Runtime Environment 5 update 11 and below.

tags | advisory, java, overflow, arbitrary
SHA-256 | 4634c67fe886c62ca9877c8e797c11203f134b24b6f4f56bbd706b71a5db40d7

EEYE-Java.txt

Change Mirror Download
Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability

Release Date:
July 5, 2007

Date Reported:
Jan 19, 2007

Severity:
High (Remote Code Execution)

Vendor:
Sun Microsystems

Systems Affected:
Java Runtime Environment 6 Update 1, and earlier
Java Runtime Environment 5 Update 11, and earlier

Overview:
[Sun is one of the few companies that is still unable to coordinate the
simultaneous release of security patches, this organizational failure
puts customers at undue risk. Sun first released a patch for this
vulnerability on June 28th for Java Runtime Environment 5, as Update 12.
Now over a week later Sun has finally released the rest of the Java 6
updates for affected systems. People have potentially had over a week to
develop exploits for this vulnerability before Sun finally released a
patch for Java 6, which is the current download of Java. eEye strongly
recommends people install this patch as soon as possible. Hopefully in
the future Sun will be able to bring their security and development
process out of the dark ages. -Marc Maiffret]

eEye Digital Security has discovered a stack buffer overflow in Java
WebStart, a utility installed with Java Runtime Environment for the
purpose of managing the download of Java applications. By opening a
malicious JNLP file, a user's system may be compromised by arbitrary
code within the file, which executes with the privileges of that user.

A web-based attack conducted through Internet Explorer may succeed
without the use of ActiveX or scripting, and without any additional user
interaction other than viewing a web page, if the web server indicates a
Content-Type of "application/x-java-jnlp-file" when serving up the
malicious JNLP file. In such a case, a ".jnlp" file extension is not
required.

Technical Details:
javaws.exe is responsible for extracting download instructions from JNLP
files, which are essentially XML. The jnlp element in the JNLP file
contains a codebase attribute. This attribute is later copied (via
sprintf) into a 1K buffer, where is it also prepended with the path to
the user's temp directory. As there is no length validation imposed
prior to sprintf, the stack-based buffer can be overflowed by whatever
is passed into the codebase. The one restriction placed on the input is
that any multi-byte characters are converted into a single '0xFF', so
only characters 0x01 through 0x7F are permissible.

To work around this vulnerability, if you are not actively using Java
WebStart, remove the .jnlp content type association in your registry:
- HKLM:Software\Classes\.jnlp
- HKLM:Software\Classes\JNLPfile
- HKLM:Software\Classes\MIME\Database\Content
Type\application/x-java-jnlp-file

By deleting or mutilating these registry keys, Java WebStart will no
longer be used to open .jnlp files, thereby mitigation this
vulnerability.


Protection:
Retina - Network Security Scanner has been updated to identify this
vulnerability.
Blink - Unified Client Security has proactively protected from this
vulnerability since its discovery.

Vendor Status:
Sun Microsystems has released a patch for this vulnerability.
JRE 5 Update 12 is available at:
http://java.sun.com/javase/downloads/index_jdk5.jsp
JRE 6 Update 2 is available at:
http://java.sun.com/javase/downloads/index.jsp

Credit:
Daniel Soeder

Related Links:
Retina - Network Security Scanner - Free Trial:
http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Home Use:
http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial:
http://www.eeye.com/html/products/blink/download/index.html

Greetings:
Derek for his heap clutter and counting idea. My homies in TX.
Panzarotti. McSlibin keep on rocking. Talis and Reverse - miss you
guys.

Copyright (c) 1998-2007 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the
user's own risk.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close