Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
eEye Digital Security has discovered a stack buffer overflow in Java
WebStart, a utility installed with Java Runtime Environment for the
purpose of managing the download of Java applications. By opening a
malicious JNLP file, a user's system may be compromised by arbitrary code
within the file, which executes with the privileges of that user.
A web-based attack conducted through Internet Explorer may succeed without
the use of ActiveX or scripting, and without any additional user
interaction other than viewing a web page, if the web server indicates a
Content-Type of "application/x-java-jnlp-file" when serving up the
malicious JNLP file. In such a case, a ".jnlp" file extension is not
required.
DETAILS
Vulnerable systems:
* Java Runtime Environment 6 Update 1, and earlier
* Java Runtime Environment 5 Update 11, and earlier
Immune systems:
* Java Runtime Environment 6 Update 2
* Java Runtime Environment 5 Update 12
javaws.exe is responsible for extracting download instructions from JNLP
files, which are essentially XML. The jnlp element in the JNLP file
carries a codebase attribute. This attribute is later copied (via
sprintf) into a 1K stack buffer, where it is also prepended with the path to
the user's temp directory. Since no length validation is performed before
the sprintf, the stack-based buffer can be overflowed by whatever is passed
in the codebase attribute. The one restriction placed on the input is that
any multi-byte character is converted into a single 0xFF byte, so only
characters 0x01 through 0x7F can be supplied verbatim; this limits which
byte values an attacker can place on the stack, but not how many.
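The overflow pattern described above, modelled in C as an added example (this is not Sun's javaws.exe code; the "%s\\%s" format, the C:\Temp prefix and the UTF-8 handling in the 0xFF narrowing are assumptions made here, based only on the advisory's description). It shows the unchecked sprintf into a 1K stack buffer beside a bounded snprintf form that rejects an oversized codebase instead of truncating it, a check for whether a given codebase would overflow, and the multi-byte-to-0xFF narrowing the advisory mentions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The fixed stack buffer the advisory describes ("a 1K buffer"). */
#define PATH_BUF_SIZE 1024

/* Model of the advisory's input restriction: bytes 0x01..0x7F pass through
   unchanged, every multi-byte character collapses to a single 0xFF. UTF-8 is
   assumed for the multi-byte case (an assumption of this example, not stated
   by the advisory). Returns the number of bytes written. */
static size_t narrow_codebase(const char *in, unsigned char *out, size_t out_size)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in;
         *p != '\0' && n + 1 < out_size; p++) {
        if (*p < 0x80)
            out[n++] = *p;              /* plain ASCII: kept as-is */
        else if ((*p & 0xC0) != 0x80)
            out[n++] = 0xFF;            /* UTF-8 lead byte: one 0xFF */
        /* continuation bytes (10xxxxxx) belong to the lead byte: dropped */
    }
    out[n] = '\0';
    return n;
}

/* Byte i of the narrowed form of `in`, or -1 past the end. */
static int narrowed_byte(const char *in, size_t i)
{
    unsigned char buf[256];
    size_t n = narrow_codebase(in, buf, sizeof buf);
    return i < n ? (int)buf[i] : -1;
}

/* Bytes sprintf writes for tmpdir + '\\' + codebase, NUL included. */
static size_t required_bytes(const char *tmpdir, const char *codebase)
{
    return strlen(tmpdir) + 1 + strlen(codebase) + 1;
}

/* True if the unchecked sprintf would write past a PATH_BUF_SIZE buffer. */
static bool would_overflow(const char *tmpdir, const char *codebase)
{
    return required_bytes(tmpdir, codebase) > PATH_BUF_SIZE;
}

/* The vulnerable shape (modelled, not Sun's code): sprintf never checks the
   destination size, so a codebase of roughly 1000 bytes or more runs past
   the end of `path` into saved registers and the return address. Only ever
   call this with a short codebase. */
static void build_cache_path_unsafe(const char *tmpdir, const char *codebase)
{
    char path[PATH_BUF_SIZE];
    sprintf(path, "%s\\%s", tmpdir, codebase);   /* BUG: no length validation */
    (void)path;
}

/* Hardened form: bound the write and refuse truncation rather than silently
   producing a cut-off path. Returns 0 on success, -1 if the value does not fit. */
static int build_cache_path(const char *tmpdir, const char *codebase,
                            char *out, size_t out_size)
{
    int n = snprintf(out, out_size, "%s\\%s", tmpdir, codebase);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Length of the path the hardened builder produces, or -1 if it rejected it. */
static int hardened_path_length(const char *tmpdir, const char *codebase)
{
    char path[PATH_BUF_SIZE];
    if (build_cache_path(tmpdir, codebase, path, sizeof path) != 0)
        return -1;
    return (int)strlen(path);
}

/* Feeds a codebase of `len` 'A' bytes (constructed input, of the kind a
   malicious JNLP file would carry) through the hardened builder. */
static int try_codebase_of_length(size_t len)
{
    char codebase[2048];
    if (len >= sizeof codebase)
        len = sizeof codebase - 1;
    memset(codebase, 'A', len);
    codebase[len] = '\0';
    return hardened_path_length("C:\\Temp", codebase);
}

int main(void)
{
    const char *tmpdir = "C:\\Temp";               /* assumed temp path */
    const char *benign = "http://example.com/app/";
    build_cache_path_unsafe(tmpdir, benign);       /* short input: no overflow */
    printf("benign overflows: %d\n", would_overflow(tmpdir, benign));
    printf("1015-byte codebase -> %d\n", try_codebase_of_length(1015));
    printf("1016-byte codebase -> %d\n", try_codebase_of_length(1016));
    printf("narrowed byte: 0x%02X\n", narrowed_byte("a\xC3\xA4" "b", 1));
    return 0;
}
```

The boundary matters: with a 7-byte temp path the hardened builder accepts a 1015-byte codebase (1023 characters plus the NUL exactly fill the buffer) and rejects 1016, which is the same point at which the sprintf version starts writing past the end of the stack buffer.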
To work around this vulnerability, if you are not actively using Java
WebStart, remove the .jnlp file type and content type associations in your
registry:
- HKLM:Software\Classes\.jnlp
- HKLM:Software\Classes\JNLPfile
- HKLM:Software\Classes\MIME\Database\Content Type\application/x-java-jnlp-file
Deleting or renaming these registry keys stops Java WebStart from being used
to open .jnlp files, and content served with the
application/x-java-jnlp-file MIME type, thereby mitigating this
vulnerability until the vendor patch is applied.
Vendor Status:
Sun Microsystems has released a patch for this vulnerability. Check the
installed version with java -version; JRE 5 Update 12 and JRE 6 Update 2
(or later) contain the fix.
JRE 5 Update 12 is available at:
http://java.sun.com/javase/downloads/index_jdk5.jsp
JRE 6 Update 2 is available at:
http://java.sun.com/javase/downloads/index.jsp
ADDITIONAL INFORMATION
The information has been provided by eEye Advisories
(Advisories@eeye.com).
The original article can be found at:
http://research.eeye.com/html/advisories/published/AD20070705.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.