Tuesday, July 03, 2007

[NT] Sun's Java Web Start Arbitrary File Writing

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Sun's Java Web Start Arbitrary File Writing
------------------------------------------------------------------------


SUMMARY

John Heasman of NGSSoftware has discovered a high risk vulnerability in
Sun Microsystems' Java Web Start, which ships with the JRE and JDK on
Windows platforms.

This vulnerability permits an untrusted Java Web Start application to
overwrite any file that can be accessed under the application user
context. This ultimately enables an untrusted application to break out of
the sandbox by modifying the user's Java security policy. An untrusted
application could be launched via a malicious web page.

DETAILS

Vulnerable Systems:
* Java Web Start in JDK and JRE version 5.0 Update 11 and earlier
* Java Web Start in SDK and JRE version 1.4.2_13 and earlier

The JNLP API defines a set of services that bypass the security sandbox to
enable some common client operations. The BasicService is used to discover
the application's codebase. Then, the PersistenceService caches content on
the local hard drive, keyed to a URL that is relative to the application's
base. The name/value pairs provided by the PersistenceService are similar
to browser cookies. The Java Web Start implementation honors this legacy
by naming the pairs "muffins".

A directory traversal flaw in the PersistenceService allows arbitrary
files to be written.
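
The bug class described above, as an added example (not Sun's code and not part of the advisory): a URL-keyed cache that maps a key to a file must canonicalize the result and confirm it is still inside the cache directory. The class name, the cache location and the sample URLs are assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.net.URI;

// Added illustration of the bug class; not Sun's code. Cache layout and names are assumed.
public class MuffinPathCheck {

    // Naive mapping: appends the key's path to the cache root without validation.
    static File naiveResolve(File cacheRoot, URI key) {
        return new File(cacheRoot, key.getHost() + key.getPath());
    }

    // Hardened mapping: the key must sit under the codebase, and the canonical
    // file must still be inside the cache root after ".." segments are resolved.
    static File safeResolve(File cacheRoot, URI codebase, URI key) throws IOException {
        String path = key.getPath();   // getPath() decodes %2e%2e style escapes
        if (key.getHost() == null || path == null
                || !key.getHost().equalsIgnoreCase(codebase.getHost())
                || !path.startsWith(codebase.getPath())) {
            throw new SecurityException("key is not under the codebase: " + key);
        }
        // Reject Windows separators and drive/stream markers hidden in the path.
        if (path.indexOf('\\') >= 0 || path.indexOf(':') >= 0) {
            throw new SecurityException("illegal character in key path: " + key);
        }
        File root = cacheRoot.getCanonicalFile();
        File target = new File(root, key.getHost() + path).getCanonicalFile();
        if (!target.toPath().startsWith(root.toPath())) {
            throw new SecurityException("key escapes the cache directory: " + key);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File cacheRoot = new File(System.getProperty("java.io.tmpdir"), "muffin-cache"); // assumed location
        URI codebase = URI.create("http://apps.example/app/");                // constructed
        URI good = URI.create("http://apps.example/app/settings");            // constructed
        URI bad = URI.create("http://apps.example/app/../../../outside.txt"); // constructed

        System.out.println("naive: " + naiveResolve(cacheRoot, bad).getCanonicalPath());
        System.out.println("safe:  " + safeResolve(cacheRoot, codebase, good));
        try {
            safeResolve(cacheRoot, codebase, bad);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The prefix test on the raw path is not sufficient on its own: the constructed `bad` key passes it and is only caught by the canonical-path comparison.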

Impact:
A vulnerability in Java Web Start may allow an untrusted application to
grant itself permissions to overwrite any file that is writable by the
user running the application. This includes the user's .java.policy
file; overwriting it would allow the application to invoke applets or
Java Web Start applications that can execute arbitrary code with the
permissions of the user running the untrusted application.
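
Because the impact runs through the user's policy file, a check for unexpectedly broad grants in that file is a useful detection. The following is an added example, not part of the advisory: it scans policy text for `java.security.AllPermission` or `<<ALL FILES>>` grants and reports the scope each applies to. The class name and the sample policy text are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added audit example; not part of the advisory. Sample policy text is constructed.
public class PolicyAudit {
    // Quoted strings are matched first so "//" or "/*" inside a codeBase URL is kept.
    private static final Pattern STRING_OR_COMMENT =
        Pattern.compile("(?s)\"[^\"]*\"|/\\*.*?\\*/|//[^\\n]*");
    // grant <header> { <body> };  with quoted strings allowed to contain braces.
    private static final Pattern GRANT = Pattern.compile(
        "(?i)\\bgrant\\b((?:\"[^\"]*\"|[^{\"])*)\\{((?:\"[^\"]*\"|[^}\"])*)\\}\\s*;");
    private static final Pattern BROAD =
        Pattern.compile("java\\.security\\.AllPermission|<<ALL FILES>>");

    static List<String> findings(String policyText) {
        // Drop comments so a commented-out grant is not reported; keep strings intact.
        String text = STRING_OR_COMMENT.matcher(policyText).replaceAll(
            r -> r.group().startsWith("\"") ? Matcher.quoteReplacement(r.group()) : " ");
        List<String> out = new ArrayList<>();
        Matcher grant = GRANT.matcher(text);
        while (grant.find()) {
            String header = grant.group(1).trim();
            // No signedBy/codeBase/principal means the grant applies to all code.
            String scope = header.isEmpty() ? "ALL CODE" : header;
            Matcher broad = BROAD.matcher(grant.group(2));
            while (broad.find()) {
                out.add(broad.group() + " -> " + scope);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        String sample = String.join("\n",               // constructed sample
            "// grant { permission java.security.AllPermission; };",
            "grant codeBase \"http://apps.example/app/-\" {",
            "    permission java.io.FilePermission \"${user.home}/data/-\", \"read\";",
            "};",
            "grant {",
            "    permission java.security.AllPermission;",
            "};");
        findings(sample).forEach(System.out::println);
    }
}
```

To audit a real system, pass the contents of the `.java.policy` file in the user's home directory to `findings` and review every result whose scope is `ALL CODE` or an unfamiliar codeBase.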

Relief/Workaround:
To work around the described issue, disable Java Web Start applications
from being launched from a web browser as follows:

* Internet Explorer:
1. Right click on the "Start" button and select "Explore"
2. In the "Start Menu" window, select "Tools" => "Folder Options"
3. From the "Folder Options" window, select the "File Types" tab
4. From the "Registered File Types" window, scroll down and locate the
"JNLP - JNLP File"
5. Select the "JNLP - JNLP File" and click the "Delete" button

* Mozilla:
1. Select "Preferences" under the browser's "Edit" menu
2. In the "Preferences" window, select "Helper Applications" located under
the "Navigator" category
3. Under "Files types", scroll down and locate
"application/x-java-jnlp-file"
4. Select "application/x-java-jnlp-file" and click the "Remove" button

Notes:
1. On Windows, applications may also be launched from the desktop icon or
from the "Start" menu if a shortcut was previously created for an
application. Unknown applications should not be launched through the
desktop icon or the Start Menu. Shortcuts can be removed by using the Java
Web Start Application Manager through the "Application/Remove Shortcut"
menu item. For more information, see:
http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/overview.html#jws

2. It is also possible to launch applications through the command line in
Windows. Unknown applications should not be launched through the command
line. Sites may consider renaming the Java Web Start launcher
("javaws.exe" for Windows) to prevent Java Web Start from launching.

The launcher can be found at:

* Windows:
C:\Program Files\java\j2re1.5.0\javaws\javaws.exe

Resolution/Solution:
This issue is addressed in the following releases:

Windows Platform
* Java Web Start in JDK and JRE version 5.0 Update 12 or later
* Java Web Start in SDK and JRE version 1.4.2_14 or later

J2SE 5.0 is available for download at the following link:
http://java.sun.com/j2se/1.5.0/download.jsp

J2SE 1.4.2 is available for download at the following link:
http://java.sun.com/j2se/1.4.2/download.html


ADDITIONAL INFORMATION

The information has been provided by NGSSoftware Insight Security
Research (nisr@ngssoftware.com).
The original article can be found at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102957-1

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.