[NT] Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability

Subject: [NT] Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability
Date: 10 Jul 2007 11:06:36 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
  Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

eEye Digital Security has discovered a stack buffer overflow in Java 
WebStart, a utility installed with Java Runtime Environment for the 
purpose of managing the download of Java applications. By opening a 
malicious JNLP file, a user's system may be compromised by arbitrary code 
within the file, which executes with the privileges of that user.

A web-based attack conducted through Internet Explorer may succeed without 
the use of ActiveX or scripting, and without any additional user 
interaction other than viewing a web page, if the web server indicates a 
Content-Type of "application/x-java-jnlp-file" when serving up the 
malicious JNLP file. In such a case, a ".jnlp" file extension is not 
required.

DETAILS

Vulnerable systems:
 * Java Runtime Environment 6 Update 1, and earlier
 * Java Runtime Environment 5 Update 11, and earlier

Immune systems:
 * Java Runtime Environment 6 Update 2
 * Java Runtime Environment 5 Update 12

javaws.exe is responsible for extracting download instructions from JNLP 
files, which are essentially XML. The jnlp element in the JNLP file 
contains a codebase attribute. This attribute is later copied (via 
sprintf) into a 1K buffer, where it is also prepended with the path to the 
user's temp directory. As there is no length validation imposed prior to 
sprintf, the stack-based buffer can be overflowed by whatever is passed 
into the codebase. The one restriction placed on the input is that any 
multi-byte characters are converted into a single '0xFF', so only 
characters 0x01 through 0x7F are permissible.
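As an added illustration of the defect described above (this is not eEye's or Sun's code; the buffer size follows the advisory, the temp-dir path and function names are constructed), the unchecked sprintf pattern is shown as arithmetic only, next to a bounded replacement that rejects over-long input instead of writing past the buffer:

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 1024   /* the advisory describes a 1K stack buffer */

/* Arithmetic of the bug: an unchecked sprintf("%s%s", tmpdir, codebase)
 * writes strlen(tmpdir) + strlen(codebase) + 1 bytes into PATH_BUF bytes,
 * so the temp-dir prefix already uses part of the budget. Returns 1 if
 * that write would run past the buffer (computed, never performed). */
int unchecked_copy_would_overflow(const char *tmpdir, const char *codebase)
{
    return strlen(tmpdir) + strlen(codebase) + 1 > PATH_BUF;
}

/* Hardened form: snprintf bounds the write and its return value is checked,
 * so a truncated path is never used. Returns 0 on success, -1 if too long. */
int build_cache_path(char *out, size_t outlen,
                     const char *tmpdir, const char *codebase)
{
    int n = snprintf(out, outlen, "%s%s", tmpdir, codebase);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';          /* fail closed */
        return -1;
    }
    return 0;
}

/* Helper for checking results: 1 if the bounded build succeeds and matches. */
int path_matches(const char *tmpdir, const char *codebase, const char *expected)
{
    char buf[PATH_BUF];
    if (build_cache_path(buf, sizeof buf, tmpdir, codebase) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Constructed inputs: a plausible temp dir and a codebase longer than the buffer. */
int demo(void)
{
    const char *tmpdir = "C:\\Users\\alice\\Temp\\";   /* constructed path */
    char longcb[3000];
    char buf[PATH_BUF];
    memset(longcb, 'A', sizeof longcb - 1);
    longcb[sizeof longcb - 1] = '\0';

    int short_ok = build_cache_path(buf, sizeof buf, tmpdir, "http://example.invalid/app/");
    int long_rc  = build_cache_path(buf, sizeof buf, tmpdir, longcb);
    /* The bounded version accepts the short codebase and refuses the long one,
     * which is exactly the case the unchecked sprintf would have overflowed on. */
    return short_ok == 0 && long_rc == -1 && unchecked_copy_would_overflow(tmpdir, longcb);
}
```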

To work around this vulnerability, if you are not actively using Java 
WebStart, remove the .jnlp content type association in your registry:
 - HKLM:Software\Classes\.jnlp
 - HKLM:Software\Classes\JNLPfile
 - HKLM:Software\Classes\MIME\Database\Content Type\application/x-java-jnlp-file

Once these registry keys are deleted or altered, Java WebStart will no 
longer be used to open .jnlp files, which mitigates this vulnerability.

Vendor Status:
Sun Microsystems has released a patch for this vulnerability.
JRE 5 Update 12 is available at:
http://java.sun.com/javase/downloads/index_jdk5.jsp

JRE 6 Update 2 is available at:
http://java.sun.com/javase/downloads/index.jsp


ADDITIONAL INFORMATION

The information has been provided by eEye Advisories (Advisories@eeye.com).
The original article can be found at:
http://research.eeye.com/html/advisories/published/AD20070705.html
