Sun Java Web Console Format String Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1017930|
SecurityTracker URL: http://securitytracker.com/id/1017930
(Links to External Site)
Date: Apr 18 2007
Execution of arbitrary code via network, User access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 2.2.2 - 2.2.5|
A vulnerability was reported in Sun Java Web Console. A remote user can execute arbitrary code on the target system.|
A remote user can send specially crafted login data to trigger a format string flaw when syslog is called and execute arbitrary code on the target system. The code will run with the privileges of the target service.
The vendor was notified on December 15, 2007.
Frank Dick of n.runs AG discovered this vulnerability and Felix Lindner of Sabre Labs GmbH provided additional research.
A remote user can execute arbitrary code on the target system.|
Sun has issued a fixed version (2.2.6), available at:|
The Sun advisory is available at:
Vendor URL: sunsolve.sun.com/search/document.do?assetkey=1-26-102854-1 (Links to External Site)
Input validation error, State error|
|Underlying OS: Linux (Any), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (2000), Windows (2003), Windows (XP)|
Source Message Contents
Subject: n.runs-SA-2007.007 - Sun Solaris 10 - Format string vulnerability|
http://www.nruns.com/ security at
Vendor: Sun Microsystems, Inc., http://www.sun.com
Affected Products: Solaris 10, Java Web Console 2.2.2 - 2.2.5
Vulnerability: Format string vulnerability
CVE ID: CVE-2007-1681
Sun Alert ID: 102854
SUN bug ID: 6505096
2006/12/10 Initial notification of the Sun Security
2006/12/15 Sending reminder.
2006/12/15 Sun provides feedback about the further procedure.
2006/12/23 Sun confirms vulnerability and assigns bug ID.
2007/02/06 Requesting update.
2007/02/07 Sun provides feedback.
Fix for the most recent version ready.
2007/02/14 Sun informs n.runs that the fix for Sun Java Web
Console 2.2.4 has been approved and will soon be
integrated. Fixes were identified for all other
2007/03/05 Requesting update.
2007/03/07 Sun awaits patch generation and the start of
2007/03/20 Sun informs n.runs that patches will be released for
Solaris 10. Unbundled versions have to be upgraded
2007/03/25 Requesting Sun Alert draft.
2007/03/31 Sun sends draft of Sun Alert. Patches have been
completed and the upgrade release is in work.
2007/04/14 Sun sents public disclosure date.
According to the Sun Security Coordination Team, Solaris 10 Operating
Sun Java Web Console 2.2.2, Sun Java Web Console 2.2.3, Sun Java Web Console
2.2.4 and Sun Java Web Console 2.2.5 are affected.
The existence of the vulnerability was verified by n.runs on fully-patched
installations of Solaris 10 6/06 on SPARC and x86 Platform running Sun Java
Web Console 2.2.4.
A remote exploitable format string vulnerability has been identified in the
the Sun Java Web Console .
The Sun Java Web Console is vulnerable to a format string vulnerability.
The root cause of the format string vulnerability lies in the logging of
logins, therefore this vulnerability is exploitable by unauthenticated
The vulnerability exists as the libc syslog function is called in
/usr/lib/libwebconsole_services.so with two (2) instead of at least three
arguments which enables an attacker to influence the message buffer.
The exploitation of this vulnerability may result in unauthorised remote
execution or cause a denial of service condition by crashing the Java Web
Update to Sun Java Web Console 2.2.6 or later.
Patches for Solaris 10 were released by SUN Microsystems to address this
a workaround designed by Sun Microsystems is available. 
Vulnerability found by Frank Dick of n.runs AG.
Additional credits to Felix Lindner of Sabre Labs GmbH for supporting the
Unaltered electronic reproduction of this advisory is permitted. For all
reproduction or publication, in printing or otherwise, contact
email@example.com for permission.
Use of the advisory constitutes acceptance for use in an "as is" condition.
All warranties are excluded. In no event shall n.runs be liable for any
whatsoever including direct, indirect, incidental, consequential, loss of
business profits or special damages, even if n.runs has been advised of the
possibility of such damages.
Copyright 2007 n.runs AG. All rights reserved. Terms of apply.