Java Web Start JNLP Stack Overflow Lets Remote Users
SecurityTracker Alert ID: 1018346
SecurityTracker URL: http://securitytracker.com/id/1018346
Updated: Aug 8 2007
Original Entry Date: Jul 10 2007
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes; Vendor Confirmed: Yes
Version(s): JRE 6 Update 1 and prior versions, 5 Update 11 and prior versions
A vulnerability was reported in Java Web Start. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create a specially crafted JNLP file that, when loaded by the target user, will trigger a stack overflow and execute arbitrary code on the target system. The code will run with the privileges of the target user.
This can be exploited via HTML without user interaction.
The vendor was notified on January 19, 2007.
Daniel Soeder of eEye Digital Security discovered this vulnerability.
Brett Moore of Security-Assessment.com separately discovered this vulnerability.
A remote user can create a file or HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Sun has issued the following fixes.
This issue is addressed in the following releases (for Windows, Solaris, and Linux):
* Java Web Start in JDK and JRE 6 Update 2 or later
* Java Web Start in JDK and JRE 5.0 Update 12 or later
Java SE 6 is available for download at the following links:
Java SE 6 Update 2 for Solaris is available in the following patches:
* Java SE 6: update 2 (as delivered in patch 125136-02 or later)
* Java SE 6: update 2 (as delivered in patch 125137-02 or later (64bit))
* Java SE 6_x86: update 2 (as delivered in patch 125138-02 or later)
* Java SE 6_x86: update 2 (as delivered in patch 125139-02 or later (64bit))
J2SE 5.0 is available for download at the following link:
J2SE 5.0 Update 12 for Solaris is available in the following patches:
* J2SE 5.0: update 12 (as delivered in patch 118666-12 or later)
* J2SE 5.0: update 12 (as delivered in patch 118667-12 or later (64bit))
* J2SE 5.0_x86: update 12 (as delivered in patch 118668-12 or later)
* J2SE 5.0_x86: update 12 (as delivered in patch 118669-12 or later (64bit))
The Sun advisory is available at:
Vendor URL: sunsolve.sun.com/search/document.do?assetkey=1-26-102996-1
Underlying OS: Linux (Any), UNIX (Solaris - SunOS), Windows (Any)
Source Message Contents
Subject: EEYE: Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability
Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability
Release Date: July 5, 2007
Date Reported: Jan 19, 2007
Severity: High (Remote Code Execution)
Systems Affected: Java Runtime Environment 6 Update 1, and earlier
                  Java Runtime Environment 5 Update 11, and earlier
[Sun is one of the few companies that is still unable to coordinate the
simultaneous release of security patches; this organizational failure
puts customers at undue risk. Sun first released a patch for this
vulnerability on June 28th for Java Runtime Environment 5, as Update 12.
Now over a week later Sun has finally released the rest of the Java 6
updates for affected systems. People have potentially had over a week to
develop exploits for this vulnerability before Sun finally released a
patch for Java 6, which is the current download of Java. eEye strongly
recommends people install this patch as soon as possible. Hopefully in
the future Sun will be able to bring their security and development
process out of the dark ages. -Marc Maiffret]
eEye Digital Security has discovered a stack buffer overflow in Java
WebStart, a utility installed with Java Runtime Environment for the
purpose of managing the download of Java applications. By opening a
malicious JNLP file, a user's system may be compromised by arbitrary
code within the file, which executes with the privileges of that user.
A web-based attack conducted through Internet Explorer may succeed
without the use of ActiveX or scripting, and without any additional user
interaction other than viewing a web page, if the web server indicates a
Content-Type of "application/x-java-jnlp-file" when serving up the
malicious JNLP file. In such a case, a ".jnlp" file extension is not
javaws.exe is responsible for extracting download instructions from JNLP
files, which are essentially XML. The jnlp element in the JNLP file
contains a codebase attribute. This attribute is later copied (via
sprintf) into a 1K buffer, where it is also prepended with the path to
the user's temp directory. As there is no length validation imposed
prior to sprintf, the stack-based buffer can be overflowed by whatever
is passed into the codebase. The one restriction placed on the input is
that any multi-byte characters are converted into a single '0xFF', so
only characters 0x01 through 0x7F are permissible.
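The unchecked sprintf described above, rebuilt as a bounded copy with the length check it lacked, plus a small triage helper that reports whether a given codebase value would exceed the buffer. This is an added example, not eEye's or Sun's code; the 1024-byte buffer size, the temp-directory prefix and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Size of the stack buffer the advisory calls "1K"; the exact figure and
 * layout inside javaws.exe are assumptions, not taken from the page. */
#define PATH_BUF_SIZE 1024

/* The advisory says multi-byte characters collapse to 0xFF, so only bytes
 * 0x01..0x7F reach the buffer; a hardened copy rejects anything above 0x7F. */
static bool codebase_chars_ok(const char *codebase)
{
    for (const unsigned char *p = (const unsigned char *)codebase; *p; p++)
        if (*p > 0x7F) return false;
    return true;
}

/* Bounded replacement for the unchecked sprintf(buf, "%s%s", tmpdir, codebase):
 * copies only if tmpdir + codebase + NUL fits in out_size.
 * Returns bytes written (excluding NUL), or -1 when the input is rejected. */
int build_temp_path(char *out, size_t out_size,
                    const char *tmpdir, const char *codebase)
{
    size_t need = strlen(tmpdir) + strlen(codebase) + 1;
    if (!codebase_chars_ok(codebase) || need > out_size) return -1;
    int n = snprintf(out, out_size, "%s%s", tmpdir, codebase);
    return (n < 0 || (size_t)n >= out_size) ? -1 : n; /* -1 only if snprintf truncated */
}

/* Defender-side check: would this codebase value overflow the 1K buffer once
 * the temp-directory prefix is prepended? Useful for triaging JNLP files. */
bool codebase_overflows(const char *tmpdir, const char *codebase)
{
    char buf[PATH_BUF_SIZE];
    return build_temp_path(buf, sizeof buf, tmpdir, codebase) < 0;
}

int main(void)
{
    /* Constructed sample values; the real temp path varies per user. */
    const char *tmp = "C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\";
    char buf[PATH_BUF_SIZE], big[1100];
    int n = build_temp_path(buf, sizeof buf, tmp, "http://example.com/app/");
    printf("short codebase copied: %d bytes -> %s\n", n, buf);
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("oversized codebase rejected: %s\n", codebase_overflows(tmp, big) ? "yes" : "no");
    return 0;
}
```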
To work around this vulnerability, if you are not actively using Java
WebStart, remove the .jnlp content type association in your registry:
By deleting or mutilating these registry keys, Java WebStart will no
longer be used to open .jnlp files, thereby mitigating this
Retina - Network Security Scanner has been updated to identify this
Blink - Unified Client Security has proactively protected from this
vulnerability since its discovery.
Sun Microsystems has released a patch for this vulnerability.
JRE 5 Update 12 is available at:
JRE 6 Update 2 is available at:
Retina - Network Security Scanner - Free Trial:
Blink - Unified Client Security Personal - Free For Home Use:
Blink - Unified Client Security Professional - Free Trial:
Derek for his heap clutter and counting idea. My homies in TX.
Panzarotti. McSlibin keep on rocking. Talis and Reverse - miss you
Copyright (c) 1998-2007 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the
user's own risk.