Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability Release Date: July 5, 2007 Date Reported: Jan 19, 2007 Severity: High (Remote Code Execution) Vendor: Sun Microsystems Systems Affected: Java Runtime Environment 6 Update 1, and earlier Java Runtime Environment 5 Update 11, and earlier Overview: [Sun is one of the few companies that is still unable to coordinate the simultaneous release of security patches, this organizational failure puts customers at undue risk. Sun first released a patch for this vulnerability on June 28th for Java Runtime Environment 5, as Update 12. Now over a week later Sun has finally released the rest of the Java 6 updates for affected systems. People have potentially had over a week to develop exploits for this vulnerability before Sun finally released a patch for Java 6, which is the current download of Java. eEye strongly recommends people install this patch as soon as possible. Hopefully in the future Sun will be able to bring their security and development process out of the dark ages. -Marc Maiffret] eEye Digital Security has discovered a stack buffer overflow in Java WebStart, a utility installed with Java Runtime Environment for the purpose of managing the download of Java applications. By opening a malicious JNLP file, a user's system may be compromised by arbitrary code within the file, which executes with the privileges of that user. A web-based attack conducted through Internet Explorer may succeed without the use of ActiveX or scripting, and without any additional user interaction other than viewing a web page, if the web server indicates a Content-Type of "application/x-java-jnlp-file" when serving up the malicious JNLP file. In such a case, a ".jnlp" file extension is not required. Technical Details: javaws.exe is responsible for extracting download instructions from JNLP files, which are essentially XML. The jnlp element in the JNLP file contains a codebase attribute. This attribute is later copied (via sprintf) into a 1K buffer, where is it also prepended with the path to the user's temp directory. As there is no length validation imposed prior to sprintf, the stack-based buffer can be overflowed by whatever is passed into the codebase. The one restriction placed on the input is that any multi-byte characters are converted into a single '0xFF', so only characters 0x01 through 0x7F are permissible. To work around this vulnerability, if you are not actively using Java WebStart, remove the .jnlp content type association in your registry: - HKLM:SoftwareClasses.jnlp - HKLM:SoftwareClassesJNLPfile - HKLM:SoftwareClassesMIMEDatabaseContent Typeapplication/x-java-jnlp-file By deleting or mutilating these registry keys, Java WebStart will no longer be used to open .jnlp files, thereby mitigation this vulnerability. Protection: Retina - Network Security Scanner has been updated to identify this vulnerability. Blink - Unified Client Security has proactively protected from this vulnerability since its discovery. Vendor Status: Sun Microsystems has released a patch for this vulnerability. JRE 5 Update 12 is available at: http://java.sun.com/javase/downloads/index_jdk5.jsp JRE 6 Update 2 is available at: http://java.sun.com/javase/downloads/index.jsp Credit: Daniel Soeder Related Links: Retina - Network Security Scanner - Free Trial: http://www.eeye.com/html/products/retina/download/index.html Blink - Unified Client Security Personal - Free For Home Use: http://www.eeye.com/html/products/blink/personal/download/index.html Blink - Unified Client Security Professional - Free Trial: http://www.eeye.com/html/products/blink/download/index.html Greetings: Derek for his heap clutter and counting idea. My homies in TX. Panzarotti. McSlibin keep on rocking. Talis and Reverse - miss you guys. Copyright (c) 1998-2007 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert (at) eEye (dot) com [email concealed] for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.