JOAL 2.0-rc11 Multiple Remote Code Execution Vulnerabilities

2013.08.22
Credit: FuzzMyApp
Risk: High
Local: No
Remote: Yes
CVE: CVE-2013-4099
CWE: CWE-noinfo


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

0. Introduction Vendor description: The JOAL Project hosts a reference implementation of the Java bindings for OpenAL API, and is designed to provide hardware-supported 3D specialized audio for games written in Java. 1. Affected software JOAL 2.0-rc11 2. Vulnerability FuzzMyApp team have identified several bugs in OpenAL32.dll, which can lead to code execution. OpenAL32.dll is distributed in signed jar files. It allows to create malicious applet. If user had not used any of JogAmp's libraries before, one needs to accept installation. If user has a Sven Gothel certificate among Java trusted certificates (i.e. used JogAmp before), no interaction is needed. Vulnerable methods: 01. jogamp.openal.ALImpl.dispatch.alAuxiliaryEffectSlotf1(IIFJ)V 02. jogamp.openal.ALImpl.dispatch.alBuffer3f1(IIFFFJ)V 03. jogamp.openal.ALImpl.dispatch.alBufferfv1(IILjava/lang/Object;IZJ)V 04. jogamp.openal.ALImpl.dispatch.alDeleteEffects1(ILjava/lang/Object;IZJ)V 05. jogamp.openal.ALImpl.dispatch.alEffectf1(IIFJ)V 06. jogamp.openal.ALImpl.dispatch.alEffectfv1(IILjava/lang/Object;IZJ)V 07. jogamp.openal.ALImpl.dispatch.alEffectiv1(IILjava/lang/Object;IZJ)V 08. jogamp.openal.ALImpl.dispatch.alEnable1(IJ)V 09. jogamp.openal.ALImpl.dispatch.alFilterfv1(IILjava/lang/Object;IZJ)V 10. jogamp.openal.ALImpl.dispatch.alFilteriv1(IILjava/lang/Object;IZJ)V 11. jogamp.openal.ALImpl.dispatch.alGenAuxiliaryEffectSlots1(ILjava/lang/Object;IZJ)V 12. jogamp.openal.ALImpl.dispatch.alGenEffects1(ILjava/lang/Object;IZJ)V 13. jogamp.openal.ALImpl.dispatch.alGenFilters1(ILjava/lang/Object;IZJ)V 14. jogamp.openal.ALImpl.dispatch.alGenSources1(ILjava/lang/Object;IZJ)V 15. jogamp.openal.ALImpl.dispatch.alGetAuxiliaryEffectSlotiv1(IILjava/lang/Object;IZJ)V 16. jogamp.openal.ALImpl.dispatch.alGetBuffer3f1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V 17. jogamp.openal.ALImpl.dispatch.alGetBuffer3i1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V 18. jogamp.openal.ALImpl.dispatch.alGetBufferf1(IILjava/lang/Object;IZJ)V 19. jogamp.openal.ALImpl.dispatch.alGetBufferiv1(IILjava/lang/Object;IZJ)V 20. jogamp.openal.ALImpl.dispatch.alGetDoublev1(ILjava/lang/Object;IZJ)V 21. jogamp.openal.ALImpl.dispatch.alGetEffectf1(IILjava/lang/Object;IZJ)V 22. jogamp.openal.ALImpl.dispatch.alGetEffectfv1(IILjava/lang/Object;IZJ)V 23. jogamp.openal.ALImpl.dispatch.alGetEffectiv1(IILjava/lang/Object;IZJ)V 24. jogamp.openal.ALImpl.dispatch.alGetEnumValue1(Ljava/lang/String;J)I 25. jogamp.openal.ALImpl.dispatch.alGetFilteri1(IILjava/lang/Object;IZJ)V 26. jogamp.openal.ALImpl.dispatch.alGetFilteriv1(IILjava/lang/Object;IZJ)V 27. jogamp.openal.ALImpl.dispatch.alGetFloat1(IJ)F 28. jogamp.openal.ALImpl.dispatch.alGetFloatv1(ILjava/lang/Object;IZJ)V 29. jogamp.openal.ALImpl.dispatch.alGetListener3f1(ILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V 30. jogamp.openal.ALImpl.dispatch.alGetListener3i1(ILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V 31. jogamp.openal.ALImpl.dispatch.alGetListenerf1(ILjava/lang/Object;IZJ)V 32. jogamp.openal.ALImpl.dispatch.alGetListeneri1(ILjava/lang/Object;IZJ)V 33. jogamp.openal.ALImpl.dispatch.alGetListeneriv1(ILjava/lang/Object;IZJ)V 34. jogamp.openal.ALImpl.dispatch.alGetProcAddress1(Ljava/lang/String;J)J 35. jogamp.openal.ALImpl.dispatch.alGetProcAddressStatic(Ljava/lang/String;J)J 36. jogamp.openal.ALImpl.dispatch.alGetSource3f1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V 37. jogamp.openal.ALImpl.dispatch.alGetSource3i1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V 38. jogamp.openal.ALImpl.dispatch.alGetSourcef1(IILjava/lang/Object;IZJ)V 39. jogamp.openal.ALImpl.dispatch.alGetSourcefv1(IILjava/lang/Object;IZJ)V 40. jogamp.openal.ALImpl.dispatch.alGetSourcei1(IILjava/lang/Object;IZJ)V 41. jogamp.openal.ALImpl.dispatch.alGetSourceiv1(IILjava/lang/Object;IZJ)V 42. jogamp.openal.ALImpl.dispatch.alGetString1(IJ)Ljava/lang/String; 43. jogamp.openal.ALImpl.dispatch.alIsAuxiliaryEffectSlot1(IJ)Z 44. jogamp.openal.ALImpl.dispatch.alIsBuffer1(IJ)Z 45. jogamp.openal.ALImpl.dispatch.alIsEffect1(IJ)Z 46. jogamp.openal.ALImpl.dispatch.alIsExtensionPresent1(Ljava/lang/String;J)Z 47. jogamp.openal.ALImpl.dispatch.alIsFilter1(IJ)Z 48. jogamp.openal.ALImpl.dispatch.alListener3f1(IFFFJ)V 49. jogamp.openal.ALImpl.dispatch.alListener3i1(IIIIJ)V 50. jogamp.openal.ALImpl.dispatch.alListenerf1(IFJ)V 51. jogamp.openal.ALImpl.dispatch.alListenerfv1(ILjava/lang/Object;IZJ)V 52. jogamp.openal.ALImpl.dispatch.alListeneri1(IIJ)V 53. jogamp.openal.ALImpl.dispatch.alListeneriv1(ILjava/lang/Object;IZJ)V 54. jogamp.openal.ALImpl.dispatch.alSource3f1(IIFFFJ)V 55. jogamp.openal.ALImpl.dispatch.alSource3i1(IIIIIJ)V 56. jogamp.openal.ALImpl.dispatch.alSourcef1(IIFJ)V 57. jogamp.openal.ALImpl.dispatch.alSourcefv1(IILjava/lang/Object;IZJ)V 58. jogamp.openal.ALImpl.dispatch.alSourcei1(IIIJ)V 59. jogamp.openal.ALImpl.dispatch.alSourceiv1(IILjava/lang/Object;IZJ)V 60. jogamp.openal.ALImpl.dispatch.alSourcePause1(IJ)V 61. jogamp.openal.ALImpl.dispatch.alSourcePausev1(ILjava/lang/Object;IZJ)V 62. jogamp.openal.ALImpl.dispatch.alSourcePlay1(IJ)V 63. jogamp.openal.ALImpl.dispatch.alSourcePlayv1(ILjava/lang/Object;IZJ)V 64. jogamp.openal.ALImpl.dispatch.alSourceQueueBuffers1(IILjava/lang/Object;IZJ)V 65. jogamp.openal.ALImpl.dispatch.alSourceRewindv1(ILjava/lang/Object;IZJ)V 66. jogamp.openal.ALImpl.dispatch.alSourceStop1(IJ)V 67. jogamp.openal.ALImpl.dispatch.alSourceStopv1(ILjava/lang/Object;IZJ)V 68. jogamp.openal.ALImpl.dispatch.alSourceUnqueueBuffers1(IILjava/lang/Object;IZJ)V 69. jogamp.openal.ALImpl.dispatch.alSpeedOfSound1(FJ)V Malformed methods parameters allow full control of EIP register, which leads to remote code execution. Crash dumps are avaliable here: http://www.fuzzmyapp.com/advisories/FMA-2012-038/FMA-2012-038-EN.xml. 3. Fix JOGAMP released new version (2.0.2-rc12) fixing JOAL issues. All previous signed JAR files have been removed. Signed JAR files restricted to codebase '*.jogamp.org'. Latest JOAL implementation does not depend on buggy OpenAL library. 4. Credit FuzzMyApp Team http://www.fuzzmyapp.com/ 5. References http://www.fuzzmyapp.com/advisories/FMA-2012-038/FMA-2012-038-EN.xml http://forum.jogamp.org/Release-2-0-2-rc12-td4029471.html http://labb.zafena.se/?p=799 - FuzzMyApp

References:

http://www.fuzzmyapp.com/advisories/FMA-2012-038/FMA-2012-038-EN.xml
http://forum.jogamp.org/Release-2-0-2-rc12-td4029471.html
http://labb.zafena.se/?p=799


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top