JOAL 2.0-rc11 Multiple Remote Code Execution Vulnerabilities

2013.08.22
Credit: FuzzMyApp
Risk: High
Local: No
Remote: Yes
CWE: CWE-noinfo


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

0. Introduction

Vendor description: The JOAL Project hosts a reference implementation of the Java bindings for the OpenAL API, and is designed to provide hardware-supported 3D specialized audio for games written in Java.

1. Affected software

JOAL 2.0-rc11

2. Vulnerability

The FuzzMyApp team has identified several bugs in OpenAL32.dll which can lead to code execution. OpenAL32.dll is distributed in signed JAR files, which allows a malicious applet to be created. If the user has not used any of JogAmp's libraries before, they must accept the installation prompt. If the user already has Sven Gothel's certificate among their Java trusted certificates (i.e. has used JogAmp before), no interaction is needed.

Vulnerable methods:

01. jogamp.openal.ALImpl.dispatch.alAuxiliaryEffectSlotf1(IIFJ)V
02. jogamp.openal.ALImpl.dispatch.alBuffer3f1(IIFFFJ)V
03. jogamp.openal.ALImpl.dispatch.alBufferfv1(IILjava/lang/Object;IZJ)V
04. jogamp.openal.ALImpl.dispatch.alDeleteEffects1(ILjava/lang/Object;IZJ)V
05. jogamp.openal.ALImpl.dispatch.alEffectf1(IIFJ)V
06. jogamp.openal.ALImpl.dispatch.alEffectfv1(IILjava/lang/Object;IZJ)V
07. jogamp.openal.ALImpl.dispatch.alEffectiv1(IILjava/lang/Object;IZJ)V
08. jogamp.openal.ALImpl.dispatch.alEnable1(IJ)V
09. jogamp.openal.ALImpl.dispatch.alFilterfv1(IILjava/lang/Object;IZJ)V
10. jogamp.openal.ALImpl.dispatch.alFilteriv1(IILjava/lang/Object;IZJ)V
11. jogamp.openal.ALImpl.dispatch.alGenAuxiliaryEffectSlots1(ILjava/lang/Object;IZJ)V
12. jogamp.openal.ALImpl.dispatch.alGenEffects1(ILjava/lang/Object;IZJ)V
13. jogamp.openal.ALImpl.dispatch.alGenFilters1(ILjava/lang/Object;IZJ)V
14. jogamp.openal.ALImpl.dispatch.alGenSources1(ILjava/lang/Object;IZJ)V
15. jogamp.openal.ALImpl.dispatch.alGetAuxiliaryEffectSlotiv1(IILjava/lang/Object;IZJ)V
16. jogamp.openal.ALImpl.dispatch.alGetBuffer3f1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
17. jogamp.openal.ALImpl.dispatch.alGetBuffer3i1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
18. jogamp.openal.ALImpl.dispatch.alGetBufferf1(IILjava/lang/Object;IZJ)V
19. jogamp.openal.ALImpl.dispatch.alGetBufferiv1(IILjava/lang/Object;IZJ)V
20. jogamp.openal.ALImpl.dispatch.alGetDoublev1(ILjava/lang/Object;IZJ)V
21. jogamp.openal.ALImpl.dispatch.alGetEffectf1(IILjava/lang/Object;IZJ)V
22. jogamp.openal.ALImpl.dispatch.alGetEffectfv1(IILjava/lang/Object;IZJ)V
23. jogamp.openal.ALImpl.dispatch.alGetEffectiv1(IILjava/lang/Object;IZJ)V
24. jogamp.openal.ALImpl.dispatch.alGetEnumValue1(Ljava/lang/String;J)I
25. jogamp.openal.ALImpl.dispatch.alGetFilteri1(IILjava/lang/Object;IZJ)V
26. jogamp.openal.ALImpl.dispatch.alGetFilteriv1(IILjava/lang/Object;IZJ)V
27. jogamp.openal.ALImpl.dispatch.alGetFloat1(IJ)F
28. jogamp.openal.ALImpl.dispatch.alGetFloatv1(ILjava/lang/Object;IZJ)V
29. jogamp.openal.ALImpl.dispatch.alGetListener3f1(ILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
30. jogamp.openal.ALImpl.dispatch.alGetListener3i1(ILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
31. jogamp.openal.ALImpl.dispatch.alGetListenerf1(ILjava/lang/Object;IZJ)V
32. jogamp.openal.ALImpl.dispatch.alGetListeneri1(ILjava/lang/Object;IZJ)V
33. jogamp.openal.ALImpl.dispatch.alGetListeneriv1(ILjava/lang/Object;IZJ)V
34. jogamp.openal.ALImpl.dispatch.alGetProcAddress1(Ljava/lang/String;J)J
35. jogamp.openal.ALImpl.dispatch.alGetProcAddressStatic(Ljava/lang/String;J)J
36. jogamp.openal.ALImpl.dispatch.alGetSource3f1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
37. jogamp.openal.ALImpl.dispatch.alGetSource3i1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
38. jogamp.openal.ALImpl.dispatch.alGetSourcef1(IILjava/lang/Object;IZJ)V
39. jogamp.openal.ALImpl.dispatch.alGetSourcefv1(IILjava/lang/Object;IZJ)V
40. jogamp.openal.ALImpl.dispatch.alGetSourcei1(IILjava/lang/Object;IZJ)V
41. jogamp.openal.ALImpl.dispatch.alGetSourceiv1(IILjava/lang/Object;IZJ)V
42. jogamp.openal.ALImpl.dispatch.alGetString1(IJ)Ljava/lang/String;
43. jogamp.openal.ALImpl.dispatch.alIsAuxiliaryEffectSlot1(IJ)Z
44. jogamp.openal.ALImpl.dispatch.alIsBuffer1(IJ)Z
45. jogamp.openal.ALImpl.dispatch.alIsEffect1(IJ)Z
46. jogamp.openal.ALImpl.dispatch.alIsExtensionPresent1(Ljava/lang/String;J)Z
47. jogamp.openal.ALImpl.dispatch.alIsFilter1(IJ)Z
48. jogamp.openal.ALImpl.dispatch.alListener3f1(IFFFJ)V
49. jogamp.openal.ALImpl.dispatch.alListener3i1(IIIIJ)V
50. jogamp.openal.ALImpl.dispatch.alListenerf1(IFJ)V
51. jogamp.openal.ALImpl.dispatch.alListenerfv1(ILjava/lang/Object;IZJ)V
52. jogamp.openal.ALImpl.dispatch.alListeneri1(IIJ)V
53. jogamp.openal.ALImpl.dispatch.alListeneriv1(ILjava/lang/Object;IZJ)V
54. jogamp.openal.ALImpl.dispatch.alSource3f1(IIFFFJ)V
55. jogamp.openal.ALImpl.dispatch.alSource3i1(IIIIIJ)V
56. jogamp.openal.ALImpl.dispatch.alSourcef1(IIFJ)V
57. jogamp.openal.ALImpl.dispatch.alSourcefv1(IILjava/lang/Object;IZJ)V
58. jogamp.openal.ALImpl.dispatch.alSourcei1(IIIJ)V
59. jogamp.openal.ALImpl.dispatch.alSourceiv1(IILjava/lang/Object;IZJ)V
60. jogamp.openal.ALImpl.dispatch.alSourcePause1(IJ)V
61. jogamp.openal.ALImpl.dispatch.alSourcePausev1(ILjava/lang/Object;IZJ)V
62. jogamp.openal.ALImpl.dispatch.alSourcePlay1(IJ)V
63. jogamp.openal.ALImpl.dispatch.alSourcePlayv1(ILjava/lang/Object;IZJ)V
64. jogamp.openal.ALImpl.dispatch.alSourceQueueBuffers1(IILjava/lang/Object;IZJ)V
65. jogamp.openal.ALImpl.dispatch.alSourceRewindv1(ILjava/lang/Object;IZJ)V
66. jogamp.openal.ALImpl.dispatch.alSourceStop1(IJ)V
67. jogamp.openal.ALImpl.dispatch.alSourceStopv1(ILjava/lang/Object;IZJ)V
68. jogamp.openal.ALImpl.dispatch.alSourceUnqueueBuffers1(IILjava/lang/Object;IZJ)V
69. jogamp.openal.ALImpl.dispatch.alSpeedOfSound1(FJ)V

Malformed method parameters allow full control of the EIP register, which leads to remote code execution. Crash dumps are available here: http://www.fuzzmyapp.com/advisories/FMA-2012-038/FMA-2012-038-EN.xml

3. Fix

JogAmp has released a new version (2.0.2-rc12) fixing the JOAL issues. All previously signed JAR files have been removed. Signed JAR files are now restricted to the codebase '*.jogamp.org'. The latest JOAL implementation no longer depends on the buggy OpenAL library.

4. Credit

FuzzMyApp Team
http://www.fuzzmyapp.com/

5. References

http://www.fuzzmyapp.com/advisories/FMA-2012-038/FMA-2012-038-EN.xml
http://forum.jogamp.org/Release-2-0-2-rc12-td4029471.html
http://labb.zafena.se/?p=799

- FuzzMyApp
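The codebase restriction in the fix corresponds to the standard JAR `Codebase` manifest attribute. The following added Python example (not the advisory's or JogAmp's code) checks whether a signed JAR is pinned to an origin or could be rehosted anywhere; it assumes the attribute sits in the main manifest section, and the JAR images, signer file name and `Permissions` value are constructed samples.

```python
import io
import zipfile

def parse_manifest(text):
    """Parse the main section of MANIFEST.MF. Lines are capped at 72 bytes,
    so a line starting with one space continues the previous value; the
    main section ends at the first blank line."""
    attrs, last_key = {}, None
    for raw in text.splitlines():
        if raw == "":
            break
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs

def check_jar(jar_bytes):
    """Return (is_signed, codebase): signed when META-INF holds a *.SF file,
    codebase from the Codebase attribute or None when the JAR is unpinned."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        signed = any(n.startswith("META-INF/") and n.upper().endswith(".SF")
                     for n in zf.namelist())
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    return signed, parse_manifest(manifest).get("Codebase")

def is_repurposable(jar_bytes):
    """Signed but unpinned: any site could host it and reuse the trusted
    signature, which is the exposure the advisory describes."""
    signed, codebase = check_jar(jar_bytes)
    return signed and codebase is None

def build_jar(manifest_lines):
    """Constructed sample JAR (not a real JogAmp artifact); the .SF entry is
    a placeholder standing in for a real signature file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(manifest_lines) + "\r\n\r\n")
        zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
    return buf.getvalue()

# Constructed samples: an unpinned signed JAR, and one pinned to *.jogamp.org as the fix describes.
UNPINNED_JAR = build_jar(["Manifest-Version: 1.0", "Permissions: all-permissions"])
PINNED_JAR = build_jar(["Manifest-Version: 1.0", "Permissions: all-permissions",
                        "Codebase: *.jogamp.org"])
```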
