Public Vulnerability Reports

Sun Java Web Start (JWS) GIF Decoding Heap Corruption Vulnerability

26.03.09

BACKGROUND

Java Web Start (JWS) is a framework built by Sun that is used to run Java applications outside of the browser. It is distributed with the Java Runtime Environment (JRE) installation. JWS is typically launched by clicking on a link in the browser and results in a separate process being started that is not tied to the JVM inside the browser. In order to accomplish this, the Java Network Launching Protocol (JNLP) is used to communicate with the JWS process. This is done by referencing a .jnlp file from the Web page, which is then requested and forwarded to the JWS application. This XML-based file contains various parameters that describe the Java application to be run.

DESCRIPTION

Remote exploitation of a heap corruption vulnerability in Sun Microsystems Inc.'s Java Web Start could allow an attacker to execute arbitrary code with privileges of the current user.

When JWS starts up, it displays a splash screen. By default, the image displayed on this splash screen is a GIF file provided by Sun, but it is possible for a JNLP file to provide its own splash logo. This allows an attacker to pass an arbitrary GIF file to the splash logo parsing code to trigger the vulnerability.

ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user running JWS. There are several ways to exploit this vulnerability. The most common exploitation vector is through the browser. By persuading a user to follow a link (or by compromising a trusted site), the vulnerability can be exploited by simply viewing a webpage. It would also be possible for an attacker to e-mail a JNLP file to a user or place it on a shared network drive. In this situation, a targeted user would need to manually open the file.

DETECTION

iDefense has confirmed the existence of this vulnerability in Java Web Start version 1.6_11 on Windows and Linux. Previous versions may also be affected.

Sun Microsystems reports that the vulnerability can occur in the following Java SE and Java SE for Business releases for Windows, Solaris, and Linux:

 * JDK and JRE 6 Update 12 and earlier * JDK and JRE 5.0 Update 17 and earlier 

and in the following Java SE for Business release for Windows, Solaris, and Linux:

 * SDK and JRE 1.4.2_19 and earlier 

and in the following Java SE release for Windows and Solaris:

 * SDK and JRE 1.3.1_24 and earlier 

WORKAROUND

On Windows, it is possible to prevent automatic exploitation by double-clicking such a file, or opening it through the browser by removing the file associations for JNLP files. If a user specifically selects the Java Web Start application to open the JNLP file, however, exploitation is still possible. This can be done by removing the registry key for .jnlp in the 'HKEY_CLASSES_ROOT' registry hive.

An additional workaround which will prevent all exploitation attempts is to rename the splashscreen library so that Java Web Start will not be able to load it. This file is found in different locations depending on the platform and installation choices. One such location is:

C:Program FilesJavajre6binsplashscreen.dll

Renaming this file to splashscreen.dll.bak will prevent it from being loaded.

VENDOR RESPONSE

Sun Microsystem Inc. has released a patch which addresses this issue. For more information, consult their advisory at the following URL:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-254571-1

CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

DISCLOSURE TIMELINE

02/18/2009 - Initial Contact
02/18/2009 - PoC Requested
02/19/2009 - PoC Sent
03/10/2009 - Disclosure Date Set
03/25/2009 - Coordinated Public Disclosure

CREDIT

This vulnerability was reported to iDefense by regenrecht.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

LEGAL NOTICES

Copyright © 2009 Verisign, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.