Public Vulnerability Reports

Sun Java Web Start (JWS ) PNG Decoding Integer Overflow Vulnerability

03.26.09

BACKGROUND

Java Web Start (JWS) is a framework built by Sun that is used to run Java applications outside of the browser. It is distributed with the Java Runtime Environment (JRE) installation. JWS is typically launched by clicking on a link in the browser and results in a separate process being started that is not tied to the JVM inside the browser. In order to accomplish this, the Java Network Launching Protocol (JNLP) is used to communicate with the JWS process. This is done by referencing a .jnlp file from the Web page, which is then requested and forwarded to the JWS application. This XML-based file contains various parameters that describe the Java application to be run. For more information, see the vendor's site found at the following link.

http://www.java.com

DESCRIPTION

Remote exploitation of an integer overflow vulnerability in Sun Microsystems Inc.'s Java Web Start could allow an attacker to execute arbitrary code with privileges of the current user.

When JWS starts up, it displays a splash screen. By default, the image displayed on this splash screen is a GIF file provided by Sun, but it is possible for a JNLP file to provide its own splash logo. This allows an attacker to pass an arbitrary PNG file to the splash logo parsing code.

The vulnerability occurs when parsing a PNG file used as part of the splash screen. When parsing the image, several values are taken from the file and used in an arithmetic operation that calculates the size of a heap buffer. This calculation can overflow, which results in an undersized buffer being allocated. This buffer is later overflowed with data from the file.

ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user running JWS. There are several ways to exploit this vulnerability. The most common exploitation vector is through the browser. By persuading a user to follow a link (or by compromising a trusted site), the vulnerability can be exploited by simply viewing a webpage. It would also be possible for an attacker to e-mail a JNLP file to a user or place it on a shared network drive. In this situation, a targeted user would need to manually open the file.

DETECTION

iDefense has confirmed the existence of this vulnerability in Java Web Start version 1.6_11 on Windows and Linux. Previous versions may also be affected.

Sun Microsystems reports that the vulnerability can occur in the following Java SE and Java SE for Business releases for Windows, Solaris, and Linux:

 * JDK and JRE 6 Update 12 and earlier 

Note: JDK and JRE 5.0, SDK and JRE 1.4.2 and 1.3.1 are not affected.

WORKAROUND

On Windows, it is possible to prevent automatic exploitation by double-clicking such a file, or opening it through the browser by removing the file associations for JNLP files. If a user specifically selects the Java Web Start application to open the JNLP file, however, exploitation is still possible. This can be done by removing the registry key for .jnlp in the 'HKEY_CLASSES_ROOT' registry hive.

An additional workaround which will prevent all exploitation attempts is to rename the splashscreen library so that Java Web Start will not be able to load it. This file is found in different locations depending on the platform and installation choices. One such location is:

C:Program FilesJavajre6binsplashscreen.dll

Renaming this file to splashscreen.dll.bak will prevent it from being loaded.

VENDOR RESPONSE

Sun Microsystem Inc. has released a patch which addresses this issue. For more information, consult their advisory at the following URL:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-254571-1

CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

DISCLOSURE TIMELINE

02/18/2009 - Initial Contact
02/18/2009 - PoC Requested
02/19/2009 - PoC Sent
03/10/2009 - Disclosure Date Set
03/25/2009 - Coordinated Public Disclosure

CREDIT

This vulnerability was discovered by regenrecht.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

LEGAL NOTICES

Copyright © 2009 Verisign, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.