[NT] Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 10 Jul 2007 11:06:36 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability
eEye Digital Security has discovered a stack buffer overflow in Java
WebStart, a utility installed with Java Runtime Environment for the
purpose of managing the download of Java applications. By opening a
malicious JNLP file, a user's system may be compromised by arbitrary code
within the file, which executes with the privileges of that user.
A web-based attack conducted through Internet Explorer may succeed without
the use of ActiveX or scripting, and without any additional user
interaction other than viewing a web page, if the web server indicates a
Content-Type of "application/x-java-jnlp-file" when serving up the
malicious JNLP file. In such a case, a ".jnlp" file extension is not
Vulnerable Systems:
* Java Runtime Environment 6 Update 1, and earlier
* Java Runtime Environment 5 Update 11, and earlier
Immune Systems:
* Java Runtime Environment 6 Update 2
* Java Runtime Environment 5 Update 12
javaws.exe is responsible for extracting download instructions from JNLP
files, which are essentially XML. The jnlp element in the JNLP file
contains a codebase attribute. This attribute is later copied (via
sprintf) into a 1024-byte stack buffer, where it is also prepended with the
path to the user's temp directory. As no length validation is imposed prior
to the sprintf, the stack-based buffer can be overflowed by whatever is
passed in the codebase. The one restriction placed on the input is that any
multi-byte characters are converted into a single 0xFF byte, so only
characters 0x01 through 0x7F are usable as-is.
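The copy described above, reduced to its essentials in C. This is an added illustration written for this bulletin, not eEye's or Sun's code: a minimal scanner that pulls the codebase attribute off the jnlp start tag, the unchecked sprintf pattern into a 1K stack buffer as the "before", a bounded variant that refuses oversized input as the "after", and a constructed JNLP with an 1100-byte codebase to show that the length alone decides whether the buffer is exceeded. The temp-directory path, the sample JNLP text and the byte-collapsing rule are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 1024   /* the "1K buffer" the advisory describes */

/* Constructed sample JNLP, not a real file: a benign codebase value. */
static const char SAMPLE_JNLP[] =
    "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
    "<jnlp spec=\"1.0+\" codebase=\"http://example.invalid/app\" href=\"app.jnlp\">\n"
    "  <information><title>demo</title></information>\n"
    "</jnlp>\n";

/* Minimal scanner (not an XML parser) that returns the full length of the
   codebase attribute on the <jnlp> start tag, copying at most outsz-1 bytes.
   Returns -1 if the tag or attribute is absent. */
static int jnlp_codebase(const char *xml, char *out, size_t outsz)
{
    const char *tag = strstr(xml, "<jnlp");
    const char *end = tag ? strchr(tag, '>') : NULL;
    const char *attr = tag ? strstr(tag, "codebase=\"") : NULL;
    if (!end || !attr || attr > end) return -1;
    attr += strlen("codebase=\"");
    const char *close = memchr(attr, '"', (size_t)(end - attr));
    if (!close) return -1;
    size_t len = (size_t)(close - attr), n = len < outsz ? len : outsz - 1;
    memcpy(out, attr, n);
    out[n] = '\0';
    return (int)len;
}

/* The advisory says multi-byte characters are collapsed to a single 0xFF
   before the copy. Our reading of that (an assumption): every byte >= 0x80
   becomes 0xFF, so a payload can only rely on 0x01..0x7F and 0xFF. */
static void collapse_high_bytes(unsigned char *s)
{
    for (; *s; s++)
        if (*s >= 0x80) *s = 0xFF;
}

/* Pattern the advisory describes: temp path + codebase formatted with sprintf
   into a fixed 1K stack buffer, no length check. Overflows once
   strlen(tmpdir) + 1 + strlen(codebase) >= PATH_BUF. Kept as the "before";
   only ever called here with short input. */
static int cache_path_vuln(const char *tmpdir, const char *codebase)
{
    char path[PATH_BUF];
    sprintf(path, "%s\\%s", tmpdir, codebase);
    return (int)strlen(path);
}

/* Same computation with the bound checked first. Returns the length written,
   or -1 when the result would not fit: it refuses rather than truncating,
   since a silently shortened cache path is itself a bug. */
static int cache_path_safe(const char *tmpdir, const char *codebase,
                           char *out, size_t outsz)
{
    int need = snprintf(NULL, 0, "%s\\%s", tmpdir, codebase);
    if (need < 0 || (size_t)need >= outsz) return -1;
    return snprintf(out, outsz, "%s\\%s", tmpdir, codebase);
}

/* Would the unchecked sprintf exceed PATH_BUF for this pair of inputs? */
static int overflows_1k(const char *tmpdir, const char *codebase)
{
    return strlen(tmpdir) + 1 + strlen(codebase) >= PATH_BUF;
}

/* Build a JNLP whose codebase is `cblen` bytes of 'A': constructed input
   shaped like the advisory's trigger, carrying no exploit payload. */
static int make_long_jnlp(size_t cblen, char *buf, size_t bufsz)
{
    const char *head = "<jnlp spec=\"1.0+\" codebase=\"", *tail = "\"></jnlp>\n";
    if (strlen(head) + cblen + strlen(tail) >= bufsz) return -1;
    size_t off = (size_t)sprintf(buf, "%s", head);
    memset(buf + off, 'A', cblen);
    strcpy(buf + off + cblen, tail);
    return 0;
}

int main(void)
{
    char cb[4096], path[PATH_BUF], jnlp[4096];
    const char *tmp = "C:\\Users\\alice\\AppData\\Local\\Temp";   /* assumed temp dir */

    int n = jnlp_codebase(SAMPLE_JNLP, cb, sizeof cb);
    printf("benign codebase (%d bytes): vuln=%d safe=%d\n", n,
           cache_path_vuln(tmp, cb), cache_path_safe(tmp, cb, path, sizeof path));

    make_long_jnlp(1100, jnlp, sizeof jnlp);
    n = jnlp_codebase(jnlp, cb, sizeof cb);
    collapse_high_bytes((unsigned char *)cb);
    printf("long codebase (%d bytes): overflows_1k=%d safe=%d\n", n,
           overflows_1k(tmp, cb), cache_path_safe(tmp, cb, path, sizeof path));
    return 0;
}
```

The point the bounded variant makes is that the fix is not the format string but the check before it: the temp path is attacker-independent but varies per user, so the only value that can be validated is the combined length against the destination size.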
To work around this vulnerability, if you are not actively using Java
WebStart, remove the .jnlp content type association in your registry:
By deleting or altering these registry keys, Java WebStart will no
longer be used to open .jnlp files, thereby mitigating this
Sun Microsystems has released a patch for this vulnerability.
JRE 5 Update 12 is available at:
JRE 6 Update 2 is available at:
The information has been provided by <mailto:Advisories@xxxxxxxx> eEye
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.