Executive Summary
Summary | |
---|---|
Title | Java Deployment Toolkit insufficient argument validation |
Information | |||
---|---|---|---|
Name | VU#886582 | First vendor Publication | 2010-04-12 |
Vendor | VU-CERT | Last vendor Modification | 2010-04-19 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Vulnerability Note VU#886582
Java Deployment Toolkit insufficient argument validation

Overview
The Sun Java Deployment Toolkit plugin and ActiveX control perform insufficient argument validation, allowing an attacker to perform several attacks, including the execution of an arbitrary JAR file.

I. Description
The Sun Java Deployment Toolkit contains an NPAPI (Netscape-compatible) plugin and an ActiveX control, which are installed in the end user's browser(s). The toolkit contains a launch() method which can be used to pass a Java Network Launching Protocol (JNLP) URL to the registered handler for JNLP files. On Windows systems, the default handler is the Java Web Start utility, javaws.exe.

As detailed here, because the launch() method performs insufficient argument validation of the URL, arbitrary arguments can be passed to javaws.exe. This includes the '-J' option, which can allow an attacker to execute a remote JAR file. The code in the JAR file will execute with elevated Java privileges, which is equivalent to the execution of arbitrary code.

This issue is addressed in Java 1.6.0_20. Please see the release notes for more details. This update provides new versions of the Java Deployment Toolkit ActiveX control and plug-in. The update also sets the kill bit for the vulnerable version of the ActiveX control.
The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

    {CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}]
    "Compatibility Flags"=dword:00000400

Disable ActiveX
Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Mozilla Firefox
Use Access Control Lists (ACLs) to prevent access to npdeploytk.dll. Please note that, based on the plugin.scan.SunJRE setting, Firefox will not only scan the Firefox 'plugin' directory for plugins; it will also search additional directories based on the user's installation of Java. Ensure that ACLs apply to all instances of npdeploytk.dll within Firefox's search path. Please refer to this mozillazine article for more information.

Disable Java Deployment Toolkit Plugin
In Mozilla Firefox, select Tools -> Add-ons, click the Plugins icon, then select 'Java Deployment Toolkit', then 'Disable'. Please note that if Java is updated or reinstalled, the plugin may be re-enabled.

Systems Affected
References
This report is based on research by Tavis Ormandy. This document was written by David Warren.
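
An offline check for the kill-bit workaround described above, added here as an example and not part of the CERT advisory or any vendor tool: it parses `.REG` export text and reports whether the 0x400 flag is set for the advisory's CLSID. The WOW6432Node path (the registry view 32-bit Internet Explorer uses on 64-bit Windows) does not appear in the advisory, and the function names and sample export are constructed for illustration.

```python
import re

# CLSID and kill-bit value are the ones given in the advisory text.
CLSID = "{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}"
KILL_BIT = 0x00000400
BASE = r"\Microsoft\Internet Explorer\ActiveX Compatibility"
# Assumption (not in the advisory): 32-bit IE on 64-bit Windows reads the
# WOW6432Node view, so a complete audit checks both registry views.
VIEWS = {
    "native": r"HKEY_LOCAL_MACHINE\SOFTWARE" + BASE,
    "wow64": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node" + BASE,
}
SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{1,8})$', re.I)

def parse_flags(reg_text):
    """Map upper-cased key path -> Compatibility Flags from .REG text."""
    flags, key = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        section = SECTION.match(line)
        if section:
            key = section.group(1).upper()
            continue
        value = DWORD.match(line)
        if value and key:
            flags[key] = int(value.group(1), 16)
    return flags

def audit_kill_bit(reg_text, clsid=CLSID):
    """Return {view: "set" | "not set" | "missing"} for the control."""
    flags, result = parse_flags(reg_text), {}
    for view, base in VIEWS.items():
        value = flags.get((base + "\\" + clsid).upper())
        # Other flag bits may be present, so test the bit, not equality.
        result[view] = ("missing" if value is None
                        else "set" if value & KILL_BIT else "not set")
    return result

# Constructed sample export (not real host data); the views differ on purpose.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}]
"Compatibility Flags"=dword:00800400

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{cafeefac-dec7-0000-0000-abcdeffedcba}]
"Compatibility Flags"=dword:00000001
"""

print(audit_kill_bit(SAMPLE))
```

A host is only covered when every view that exists on it reports "set"; a "missing" or "not set" result for either view means the control can still be instantiated by the corresponding Internet Explorer build.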
Original Source
Url : http://www.kb.cert.org/vuls/id/886582 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:14090 | |||
Oval ID: | oval:org.mitre.oval:def:14090 | ||
Title: | Argument injection vulnerability in the URI handler in (a) Java NPAPI plugin and (b) Java Deployment Toolkit in Java 6 Update 10, 19, and other versions, when running on Windows and possibly on Linux, allows remote attackers to execute arbitrary code via the (1) -J or (2) -XXaltjvm argument to javaws.exe, which is processed by the launch method. NOTE: some of these details are obtained from third party information. | ||
Description: | Argument injection vulnerability in the URI handler in (a) Java NPAPI plugin and (b) Java Deployment Toolkit in Java 6 Update 10, 19, and other versions, when running on Windows and possibly on Linux, allows remote attackers to execute arbitrary code via the (1) -J or (2) -XXaltjvm argument to javaws.exe, which is processed by the launch method. NOTE: some of these details are obtained from third party information. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2010-1423 | Version: | 9 |
Platform(s): | Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Vista, Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2, Microsoft Windows Server 2012 | Product(s): | Java Development Kit, Java Runtime Environment |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2010-04-23 | Name : Sun Java Deployment Toolkit Multiple Vulnerabilities (Windows) File : nvt/secpod_sun_java_jdk_mult_vuln_win_apr10.nasl |
2010-04-23 | Name : Sun Java JRE Multiple Vulnerabilities (Linux) File : nvt/secpod_sun_java_jre_mult_vuln_lin_apr10.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
63648 | Sun Java Deployment Toolkit javaw.exe JAR File Handling Arbitrary Code Execu... Sun Java Deployment Toolkit contains a flaw that may allow an attacker to execute arbitrary code. The vulnerability is triggered upon a visit to a malicious website embedding a specially crafted JNLP application. |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Oracle JRE Deployment Toolkit ActiveX clsid access attempt RuleID : 26682 - Revision : 5 - Type : BROWSER-PLUGINS |
2014-01-10 | Oracle JRE Deployment Toolkit ActiveX clsid access attempt RuleID : 23878 - Revision : 13 - Type : BROWSER-PLUGINS |
2014-01-10 | Oracle Java Web Start arbitrary command execution attempt RuleID : 17660 - Revision : 9 - Type : SERVER-OTHER |
2014-01-10 | Oracle Java Web Start arbitrary command execution attempt RuleID : 16585 - Revision : 5 - Type : WEB-CLIENT |
2014-01-10 | Oracle Java Web Start arbitrary command execution attempt - Internet Explorer RuleID : 16584 - Revision : 8 - Type : BROWSER-IE |
2014-01-10 | Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code executio... RuleID : 16550 - Revision : 8 - Type : FILE-OTHER |
2014-01-10 | Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code executio... RuleID : 16549 - Revision : 11 - Type : FILE-OTHER |
2014-01-10 | Java Web Start ActiveX launch command by JavaScript CLSID RuleID : 16548 - Revision : 5 - Type : WEB-ACTIVEX |
2014-01-10 | Java Web Start ActiveX launch command by CLSID RuleID : 16547 - Revision : 5 - Type : WEB-ACTIVEX |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-02-22 | Name : The remote host contains a runtime environment that is affected by multiple v... File : oracle_java6_update20_unix.nasl - Type : ACT_GATHER_INFO |
2010-04-15 | Name : The remote host contains a runtime environment that is affected by multiple v... File : oracle_java6_update20.nasl - Type : ACT_GATHER_INFO |