Executive Summary



This alert is flagged under the CWE/SANS Top 25 Common Weakness Enumeration.
Summary
Title Java Deployment Toolkit insufficient argument validation
Information
Name VU#886582 First vendor Publication 2010-04-12
Vendor VU-CERT Last vendor Modification 2010-04-19
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitability Sub Score NA
 

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Exploit Score 8.6 Authentication None Required

Detail

Vulnerability Note VU#886582

Java Deployment Toolkit insufficient argument validation

Overview

The Sun Java Deployment Toolkit plugin and ActiveX control perform insufficient argument validation, allowing an attacker to perform several attacks, including the execution of an arbitrary JAR file.

I. Description

The Sun Java Deployment Toolkit contains an NPAPI (Netscape-compatible) plugin and an ActiveX control, which are installed in the end user's browser(s). The toolkit contains a launch() method which can be used to pass a Java Network Launch Protocol (JNLP) URL to the registered handler for JNLP files. On Windows systems, the default handler is the Java Web Start utility, javaws.exe.

As detailed here, because the launch() method performs insufficient argument validation of the URL, arbitrary arguments can be passed to javaws.exe. This includes the '-J' option, which can allow an attacker to execute a remote JAR file. The code in the JAR file will execute with elevated Java privileges, which is equivalent to the execution of arbitrary code.
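The flaw class described above, as an added example (not code from the Deployment Toolkit or from the advisory): a simplified model of a handler command line with one URL placeholder, showing how an unvalidated value turns into extra arguments and how strict validation plus an argument vector prevents it. The handler template, the function names and the sample URLs are assumptions made for illustration.

```python
"""Argument injection through a URL handler, and a strict validator (illustrative model)."""
from urllib.parse import urlsplit

HANDLER = "javaws.exe"        # handler named in the advisory
TEMPLATE = HANDLER + " %1"    # hypothetical registration: one URL placeholder


def naive_argv(url):
    """Vulnerable pattern: substitute into a string and let it be re-tokenised."""
    return TEMPLATE.replace("%1", url).split()


def validate_jnlp_url(url):
    """Return url unchanged if it is a plain http(s) URL, else raise ValueError."""
    if not url:
        raise ValueError("empty value")
    if any(c.isspace() or ord(c) < 0x20 or c in "\"'`" for c in url):
        raise ValueError("whitespace, control character or quote in URL")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if not parts.hostname:
        raise ValueError("missing host")
    return url


def safe_argv(url):
    """Hardened pattern: validate, then pass the URL as exactly one argv element."""
    return [HANDLER, validate_jnlp_url(url)]


def injected_options(argv):
    """Arguments after the program name that the handler would parse as options."""
    return [a for a in argv[1:] if a.startswith("-")]


# Constructed inputs: a normal URL, and one carrying a harmless -J JVM property.
GOOD = "http://example.test/app.jnlp"
BAD = "http://example.test/app.jnlp -J-Dconstructed.flag=1"

if __name__ == "__main__":
    print(naive_argv(BAD), injected_options(naive_argv(BAD)))
    try:
        safe_argv(BAD)
    except ValueError as exc:
        print("rejected:", exc)
```

The validator rejects input rather than trying to escape it, and the hardened path never rebuilds a command string, so the URL cannot be split into more than one argument.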

II. Impact

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.

III. Solution

Apply an update

This issue is addressed in Java 1.6.0_20. Please see the release notes for more details. This update provides new versions of the Java Deployment Toolkit ActiveX control and plug-in. The update also sets the kill bit for the vulnerable version of the ActiveX control.

Note: The installer for Java 1.6.0_20 may not correctly update all instances of the Java Deployment Toolkit plugin. In some cases, the plugin that resides in the bin\new_plugin directory may not be updated to the fixed 6.0.200.2 version of npdeployJava1.dll. If the new_plugin directory contains npdeploytk.dll version 6.0.190.4 or earlier, then browsers that use plug-ins, such as Mozilla Firefox or Google Chrome, may still be vulnerable. To correct this situation, delete the vulnerable npdeploytk.dll from the new_plugin directory and replace it with the npdeployJava1.dll version from the bin directory.

Please note that the Java Deployment Toolkit can be installed in multiple browsers; workarounds therefore need to be applied to every browser in which the Java Deployment Toolkit is installed.

Internet Explorer

    Disable the Java Deployment Toolkit ActiveX control in Internet Explorer
    The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

    {CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}
    More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}]
    "Compatibility Flags"=dword:00000400

    Disable ActiveX
    Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.
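One way to verify the kill bit described above from exported registry text, as an added example that is not part of the advisory. It assumes the decoded text of a `reg export` dump; the function names are hypothetical, and the Wow6432Node view (read by 32-bit Internet Explorer on 64-bit Windows) is an addition that the page does not mention.

```python
"""Check a registry export for the kill bit on the Deployment Toolkit ActiveX control."""
import re

CLSID = "{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}"   # CLSID from the advisory
KILL_BIT = 0x400                                   # "Compatibility Flags" bit from the advisory
TAIL = "\\Internet Explorer\\ActiveX Compatibility\\" + CLSID
# Registry views to check; the Wow6432Node entry is an assumption added here.
VIEWS = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft",
         "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft")
FLAG_RE = re.compile(r'"Compatibility Flags"\s*=\s*dword:([0-9a-f]{1,8})', re.I)


def parse_flags(reg_text):
    """Return {lower-cased key path: Compatibility Flags value} for keys in the dump."""
    flags, key = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := FLAG_RE.fullmatch(line)):
            flags[key] = int(m.group(1), 16)
    return flags


def views_without_kill_bit(reg_text, views=VIEWS):
    """List the views whose key for CLSID is missing or lacks the kill bit."""
    flags = parse_flags(reg_text)
    return [v for v in views
            if not flags.get((v + TAIL).lower(), 0) & KILL_BIT]


# Constructed sample: kill bit set in the native view only.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}]
"Compatibility Flags"=dword:00000000
'''

if __name__ == "__main__":
    print(views_without_kill_bit(SAMPLE))
```

A view is reported both when its key is absent and when the key exists without bit 0x400, since either state leaves the control loadable in that view.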

Mozilla Firefox
    Prevent access to npdeploytk.dll
    Use Access Control Lists (ACLs) to prevent access to npdeploytk.dll. Please note that, based on the plugin.scan.SunJRE setting, Firefox will scan not only the Firefox 'plugin' directory for plugins but also additional directories based on the user's installation of Java. Ensure that ACLs apply to all instances of npdeploytk.dll within Firefox's search path. Please refer to this mozillazine article for more information.

    Disable Java Deployment Toolkit Plugin
    In Mozilla Firefox, select Tools -> Add-ons, click the Plugins icon, then select 'Java Deployment Toolkit', then 'Disable'. Please note that if Java is updated or reinstalled, the plugin may be re-enabled.

Systems Affected

Vendor  Status  Date Notified  Date Updated
Sun Microsystems, Inc.  Vulnerable  2010-04-19

References


http://java.sun.com/javase/6/webnotes/6u20.html
http://lists.grok.org.uk/pipermail/full-disclosure/2010-April/074036.html
http://kb.mozillazine.org/Plugin_scanning

Credit

This report is based on research by Tavis Ormandy.

This document was written by David Warren.

Other Information

Date Public: 2010-04-09
Date First Published: 2010-04-12
Date Last Updated: 2010-04-19
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 0.00
Document Revision: 39

Original Source

Url : http://www.kb.cert.org/vuls/id/886582

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:14090
 
Oval ID: oval:org.mitre.oval:def:14090
Title: Argument injection vulnerability in the URI handler in (a) Java NPAPI plugin and (b) Java Deployment Toolkit in Java 6 Update 10, 19, and other versions, when running on Windows and possibly on Linux, allows remote attackers to execute arbitrary code via the (1) -J or (2) -XXaltjvm argument to javaws.exe, which is processed by the launch method. NOTE: some of these details are obtained from third party information.
Description: Argument injection vulnerability in the URI handler in (a) Java NPAPI plugin and (b) Java Deployment Toolkit in Java 6 Update 10, 19, and other versions, when running on Windows and possibly on Linux, allows remote attackers to execute arbitrary code via the (1) -J or (2) -XXaltjvm argument to javaws.exe, which is processed by the launch method. NOTE: some of these details are obtained from third party information.
Family: windows Class: vulnerability
Reference(s): CVE-2010-1423
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Application 132
Application 118

OpenVAS Exploits

Date Description
2010-04-23 Name : Sun Java Deployment Toolkit Multiple Vulnerabilities (Windows)
File : nvt/secpod_sun_java_jdk_mult_vuln_win_apr10.nasl
2010-04-23 Name : Sun Java JRE Multiple Vulnerabilities (Linux)
File : nvt/secpod_sun_java_jre_mult_vuln_lin_apr10.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
63648 Sun Java Deployment Toolkit javaw.exe JAR File Handling Arbitrary Code Execu...

Sun Java Deployment Toolkit contains a flaw that may allow an attacker to execute arbitrary code. The vulnerability is triggered when a user visits a malicious website embedding a specially crafted JNLP application.

Snort® IPS/IDS

Date Description
2014-01-10 Oracle JRE Deployment Toolkit ActiveX clsid access attempt
RuleID : 26682 - Revision : 5 - Type : BROWSER-PLUGINS
2014-01-10 Oracle JRE Deployment Toolkit ActiveX clsid access attempt
RuleID : 23878 - Revision : 13 - Type : BROWSER-PLUGINS
2014-01-10 Oracle Java Web Start arbitrary command execution attempt
RuleID : 17660 - Revision : 9 - Type : SERVER-OTHER
2014-01-10 Oracle Java Web Start arbitrary command execution attempt
RuleID : 16585 - Revision : 5 - Type : WEB-CLIENT
2014-01-10 Oracle Java Web Start arbitrary command execution attempt - Internet Explorer
RuleID : 16584 - Revision : 8 - Type : BROWSER-IE
2014-01-10 Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code executio...
RuleID : 16550 - Revision : 8 - Type : FILE-OTHER
2014-01-10 Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code executio...
RuleID : 16549 - Revision : 11 - Type : FILE-OTHER
2014-01-10 Java Web Start ActiveX launch command by JavaScript CLSID
RuleID : 16548 - Revision : 5 - Type : WEB-ACTIVEX
2014-01-10 Java Web Start ActiveX launch command by CLSID
RuleID : 16547 - Revision : 5 - Type : WEB-ACTIVEX

Nessus® Vulnerability Scanner

Date Description
2013-02-22 Name : The remote host contains a runtime environment that is affected by multiple v...
File : oracle_java6_update20_unix.nasl - Type : ACT_GATHER_INFO
2010-04-15 Name : The remote host contains a runtime environment that is affected by multiple v...
File : oracle_java6_update20.nasl - Type : ACT_GATHER_INFO