Description:
Java Web Start (henceforth, jws) provides Java developers with a way to let users launch and install their applications using a URL to a Java Networking Launching Protocol (.jnlp) file (essentially some XML describing the program).
Since Java 6 Update 10, Sun has distributed an NPAPI plugin and ActiveX control called "Java Deployment Toolkit" to provide developers with a simpler method of distributing their applications to end users. This toolkit is installed by default with the JRE and marked safe for scripting.
The launch() method provided by the toolkit object accepts a URL string, which it passes to the registered handler for JNLP files, which by default is the javaws utility.
$ cmd /c ver
Microsoft Windows XP [Version 5.1.2600]
$ java -version
java version "1.6.0_19"
Java(TM) SE Runtime Environment (build 1.6.0_19-b04)
Java HotSpot(TM) Client VM (build 16.2-b04, mixed mode, sharing)
$ cat /proc/registry/HKEY_LOCAL_MACHINE/SOFTWARE/Classes/JNLPFile/Shell/Open/Command/\@
"C:\Program Files\Java\jre6\bin\javaws.exe" "%1"
The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the javaws utility, which provides enough functionality via command line arguments to allow this error to be exploited.
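The root cause described above is a classic argument-injection pattern: a string meant to be a single URL is handed to a command-line tool with so little checking that it can carry extra tokens. The following is an added illustration, not code from the advisory, from Sun's toolkit or from the aggregator, of the difference between a "looks like a URL" check and a strict single-token check, written in Python with hypothetical function names (`minimal_validation`, `strict_validation`, `build_argv`) and constructed sample inputs.

```python
import re
from urllib.parse import urlparse

# Constructed sample inputs (not taken from the advisory). Some are ordinary
# JNLP URLs; others contain whitespace, control characters or a leading dash,
# which a launcher that splits its input shell-style could turn into extra
# command-line options.
SAMPLE_INPUTS = [
    "http://example.com/app.jnlp",
    "https://example.com/path/app.jnlp?v=1",
    "http://example.com/app.jnlp extra-token",
    "http://example.com/app.jnlp\t-x",
    "-not-a-url",
    "file:///C:/tmp/app.jnlp",
    "javascript:alert(1)",
]


def minimal_validation(value: str) -> bool:
    """Models the weak check: accept anything that starts with http(s)://.

    This is the behaviour to avoid; it lets trailing tokens through.
    """
    return value.startswith(("http://", "https://"))


def strict_validation(value: str) -> bool:
    """Hypothetical hardened check: the value must be exactly one URL token."""
    if not value or value[0] == "-":
        # An option-like first character must never reach a CLI parser.
        return False
    if re.search(r"[\s\x00-\x1f\x7f\"']", value):
        # Whitespace, control characters and quotes are what let a single
        # string be split or re-tokenised into several arguments.
        return False
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https"):
        # Rule out file:, javascript: and any other non-web scheme.
        return False
    return bool(parsed.netloc)


def build_argv(value: str) -> list:
    """Hypothetical launcher glue: validate, then pass the URL as ONE argv
    element (never through a shell string), so it cannot become extra flags.
    """
    if not strict_validation(value):
        raise ValueError("rejected JNLP URL: %r" % value)
    return ["javaws", value]


def compare(value: str) -> tuple:
    """Return (weak_result, strict_result) for one input."""
    return (minimal_validation(value), strict_validation(value))


if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        weak, strict = compare(sample)
        print("%-45r weak=%-5s strict=%s" % (sample, weak, strict))
```

The two checks disagree exactly on the inputs that matter: a URL with a trailing space-separated token passes the weak prefix check but is rejected by the strict one. The second half of the fix is structural rather than syntactic: `build_argv` hands the URL over as a single `argv` element, so even a string that slipped past validation is seen by the launcher as one argument rather than being re-split.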
The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor.
Here is the full announcement. Please find a demo of the above vulnerability using Metasploit below. Thanks go out to Nofun (nofunofunofun [] gmail) for referring this video to us.
Tags: fun
Disclaimer: We are an infosec video aggregator, and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.