Re: SEC Consult SA-20130417-1 :: Java ActiveX Control Memory Corruption

2013-04-19 Thread SEC Consult Vulnerability Lab
Dear list,

it seems we've had a mix-up with the CVE number; the correct CVE number
for this issue is:

CVE-2013-2416 (S0319764)


SEC Consult Vulnerability Lab



SEC Consult SA-20130417-1 :: Java ActiveX Control Memory Corruption

2013-04-18 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20130417-1 >
=======================================================================
              title: Java ActiveX Control Memory Corruption
            product: Java(TM) Web Start Launcher
 vulnerable version: Sun Java Version 7 Update 17 and before
                     Sun Java Version 6 Update 43 and before
                     Sun Java Version 5.0 Update 41 and before
      fixed version: Patch information see sections below
                CVE: CVE-2013-2419
             impact: medium
           homepage: http://www.java.com/
              found: 2012-11-13
                 by: A. Antukh
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
To date, the Java platform has attracted more than 9 million software
developers. It's used in every major industry segment and has a presence
in a wide range of devices, computers, and networks.

Java technology's versatility, efficiency, platform portability, and
security make it the ideal technology for network computing. From laptops
to datacenters, game consoles to scientific supercomputers, cell phones to
the Internet, Java is everywhere!

Source: http://www.java.com/en/about/


Vulnerability overview/description:
-----------------------------------
A memory corruption vulnerability exists in the launchApp() method of
deployJava1.dll, the ActiveX control that Internet Explorer loads and that
launches javaws.exe with the supplied arguments. The second (optional)
parameter, which carries embedded data, is validated improperly; under
specific conditions this leads to memory corruption and a read from an
arbitrary address.

Successful exploitation of this vulnerability could potentially result in
arbitrary code execution within the Java(TM) Web Start Launcher or cause
the application to crash.


Vulnerability details:
----------------------
The launchApp() method expects the following arguments: *pJNLP, *pEmbedded
(optional) and *pVmArgs (optional). Providing only an invalid *pJNLP argument
makes the application display an error message and exit. If an attacker also
provides the second argument, however, it is processed before the launcher
quits.

The function that processes an auto-generated temporary file containing the
input arguments is called as follows:

.text:0040560F push    eax             ; size of input data
.text:00405610 push    esi             ; malcrafted string
.text:00405611 call    tmp_processing

If the input length does not pass the bitwise-AND check (test dl, 3: the low
two bits of the size must be clear, i.e. the size must be a multiple of four),
the function returns zero and exits:

.text:0040950B mov     edx, [ebp+arg_4]
.text:0040950E test    dl, 3           ; if size satisfies condition
.text:00409511 jz      short loc_409517 ; jump to processing
.text:00409513 xor     eax, eax        ; otherwise return 0 and exit
.text:00409515 leave
.text:00409516 retn

The caller stores the return value in esi and later dereferences it as a
pointer without checking it, so the zero result is used as a NULL pointer and
the read from [esi+0CCh] causes an access violation:

.text:00405611 call    tmp_processing
.text:00405616 mov     esi, eax
...
(cc0.9fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00155a10 ebx=00000000 ecx=00000008 edx=ffd21610 esi=00000000 edi=00000001
eip=00402a0d esp=0012e6a8 ebp=0012e734 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
javaws+0x2a0d:
00402a0d 8b86cc000000    mov     eax,dword ptr [esi+0CCh] ds:0023:000000cc=????????

If the size passes the check, however, execution continues and a buffer of
the input string's length is allocated:

.text:00409547 push    eax             ; size_t
.text:00409548 mov     [ebp+var_4], ecx
.text:0040954B call    _malloc

The first WORD of the malformed string is then compared against 3Dh (the
equals sign '=') so that it can be skipped. If the WORD is not 3Dh, it is
used directly, without a bounds check, as an index into a word table
(word_445670), and a word is read from the resulting address:

.text:00409571 cmp     ecx, 3Dh
.text:00409574 jnz     short crash_place
.text:00409576 xor     ecx, ecx
.text:00409578 jmp     short loc_409582
.text:0040957A ; ---------------------------------------------------------------------------
.text:0040957A
.text:0040957A crash_place:                            ; CODE XREF: tmp_processing+97j
.text:0040957A movzx   ecx, word_445670[ecx*2]

If the resulting address points to unmapped memory, an access violation is
raised (here the first WORD of the input was 0AAEEh):

eax=001542a0 ebx=001559f8 ecx=0000aaee edx=00000000 esi=00000000 edi=001558c8
eip=0040957a
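The two defects described above (the unchecked zero return from tmp_processing that the caller dereferences at [esi+0CCh], and the first WORD of the input used as an unbounded index into word_445670) modelled in C, each beside a hardened form. This is an added example, not code from the advisory or from the Java(TM) Web Start Launcher; the struct layout, the table size and contents, the sample inputs and all identifiers are assumptions constructed for the model.

```c
/*
 * Added example, not code from the advisory or from the Java(TM) Web Start
 * Launcher: a C model of the two defects the disassembly shows, each beside
 * a hardened form.
 *   1. tmp_processing returns 0 when the input size is not a multiple of 4
 *      (test dl,3), and the caller keeps that 0 in esi and reads
 *      [esi+0CCh] without a NULL check (read from 0x000000CC).
 *   2. The first WORD of the data, unless it is 3Dh ('='), is used
 *      unchecked as an index into a word table (movzx ecx, word_445670[ecx*2]);
 *      a value such as 0xAAEE from the crash dump indexes far past the table.
 * Assumptions: the struct layout, the table size (256 entries), the table
 * contents and all identifiers are constructed for this model only.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CLASS_TABLE_ENTRIES 256              /* assumed size of word_445670 */
static const uint16_t class_table[CLASS_TABLE_ENTRIES] = {
    [' '] = 1, ['\t'] = 1, ['"'] = 2,        /* constructed character classes */
};

/* Stand-in for the object javaws reads at [esi+0CCh]; offset chosen to match. */
typedef struct {
    uint8_t  pad[0xCC];
    uint32_t first_class;
} parsed_args;

/* Vulnerable model of tmp_processing (checks at 0040950E and 00409571). */
static parsed_args *tmp_processing_vuln(const uint16_t *data, size_t size)
{
    if (size & 3)                            /* test dl,3 ; xor eax,eax ; retn */
        return NULL;
    parsed_args *p = calloc(1, sizeof *p);
    if (p == NULL)
        return NULL;
    uint16_t c = data[0];                    /* first WORD of the string */
    if (c == 0x3D)                           /* '=' is skipped: xor ecx,ecx */
        p->first_class = 0;
    else
        p->first_class = class_table[c];     /* BUG: c may be up to 0xFFFF */
    return p;
}

/* Vulnerable model of the caller at 00405616: no check before the read. */
static uint32_t launch_app_vuln(const uint16_t *data, size_t size)
{
    parsed_args *p = tmp_processing_vuln(data, size);   /* mov esi, eax */
    uint32_t v = p->first_class;             /* mov eax,[esi+0CCh]: faults if p == NULL */
    free(p);
    return v;
}

enum { LAUNCH_BAD_LENGTH = -1, LAUNCH_BAD_CHAR = -2, LAUNCH_NOMEM = -3 };

/* Hardened form: returns the class value (>= 0) or a negative error, so the
 * caller gets a status instead of a NULL pointer, and the table index is
 * bounded before it is used. */
static long launch_app_fixed(const uint16_t *data, size_t size)
{
    if (size < sizeof(uint16_t) || (size & 3))
        return LAUNCH_BAD_LENGTH;
    uint16_t c = data[0];
    if (c != 0x3D && c >= CLASS_TABLE_ENTRIES)
        return LAUNCH_BAD_CHAR;              /* would read past word_445670 */
    parsed_args *p = calloc(1, sizeof *p);
    if (p == NULL)
        return LAUNCH_NOMEM;
    p->first_class = (c == 0x3D) ? 0 : class_table[c];
    long v = p->first_class;
    free(p);
    return v;
}

/* Constructed inputs (UTF-16 code units; sizes are in bytes). */
static const uint16_t sample_space[2]  = { ' ',    0 };   /* 4 bytes, class 1 */
static const uint16_t sample_equals[2] = { 0x3D,   0 };   /* 4 bytes, skipped */
static const uint16_t sample_odd[3]    = { 'x', 'y', 0 }; /* 6 bytes: fails test dl,3 */
static const uint16_t sample_wide[2]   = { 0xAAEE, 0 };   /* ecx value from the dump */

int main(void)
{
    printf("vuln  space : %u\n",  launch_app_vuln(sample_space, sizeof sample_space));
    printf("fixed space : %ld\n", launch_app_fixed(sample_space, sizeof sample_space));
    printf("fixed odd   : %ld\n", launch_app_fixed(sample_odd, sizeof sample_odd));
    printf("fixed wide  : %ld\n", launch_app_fixed(sample_wide, sizeof sample_wide));
    /* launch_app_vuln(sample_odd, ...) would dereference NULL and
     * launch_app_vuln(sample_wide, ...) would read out of bounds. */
    return 0;
}
```

The vulnerable pair is only ever called with well-formed input in main(); the two inputs that model the crashes (a 6-byte size and a first WORD of 0xAAEE) are routed through the hardened function, which rejects them with a status code instead of handing the caller a NULL pointer or reading past the table.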