Two researchers, Rubén Santamarta (@reversemode) and Tavis Ormandy have both posted proof of concept code today for exploiting a vulnerability in the Java Web Start functionality included in Sun’s Java since Java 6 Update 10. The functionality is designed to make it easier for developers to deploy applications to end users.
In both cases the researchers were able to exploit the insufficient validation of parameters which are passed to the javaws command when used to deploy an application via a web page. The end result is that an attacker would be able to launch a .jar file of their choice, almost silently on the user’s machine.
The exploit appears very simple, and Tavis did contact Oracle regarding the issue, but was told that the vulnerability is not severe enough to justify releasing an out-of-band patch for it.
Mitigation for the vulnerability can mean setting the ActiveX killbit for the control in Internet Explorer, or using file system permissions to prevent the Java Deployment Toolkit plugin (npdeploytk.dll) from being loaded. More information on mitigation is available in the links below.
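As an added illustration of the two mitigations just described (this is example code written for this post, not the researchers' code or anything from Oracle), the PowerShell below sets the Internet Explorer killbit for a control and denies execute access on the plugin DLL, then verifies both. The CLSID is a deliberate placeholder because this post does not list the real one; the DLL path is an assumed default install location and must be adjusted to the host.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
#Requires -RunAsAdministrator

# PLACEHOLDER: replace with the Deployment Toolkit control's actual CLSID
# from the vendor/advisory links; the value below is not the real one.
$DeployToolkitClsid = '{00000000-0000-0000-0000-000000000000}'

# Assumed install path for the plugin DLL; adjust to the JRE on this host.
$DeployToolkitDll = Join-Path $env:ProgramFiles 'Java\jre6\bin\npdeploytk.dll'

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # IE checks this key before instantiating a control; flag 0x400 is the killbit.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value 0x400 -Force | Out-Null
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
}

function Block-DeploymentToolkitDll {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { Write-Warning "Not found: $Path"; return }
    # An explicit Deny ACE for Everyone on read/execute wins over inherited Allow
    # entries, so no browser process can map the DLL.
    & icacls $Path /deny 'Everyone:(RX)' | Out-Null
}

function Test-DeploymentToolkitBlocked {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq 'Everyone' -and
            ($ace.FileSystemRights -band
                [System.Security.AccessControl.FileSystemRights]::ReadAndExecute)) {
            return $true
        }
    }
    return $false
}

Set-ActiveXKillBit -Clsid $DeployToolkitClsid
Block-DeploymentToolkitDll -Path $DeployToolkitDll

# Report the post-mitigation state so it can be checked or logged centrally.
[pscustomobject]@{
    KillBitSet = Test-ActiveXKillBit -Clsid $DeployToolkitClsid
    DllBlocked = Test-DeploymentToolkitBlocked -Path $DeployToolkitDll
}
```

Two caveats worth keeping in mind: the killbit only affects Internet Explorer's ActiveX path, so the file permission change is what covers the NPAPI plugin used by other browsers, and a Deny ACE for Everyone also blocks the Java installer from updating that file, so it should be removed before applying a vendor patch.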
Currently the vulnerability is only exploitable on Windows versions of Java, but Rubén points out:
Although Linux contains vulnerable code, I was unable to exploit it in the same manner. It likely can be exploited by using the proper sequence of command-line arguments, but the sudden release didn’t allow me to research into this issue. I was focused on Windows at the moment of the disclosure.
So that may only be a matter of time.
More information and the POC code can be found here:
Full Disclosure Mailing List – Java Deployment Toolkit Performs Insufficient Validation of Parameters