Sun Java Web Start (JWS) GIF Decoding Heap Corruption Vulnerability
12 Jul. 2009
Summary
Remote exploitation of a heap corruption vulnerability in Sun Microsystems Inc.'s Java Web Start could allow an attacker to execute arbitrary code with privileges of the current user.
Vulnerable Systems:
* Sun Java Web Start version 1.6_11 on Windows and Linux
When JWS starts up, it displays a splash screen. By default, the image displayed on this splash screen is a GIF file provided by Sun, but it is possible for a JNLP file to provide its own splash logo. This allows an attacker to pass an arbitrary GIF file to the splash logo parsing code to trigger the vulnerability.
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user running JWS. There are several ways to exploit this vulnerability. The most common exploitation vector is through the browser. By persuading a user to follow a link (or by compromising a trusted site), the vulnerability can be exploited by simply viewing a webpage. It would also be possible for an attacker to e-mail a JNLP file to a user or place it on a shared network drive. In this situation, a targeted user would need to manually open the file.
Workaround
On Windows, removing the file association for JNLP files prevents automatic exploitation when such a file is double-clicked or opened through the browser. If a user specifically selects the Java Web Start application to open the JNLP file, however, exploitation is still possible. The association can be removed by deleting the registry key for .jnlp in the 'HKEY_CLASSES_ROOT' registry hive.
An additional workaround that prevents all exploitation attempts is to rename the splashscreen library so that Java Web Start is unable to load it. This file is found in different locations depending on the platform and installation choices. One such location is:
C:\Program Files\Java\jre6\bin\splashscreen.dll
Renaming this file to splashscreen.dll.bak will prevent it from being loaded.
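The following PowerShell script is an added example, not part of the original advisory: it reports whether a Windows host is exposed (a .jnlp association in HKEY_CLASSES_ROOT, a loadable splashscreen.dll) and, with -Apply, applies both workarounds above. It assumes administrator rights and discovers JRE directories from the JavaSoft registry keys and the Program Files\Java tree; those discovery locations are assumptions, not taken from the advisory.

```powershell
# Added mitigation helper (not from the original advisory). Run elevated.
# Without -Apply it only reports; with -Apply it removes the .jnlp
# association (after exporting a backup) and renames splashscreen.dll.
param([switch]$Apply)

# Workaround 1: the .jnlp file association under HKEY_CLASSES_ROOT
$assocKey = 'Registry::HKEY_CLASSES_ROOT\.jnlp'
if (Test-Path $assocKey) {
    $progId = (Get-ItemProperty -Path $assocKey).'(default)'
    Write-Host "JNLP association present: .jnlp -> $progId"
    if ($Apply) {
        $backup = Join-Path $env:TEMP 'jnlp-assoc-backup.reg'
        reg export 'HKCR\.jnlp' $backup /y | Out-Null   # restorable copy
        Remove-Item -Path $assocKey -Recurse -Force
        Write-Host "Removed .jnlp association (backup: $backup)"
    }
} else {
    Write-Host 'No .jnlp association found'
}

# Workaround 2: splashscreen.dll in every JRE we can locate (assumed locations)
$candidates = @()
foreach ($root in 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
                  'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment') {
    if (Test-Path $root) {
        foreach ($ver in Get-ChildItem $root) {
            $javaHome = (Get-ItemProperty $ver.PSPath -ErrorAction SilentlyContinue).JavaHome
            if ($javaHome) { $candidates += Join-Path $javaHome 'bin\splashscreen.dll' }
        }
    }
}
foreach ($dir in 'C:\Program Files\Java', 'C:\Program Files (x86)\Java') {
    if (Test-Path $dir) {
        $candidates += Get-ChildItem $dir -Directory |
            ForEach-Object { Join-Path $_.FullName 'bin\splashscreen.dll' }
    }
}
foreach ($dll in ($candidates | Sort-Object -Unique)) {
    if (-not (Test-Path $dll)) { continue }
    Write-Host "Splash library present: $dll"
    if ($Apply) {
        # Rename rather than delete so the change is trivially reversible
        Rename-Item -Path $dll -NewName 'splashscreen.dll.bak'
        Write-Host 'Renamed to splashscreen.dll.bak'
    }
}
```

Re-running the script after -Apply should report no association and no splash library; restore with the exported .reg file and by renaming the .bak back if JWS functionality is needed.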
Disclosure Timeline:
02/18/2009 - Initial Contact
02/18/2009 - PoC Requested
02/19/2009 - PoC Sent
03/10/2009 - Disclosure Date Set
03/25/2009 - Coordinated Public Disclosure