Java Deployment Toolkit insufficient argument validation

Overview

The Sun Java Deployment Toolkit plugin and ActiveX control perform insufficient argument validation, allowing an attacker to perform several attacks, including the execution of an arbitrary JAR file.

Description

The Sun Java Deployment Toolkit contains an NPAPI (Netscape compatible) plugin and an ActiveX control which are installed in the end user’s browser(s). The toolkit contains a launch() method which can be used to pass a Java Networking Launching Protocol (JNLP) URL to the registered handler for JNPL files. On Windows systems, the default handler is the Java Web Start utility, javaws.exe.

As detailed here, because the launch() method performs insufficient argument validation of the URL, arbitrary arguments can be passed to javaws.exe. This includes the ‘-J’ option, which can allow an attacker to execute a remote JAR file. The code in the JAR file will execute with elevated Java privileges, which is equivalent to the execution of arbitrary code.

---

Impact

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.

---

Solution

Apply an update
This issue is addressed in Java 1.6.0_20. Please see the release notes for more details. This update provides new versions of the Java Deployment Toolkit ActiveX control and plug-in. The update also sets the kill bit for the vulnerable version of the ActiveX control.

**Note:**The installer for Java 1.6.0_20 may not correctly update all instances of the Java Deployment Toolkit plugin. In some cases, the plugin that resides in the \bin\ew_plugin directory may not be updated to the fixed 6.0.200.2 version of npdeployJava1.dll. If the new_plugin directory contains npdeploytk.dll version 6.0.190.4 or earlier, then browsers that use plug-ins, such as Mozilla Firefox or Google Chrome, may still be vulnerable. To correct this situation, delete the vulnerable npdeploytk.dll from the new_plugin directory and replace it with the npdeployJava1.dll version from the bin directory.

---

Please note that the Java Development Toolkit can be installed in multiple browsers, therefore workarounds need to be applied to all browsers with the Java Development Toolkit.

Internet Explorer Disable the Java Deployment Toolkit ActiveX control in Internet Explorer
The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

{``CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA``}
More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{``CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA``}]
"Compatibility Flags"=dword:00000400

Disable ActiveX
Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Instructions for disabling ActiveX in the Internet Zone can be found in the “Securing Your Web Browser” document.

Mozilla Firefox

Prevent access to npdeploytk.dll
Use Access Control Lists (ACLs) to prevent access to npdeploytk.dll. Please note that based the plugin.scan.SunJRE setting, Firefox will not only scan the Firefox ‘plugin’ directory for plugins, it will search additional directories based on the user’s installation of Java. Ensure that ACLs apply to all instances of npdeploytk.dll within Firefox’s search path. Please refer to this mozillazine article for more information.

Disable Java Deployment Toolkit Plugin
In Mozilla Firefox, select Tools-> Add-ons, click the Plugins icon, then select ‘Java Deployment Toolkit’, then ‘Disable’. Please note that if Java is updated or reinstalled, the plugin may be reenabled.

---

Vendor Information

886582

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Sun Microsystems, Inc. __ Affected

Updated: April 19, 2010

Statement Date: April 15, 2010

Status

Affected

Vendor Statement

Oracle has released the following Security Alert: <http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html> which provides more details about the fixes for these issues.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is addressed in Java 1.6.0_20. Please see the release notes for more details. This update provides new versions of the Java Deployment Toolkit ActiveX control and plug-in. The update also sets the kill bit for the vulnerable version of the ActiveX control.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23886582 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://java.sun.com/javase/6/webnotes/6u20.html&gt;
• <http://lists.grok.org.uk/pipermail/full-disclosure/2010-April/074036.html&gt;
• <http://kb.mozillazine.org/Plugin_scanning&gt;

Acknowledgements

This report is based on research by Tavis Ormandy.

This document was written by David Warren.

Other Information

CVE IDs:	None
Date Public:	2010-04-09 Date First Published: