Java Runtime Environment JAR manifest Main Class buffer overflow

2009-02-26T00:00:00
ID SAINT:B4CAF588AC82ECC016E97DC29FA6C472
Type saint
Reporter SAINT Corporation
Modified 2009-02-26T00:00:00

Description

Added: 02/26/2009
CVE: CVE-2008-5354
BID: 32608
OSVDB: 50499

Background

Java Runtime Environment (JRE) allows end users to run Java applications.

Problem

A buffer overflow vulnerability in JRE allows command execution when a user opens a JAR archive containing a manifest file with a specially crafted Main Class entry.

Resolution

Apply the patch referenced in Sun document 244990.

References

<http://www.us-cert.gov/cas/techalerts/TA08-340A.html>

Limitations

Exploit works on Java Runtime Environment 1.6 Update 10 and requires a user to open the exploit file.

Execution of this exploit requires the Digest::CRC PERL module. On Linux systems this is typically found in a package named such as libdigest-crc-perl or perl-Digest-CRC.

Platforms

Windows 2000
Windows XP