High Risk Vulnerability in Java Web Start
July 3rd, 2007
John Heasman of NGSSoftware has discovered a high risk vulnerability
in Sun Microsystems' Java Web Start, which ships with the JRE and JDK
on Windows platforms.
The vulnerability affects the following versions of Java Web Start:
Java Web Start in JDK and JRE 5.0 Update 11 and earlier
Java Web Start in SDK and JRE 1.4.2_13 and earlier
This vulnerability permits an untrusted Java Web Start application to
overwrite any file that can be accessed under the application user context.
This ultimately enables an untrusted application to break out of the
sandbox by modifying the user’s Java security policy. An untrusted
application could be launched via a malicious web page.
Details
*******
The JNLP API defines a set of services that bypass the security sandbox
to enable some common client operations. The BasicService is used to
discover the application’s codebase. Then, the PersistenceService caches
content on the local hard drive, keyed to a URL that is relative to the
application’s base. The name/value pairs provided by the PersistenceService
are similar to browser cookies. The Java Web Start implementation honours
this legacy by naming the pairs “muffins”.
Arbitrary files can be written to due to a directory traversal flaw in the
PersistenceService.
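The PersistenceService keys each muffin to a URL relative to the application's codebase, so the cache must confine the resulting file path to that application's area. The following is an added model of such a containment check, written for this advisory and not taken from Sun's Java Web Start code; the cache root, hostnames and keys are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote, urljoin, urlsplit

# Assumed cache location for this model; Java Web Start's real layout is not on the page.
CACHE_ROOT = "/home/user/.java/muffins"


class MuffinPathError(ValueError):
    """A muffin key would escape the cache area reserved for its codebase."""


def muffin_cache_path(codebase: str, key: str, cache_root: str = CACHE_ROOT) -> str:
    """Map a PersistenceService key (a URL relative to the codebase, which must be
    a directory URL ending in '/') to a file under cache_root, rejecting keys whose
    resolved URL leaves the codebase host or directory or whose filesystem path
    leaves the cache root."""
    base = urlsplit(codebase)
    if base.scheme not in ("http", "https") or not base.netloc:
        raise MuffinPathError("codebase must be an absolute http(s) URL")
    target = urlsplit(urljoin(codebase, key))  # resolve the key like a browser would
    if (target.scheme, target.netloc) != (base.scheme, base.netloc):
        raise MuffinPathError("key resolves to a different host")
    # Decode percent-encoding before normalising so %2e%2e is seen as '..'.
    base_dir = posixpath.normpath(unquote(base.path) or "/")
    rel_path = posixpath.normpath(unquote(target.path))
    if "\\" in rel_path or "\x00" in rel_path:
        raise MuffinPathError("key contains characters that are unsafe in a path")
    prefix = base_dir.rstrip("/") + "/"
    if rel_path != base_dir and not rel_path.startswith(prefix):
        raise MuffinPathError("key resolves outside the codebase directory")
    # Second containment check on the final filesystem path, as defence in depth.
    path = posixpath.normpath(posixpath.join(cache_root, base.netloc, rel_path.lstrip("/")))
    if not path.startswith(posixpath.normpath(cache_root) + "/"):
        raise MuffinPathError("mapped path escapes the cache root")
    return path


def is_safe_muffin_key(codebase: str, key: str) -> bool:
    """True when the key maps to a file inside the codebase's cache area."""
    try:
        muffin_cache_path(codebase, key)
    except MuffinPathError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample keys: the first is a legitimate muffin, the rest are traversal attempts.
    for key in ("state/prefs.dat", "../../../../outside.txt", "%2e%2e/%2e%2e/outside.txt", "..\\..\\outside.txt"):
        print(f"{key!r:32} safe={is_safe_muffin_key('http://example.com/app/', key)}")
```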
Solution
********
This issue has now been resolved; further details are available at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102957-1
NGSSoftware Insight Security Research
http://www.ngssoftware.com
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070