Java vulnerability demonstrates file planting
Researchers at ACROS Security have shown how the current Java Runtime Environment (JRE) can be coerced into running an executable in the current directory. They offer it up as an example of "file planting", a more general version of binary planting seen last year as Windows applications were found to be loading DLLs from unsafe sources.
ACROS shows that when the JRE starts running, it loads a file .hotspotrc from the current directory. This file is part of a scheme to allow control over memory and other factors when running a particular application. One option allowed in the file is OnOutOfMemoryError, which can name a program to be executed when memory runs out. The researchers set this to run a notional "malicious.exe" program and then created a test applet which exhausted memory and a Test.html file which would bring up the test applet. All the files were placed in one directory, and upon browsing the Test.html file, the applet would consume memory, trigger an OutOfMemoryError and the JRE would then run CreateProcess and launch "malicious.exe".
It is possible to launch this process from a file on a mounted WebDAV share, but it appears to rely on the current working directory being set to the directory where the .hotspotrc resides; the example given launches Safari on Windows by double-clicking the Test.html file in its directory, where Windows Explorer then sets the current working directory, but an already launched browser would have that set to another location.
This would imply that the user would not only have to have mounted an untrustworthy WebDAV share, but would also have to navigate to the appropriate directory to launch the HTML file from Windows Explorer. It's not impossible that a skilled social engineer could arrange that, but it does make the attack difficult to launch and, as security researcher Dan Kaminsky points out, if the user is already double-clicking files in Windows Explorer, then all that is really needed is for "malicious.exe" to be masquerading as an HTML file for a much quicker and simpler route to compromising the user's system.
The researchers suggest that Oracle should stop loading the .hotspotrc file from the current working directory, but admit this may break some applications. Failing that, they suggest not loading the file when the JRE is invoked from a web browser. But given the complexity of staging the attack, Oracle may conclude that the engineering required is not justifiable.