-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Sun Java: Buffer Overflow in "Main-Class" manifest entry
========================================================

Advisory:           SM_Java-BO_200811
Revision:           1.0
Release Date:       2008-12-04
Last Modified:      2008-12-04
Author:             Stefan Middendorf (sm alpha-tango ximido.de)
Affected Software:  JDK and JRE 6 Update 10 and earlier
                    JDK and JRE 5.0 Update 16 and earlier
                    SDK and JRE 1.4.2_18 and earlier
                    In each case Windows, Linux and Solaris are affected.
Vendor Status:      Vendor has released a patch


Vulnerability details
=====================

A buffer overflow exists in the part of the Java interpreter which handles
the manifest of JAR files. When parsing the manifest, the length of the
"Main-Class" manifest entry is not properly checked. This entry is used for
specifying the name of the class whose main() method is executed when the
executable JAR file is run. Executable JAR files can be started with the
-jar command line option:

  > java -jar Demo.jar

It is possible to execute malicious code by assigning an overlong value to
the "Main-Class" entry which contains instruction opcodes.

On Windows, there is also a browser-based attack scenario. If an attacker
puts a malicious JAR file on a web server and gets a victim using Internet
Explorer to click on a link to this archive, the browser asks the user
whether to save or open the file. If the user clicks "Open", the JAR file
gets automatically executed by javaw.exe. This auto execution is based on a
file extension handler which is created by the JRE/SDK installer. It
registers javaw.exe as handler application for .jar files. So this attack
vector does not require the user to run the archive manually from the
command line.

Note: This browser-based attack vector does not target the Java Plug-In
which runs in the browser's context. Rather, the javaw.exe process which is
started as a subprocess of Internet Explorer is attacked.


Technical description
=====================

The vulnerability is a stack-based buffer overflow and is triggered by
putting an overlong value into the "Main-Class" entry of a JAR file's
manifest and then having java or javaw execute this JAR file with the -jar
option.

The problem is based on a strcat call which copies the contents of the
"Main-Class" manifest entry into a local variable. The following lines are
taken from jdk/src/share/bin/java.c in OpenJDK 6 (available from
http://www.openjdk.org/):

      if (info.main_class != NULL)
  >>      (void)strcat(env_entry, info.main_class);

info.main_class is filled with the "Main-Class" entry of the manifest. Upon
parsing the manifest, the contents and the length of info.main_class are
not checked. The buffer overflow occurs because env_entry is defined as:

      char env_entry[MAXNAMELEN + 24] = ENV_ENTRY "=";

MAXNAMELEN in turn is defined in platform dependent files:

      #define MAXNAMELEN PATH_MAX      jdk/src/solaris/bin/java_md.h
      #define MAXNAMELEN MAX_PATH      jdk/src/windows/bin/java_md.h

Windows' MAX_PATH is 260, Solaris' PATH_MAX is 1024 and Linux' PATH_MAX is
4096 characters. So by preparing a JAR file which contains a manifest with
an overlong "Main-Class" entry (i.e. one which exceeds the aforementioned
limits) the variable env_entry gets overflowed.


Solution
========

The issue is fixed by vendor patches for JRE/JDK/SDK 1.4, 5 and 6. See the
"Resolution" section of the vendor's advisory ([1]).


History
=======

2008-08-04  Initial notification of Sun
2008-09-08  Sun confirmed vulnerability
2008-11-25  Sun informed about details on public disclosure
2008-12-03  Sun releases patches and advisory
2008-12-04  Release of author's advisory

Duration between initial notification and patch release: 122 days


Changelog
=========

Rev. 1.0   2008-12-04  Initial public release


References
==========

[1] Sun's Advisory
    http://sunsolve.sun.com/search/document.do?assetkey=1-66-244990-1


Disclaimer
==========

The information provided in this advisory is provided AS IS, without a
warranty of any kind, either express or implied, including the warranties
of merchantability and fitness for a particular purpose. In no event shall
the author be liable for any direct or indirect damages whatsoever arising
out of or in connection with the use or distribution of this information.
Any use of this information is at the user's own risk. This advisory may
change without notice.


PGP Signature Key
=================

http://www.ximido.de/about/sm.asc


Copyright (c) 2008 Stefan Middendorf. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Charset: utf-8

wsBVAwUBSTg6clDSSixhMoK7AQjoXwf/Uu5nXsdFNGF9iMP5+IHHIZBtjM9L5h4s
PHidlJTAGgomd6rzXpsuvuU3sKifHkZGbs4nrFvHqb7BBk0haZjeUhbbR8hHKy4t
Bo7I55L8aHDJHpBaDf5JUq7ff8JzkDUGr2/v5kp+tGeBY9FMkBgizt2l29wjWUG8
v3mibTG/iT6w0Z0NCdCLgfX2nH1OKzeFpr+wF5xkHncGanqIZzTHQykaEiOXUWBs
0xepv2JaqpdO96yh+tAFzTsViR8ZNxu4WgFO4O8YQWPtjD1rKTXDMSc7z/tlM5kq
K+E+lz9vWc+ErS3Fxau0Xu+Q+CY28eTrUkNoikH2OrTVbLHAE/cXGw==
=SeE9
-----END PGP SIGNATURE-----
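The "Technical description" section of the advisory pins the defect to one unchecked strcat of the manifest's "Main-Class" value into the fixed stack buffer char env_entry[MAXNAMELEN + 24]. The program below is an added example written for this page; it is not code from the advisory or from OpenJDK. It places the vulnerable shape next to a bounded version and adds a small manifest checker that rejects an overlong "Main-Class" value before any copy happens, which is the check the launcher was missing. Assumptions: MAXNAMELEN is set to 260 (the Windows MAX_PATH value the advisory gives), the ENV_ENTRY name "JAVA_MAIN_CLASS" is a placeholder because the advisory does not show the real macro value, and the manifest parser is a deliberate simplification that ignores the JAR format's 72-byte line continuation. The function names (build_env_entry_checked, manifest_main_class, check_manifest) are hypothetical and the manifest text is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the advisory or from OpenJDK. It reproduces
 * the buffer layout the advisory quotes, char env_entry[MAXNAMELEN + 24],
 * with assumed values for MAXNAMELEN and ENV_ENTRY so that it runs alone. */
#define MAXNAMELEN 260                    /* assumed: Windows MAX_PATH, as the advisory states */
#define ENV_ENTRY  "JAVA_MAIN_CLASS"      /* assumed placeholder; the real macro value is not in the advisory */
#define ENV_ENTRY_SIZE (MAXNAMELEN + 24)  /* the env_entry size the advisory quotes */

/* Vulnerable shape described in the advisory: strcat appends manifest data
 * (attacker controlled) to a fixed-size buffer with no length check, so any
 * Main-Class longer than the remaining space overwrites the stack.
 * Kept for contrast only; nothing in this file calls it. */
void build_env_entry_unchecked(char env_entry[ENV_ENTRY_SIZE], const char *main_class)
{
    strcpy(env_entry, ENV_ENTRY "=");
    strcat(env_entry, main_class);        /* no bound: this is the defect */
}

/* Hardened form: compute the remaining space first, refuse values that do not
 * fit, then copy with an explicit length. Returns 0 on success, -1 on reject. */
int build_env_entry_checked(char env_entry[ENV_ENTRY_SIZE], const char *main_class)
{
    const size_t prefix_len = sizeof(ENV_ENTRY "=") - 1;
    const size_t class_len = strlen(main_class);

    if (class_len > ENV_ENTRY_SIZE - 1 - prefix_len)  /* keep room for the NUL */
        return -1;
    memcpy(env_entry, ENV_ENTRY "=", prefix_len);
    memcpy(env_entry + prefix_len, main_class, class_len + 1);  /* copies the NUL too */
    return 0;
}

/* Extract the value of the "Main-Class:" line from manifest text into out.
 * Returns 1 when found and copied, 0 when absent, -1 when the value is too
 * long for out. Simplification (assumption): lines end in "\r\n" or "\n";
 * the JAR format's 72-byte line continuation is not handled. */
int manifest_main_class(const char *manifest, char *out, size_t out_size)
{
    static const char key[] = "Main-Class:";
    const size_t key_len = sizeof(key) - 1;
    const char *line = manifest;

    while (*line != '\0') {
        const char *eol = strpbrk(line, "\r\n");
        size_t line_len = eol ? (size_t)(eol - line) : strlen(line);

        if (line_len >= key_len && strncmp(line, key, key_len) == 0) {
            const char *val = line + key_len;
            size_t val_len = line_len - key_len;

            while (val_len > 0 && *val == ' ') { val++; val_len--; }   /* trim leading blanks */
            while (val_len > 0 && val[val_len - 1] == ' ') val_len--;  /* trim trailing blanks */
            if (val_len >= out_size)
                return -1;                /* overlong: reject before copying anything */
            memcpy(out, val, val_len);
            out[val_len] = '\0';
            return 1;
        }
        if (eol == NULL)
            break;
        line = eol;
        while (*line == '\r' || *line == '\n')
            line++;
    }
    return 0;
}

static char g_env_entry[ENV_ENTRY_SIZE];

/* Validate a manifest the way a hardened launcher would: parse the Main-Class
 * value, then build the environment entry only if it fits. Returns 1 if the
 * entry was built (read it with checked_env_entry()), 0 if there is no
 * Main-Class, -1 if the value was overlong and rejected. */
int check_manifest(const char *manifest)
{
    char main_class[ENV_ENTRY_SIZE];
    int rc = manifest_main_class(manifest, main_class, sizeof main_class);

    if (rc != 1)
        return rc;
    return build_env_entry_checked(g_env_entry, main_class) == 0 ? 1 : -1;
}

const char *checked_env_entry(void)
{
    return g_env_entry;
}

/* Constructed test input: a manifest whose Main-Class value is class_len
 * copies of 'A' (capped at 512 so the static buffer always fits). */
const char *constructed_manifest(size_t class_len)
{
    static char buf[640];
    const char head[] = "Manifest-Version: 1.0\r\nMain-Class: ";
    const size_t head_len = sizeof(head) - 1;

    if (class_len > 512)
        class_len = 512;
    memcpy(buf, head, head_len);
    memset(buf + head_len, 'A', class_len);
    memcpy(buf + head_len + class_len, "\r\n", 3);  /* includes the NUL */
    return buf;
}

int main(void)
{
    /* Longest value that still fits: ENV_ENTRY_SIZE - 1 - strlen("JAVA_MAIN_CLASS=") = 267 */
    printf("demo   -> %d (%s)\n",
           check_manifest("Manifest-Version: 1.0\r\nMain-Class: com.example.Demo\r\n"),
           checked_env_entry());
    printf("267 As -> %d\n", check_manifest(constructed_manifest(267)));
    printf("268 As -> %d (rejected by the bounded copy)\n", check_manifest(constructed_manifest(268)));
    printf("300 As -> %d (rejected by the parser's own bound)\n", check_manifest(constructed_manifest(300)));
    return 0;
}
```

The two rejection points are deliberate: the parser refuses a value that cannot fit its own output buffer, and build_env_entry_checked refuses one that fits the parser but not the remaining space after the ENV_ENTRY prefix. Either check alone would have prevented the overflow the advisory describes; the real fix from the vendor is the patch referenced in the "Solution" section, not this example.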