
Issue 86526 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2011
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 0
Type: Bug-Security

Restricted
  • Only users with Commit permission may comment.




Arbitrary Code Execution on Windows in Java Deployment Toolkit plugin (npdeployJava1.dll)

Reported by n...@nealpoole.com, Jun 17 2011

Issue description

VULNERABILITY DETAILS
I'm writing to report an arbitrary code execution vulnerability in the Java Deployment Toolkit Plugin.

The details are as follows:
- The plugin allows JavaScript in the browser to trigger an installation by calling an installLatestJRE() method. It appears that for this exploit to work in Chrome, the targeted user must select "Always run on this site" when prompted about running Java.
- When a call to installLatestJRE() is made, the plugin makes a request to java.sun.com over HTTP to fetch the installer, which is an EXE.
- In Internet Explorer, the plugin appears to validate the signature on the file itself, which limits what files can be executed. It displays an error message when it does not detect a valid signature.
- In Chrome, however, the downloaded EXE appears to be run without any signature validation. If UAC is disabled, unsigned executables and executables signed by other companies are run without prompt. If it's enabled, the user is prompted to run an executable named JREInstallVERSION.exe (i.e., JREInstall160_24.exe).
- As a result, a malicious attacker can cause a user to download and execute an arbitrary executable under certain conditions (the attacker must be able to cause the user's browser to execute JavaScript, and the attacker must be able to substitute their own executable for the Java installer: this requires an attacker on the same network with some degree of control over DNS and/or actual web traffic).

Oracle has told me that they aim to release a fixed version of the plugin in the October Critical Patch Update for Java.

VERSION
Chrome Version: 12.0.742.100 stable
Operating System: Windows 7 SP1 32-bit
Java Plugin Name: NPRuntime Script Plug-in Library for Java(TM) Deploy
Java Plugin Version: 6.0.240.7

REPRODUCTION CASE
First, install Java. ;-)

To replicate this easily in a test environment, you can manually set the IP for java.sun.com in your HOSTS file so that it points to a local webserver. You can then configure that webserver so that a request to http://java.sun.com/webapps/download/AutoDL serves up an executable.

I have a demonstration set up at 173.255.227.177 which serves up an installer for Notepad++. You can trigger it by adding the following line to your HOSTS file:
173.255.227.177    java.sun.com
and browsing to the following URL, which triggers a call to installLatestJRE():
http://nealpoole.com/poc/f565016a6543a455d191a863a0d61d30.html
When prompted to run Java, select "Always run on this site"
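The report's core defect is that the Chrome code path runs a downloaded installer without checking its Authenticode signature, and its test setup shows how cheaply the download host can be redirected through the HOSTS file when the fetch is plain HTTP. The following PowerShell is an added example written for this page, not code from the reporter, Oracle, or Chromium: it gates execution of a downloaded installer on a valid signature from an expected publisher (the check the report says IE performs and Chrome's plugin path skips), and it lists any HOSTS entries that override the vendor download host. The publisher string "Oracle" and the sample file name are assumptions for illustration; the HOSTS path is the standard Windows location.

```powershell
# Added example (not from the bug report): the signature gate the Chrome
# code path of the Deployment Toolkit is described as missing, plus a check
# for HOSTS-file overrides of the download host used in the reproduction.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer's certificate subject.
        # "Oracle" is an assumption for illustration, not taken from the report.
        [string] $ExpectedPublisher = 'Oracle'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = 'file not found' }
    }
    # Get-AuthenticodeSignature returns Status values such as Valid,
    # NotSigned, HashMismatch or UnknownError; only Valid is acceptable.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = "signature status: $($sig.Status)" }
    }
    # A valid signature from the wrong company is still the case the report
    # describes ("executables signed by other companies"), so pin the signer.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch [regex]::Escape($ExpectedPublisher)) {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = "unexpected signer: $subject" }
    }
    return [pscustomobject]@{ Path = $Path; Allowed = $true; Reason = "signed by $subject" }
}

function Test-HostsOverride {
    param(
        # Hosts whose resolution should never come from the local HOSTS file.
        [string[]] $Hosts = @('java.sun.com'),
        [string] $HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    Get-Content -LiteralPath $HostsFile | ForEach-Object {
        # Drop comments and blank lines, then split "<ip> <name> [<name>...]".
        $line = ($_ -split '#')[0].Trim()
        if (-not $line) { return }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { return }
        $ip = $fields[0]
        $names = $fields[1..($fields.Count - 1)]
        foreach ($h in $Hosts) {
            if ($names -contains $h) {
                [pscustomobject]@{ Host = $h; ResolvesTo = $ip; Line = $line }
            }
        }
    }
}

# Usage (file name is the pattern the report gives, path is a placeholder):
Test-HostsOverride
Test-InstallerSignature -Path "$env:TEMP\JREInstall160_24.exe"
```

Any row returned by Test-HostsOverride means the vendor host is being answered locally rather than by DNS, which is exactly the condition the reproduction case creates and which a network-position attacker can create without touching the HOSTS file when the download is over HTTP. Test-InstallerSignature only decides whether to run the file; note that a signature check does not by itself protect against a validly signed but attacker-chosen binary unless the signer is pinned, which is why the function compares the subject as well as the status.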
 
Cc: jeffreyc@chromium.org tmc...@chromium.org
Status: WontFix
Wow, that's a nasty bug.
Any idea why Oracle are waiting until October to fix this? Seems like a lackluster response.

This is a textbook case for why the Chrome infobar for risky plug-ins is a very useful feature.

I'm going to mark this WontFix for lack of a better status, since it sounds like the bug is fully inside the NPAPI Java Deployment Toolkit module?

Thanks for giving us a heads up.

Comment 2 by n...@nealpoole.com, Jun 17 2011

> Any idea why Oracle are waiting until October to fix this? Seems like a lackluster response.
The bug was originally reported to them at the end of February. There were some issues replicating the finding which took until mid-March to resolve. I'm not sure why a fix didn't make it into their June release.

> I'm going to mark this WontFix for lack of a better status, since it sounds like the bug is fully inside the NPAPI Java Deployment Toolkit module?
Correct.

Actually, I only realized today that Chrome on Windows even had the Deployment Toolkit plugin. I first identified the issue in Firefox, where it's potentially more serious since Java executes automatically. I filed a bug with Mozilla when I originally made the report in case they wanted to add the Deployment Toolkit plugin to their blocklist (It wouldn't be the first time either: https://bugzilla.mozilla.org/show_bug.cgi?id=558584). When I realized that Chrome users could have the same vulnerable plugin loaded, I figured I should file a bug here as well. :-)

Comment 3 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
Owner: ----
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 4 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security Type-Bug-Security

Comment 5 by bugdroid1@chromium.org, Mar 11 2013

Labels: -Area-Undefined

Comment 6 by bugdroid1@chromium.org, Mar 13 2013

Labels: Restrict-View-EditIssue

Comment 7 by laforge@google.com, Jul 24 2013

Cc: -jeffreyc@chromium.org

Comment 8 by jsc...@chromium.org, Nov 18 2013

Labels: -Restrict-View-SecurityTeam
Bulk release of old security bug reports.


Comment 9 by ClusterFuzz, Feb 6 2014

Labels: -Restrict-View-EditIssue
Bulk update: removing view restriction from closed bugs.
Labels: allpublic
