Java Web Start Command-Line Injection (Apr 14, 2010)

A command-line injection vulnerability exists in Oracle’s (Sun’s) Java Web Start (aka JavaWS or javaws). JavaWS is a component of the Java 2 Runtime Environment (JRE). It facilitates the deployment of applications written in the Java programming language over a network.

Web Start applications do not run inside the browser. Instead, they run in the sandbox, which often has fewer restrictions. Information about a Web Start application is stored in a Java Network Launching Protocol (JNLP) file. When the JRE is installed, JNLP files are associated with JavaWS by default. Since Java 6 Update 10, Oracle has distributed NPAPI plug-ins and ActiveX controls, the Java Plugin and the Java Deployment Toolkit, to provide developers with a method of distributing their Java applications to end users.

The command-line injection vulnerability is due to insufficient input validation of JNLP network paths. When the Java Plugin or the Java Deployment Toolkit is used to launch a Web Start application, each verifies that the provided URL path points to a valid network resource (a URL that starts with “http:” or “https:” is sufficient) and then opens the JavaWS command-line utility. If the string -J is specified within a URL, the NPAPI plug-in or ActiveX control will incorrectly pass it as a command-line parameter to the JavaWS utility. In other words, a URL containing -J provides the ability to bypass restrictions and execute arbitrary Java code outside the confines of the Java security sandbox. An attacker could exploit the vulnerability by enticing the target user to open a crafted HTML page. Successful exploitation results in execution of arbitrary code within the security context of the logged-in user.
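The validation gap described above, shown as an added example (not code from Oracle, SonicWALL or this advisory): a prefix-only check beside a stricter one that accepts a JNLP location only when it is a single-token http(s) URL. The function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Whitespace, control characters and quotes can end one argument or start another.
_UNSAFE = re.compile(r"[\s\"'\x00-\x1f\x7f]")

# Constructed sample inputs (example.test is a reserved test domain).
SAMPLES = [
    "https://apps.example.test/demo.jnlp",
    "http://apps.example.test/demo.jnlp -J-Dexample=constructed",
    "http: -J-Dexample=constructed",
]


def prefix_only_check(url):
    """The check the advisory describes: an "http:"/"https:" prefix is sufficient."""
    return url.startswith(("http:", "https:"))


def option_tokens(url):
    """Tokens a launcher reads as options when the URL is pasted into one
    command-line string and split on whitespace."""
    return [tok for tok in url.split() if tok.startswith("-")]


def strict_check(url):
    """Accept only a single-token absolute http(s) URL that names a host."""
    if _UNSAFE.search(url):
        return False
    try:
        parts = urlsplit(url)
        return parts.scheme in ("http", "https") and bool(parts.hostname)
    except ValueError:  # malformed authority, e.g. an unbalanced IPv6 bracket
        return False


def launcher_argv(url, launcher="javaws"):
    """Build the argument vector with the URL as exactly one element."""
    if not strict_check(url):
        raise ValueError("rejected JNLP location: %r" % (url,))
    return [launcher, url]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), prefix_only_check(sample),
              strict_check(sample), option_tokens(sample))
```

On Windows a child process receives one command-line string rather than a vector, so rejecting whitespace and quotes before launch matters even when the caller builds the arguments as a list.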

SonicWALL has released several IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 5026 Sun Java jnlp Command Injection Attempt 1
  • 5027 Sun Java jnlp Command Injection Attempt 2
  • 5031 Sun Java jnlp Command Injection Attempt 3
  • 5036 Sun Java jnlp Command Injection Attempt 4
  • 5086 Sun Java jnlp Command Injection Attempt 5
  • 5091 Sun Java jnlp Command Injection Attempt 6
  • 5093 Sun Java jnlp Command Injection Attempt 7