[Full-disclosure] [TZO-12-2009] SUN / Oracle JVM Remote code execution
Thierry at Zoller.lu
Wed Apr 22 14:34:03 BST 2009
SUN/ORACLE JAVA VM Remote code execution
Release mode: Coordinated.
Ref : TZO-122009- SUN Java remote code execution
WWW : http://blog.zoller.lu/2009/04/sunoracle-java-vm-remote-code-execution.html
Vendor : http://www.sun.com
Disclosure Policy :
- JVM Version 6 Update 1
- JVM Version 6 Update 2
Dictionary.com : "The Java Virtual Machine (JVM) is software that converts
the Java intermediate language (bytecode) into machine language and executes it.
The original JVM came from the JavaSoft division of Sun. Subsequently,
other vendors developed their own; for example, the Microsoft Virtual
Machine is Microsoft's Java interpreter. A JVM is incorporated into
a Web browser in order to execute Java applets. A JVM is also installed in a
Web server to execute server-side Java programs. A JVM can also be installed
in a client machine to run stand-alone Java applications."
Please understand that no details will be given, too many bad guys
would use it for drive-by attacks. At this point in time (old +
fixed) there is really no need to.
Memory corruption due to a write attempt to a user controlable offset.
i.e exploitable. The Java VM is reachable through every major browser.
IV. Disclosure timeline
19/11/2008 : Send proof of concept, description to Microsoft (sic),
as bug was triggered through IE.
20/11/2008 : Microsoft asks for clarification
21/11/2008 : Clarification sent.
12/12/2008 : Microsoft replicated the memory corruption in Version 6
update 1 and recommends getting in contact with SUN
12/12/2008 : Send proof of concept and description to SUN
16/12/2008 : Sun acknwoledges receipt. PGP keys are exchanged.
13/01/2009 : Asked for update from SUN
17/01/2009 : Asked for update and indicate this is the last request
prior to release if no answer is given.
12/03/2009 : SUN asks for more specific details
12/03/2009 : Details given
24/04/2009 : Notify SUN that I am drafting the advisory and would
require feedback and details
24/04/2009 : SUN asks for a copy of the advisory and explains the
engineering team is still working on the case
07/04/2009 : Asks SUN for an update
08/04/2009 : Sun responds that the team is still working on the case
20/04/2009 : Asking for an update and details
20/04/2009 : SUN responds that the engineers could not reproduce in
Update 11 and 12
20/04/2009 : I test the new updates and can no longer reproduce the
22/04/2009 : Release of this advisory
Full-Disclosure is hosted and sponsored by Secunia.