Monday, April 20, 2009

Client side code execution via JNLP files

As you may know, I'm a kind of Java enthusiast. This is especially true when a Java technology overlaps with web security.
I was actually testing a software based on Java Web Start when I've realized how practical (and dangerous) may be this technology. The overall idea of Java Web Start is to deploy and execute Java standalone client, directly from the Internet using a web browser. Unlike Java Applets, Web Start applications do not have all the limitations enforced by the sandbox.

Specifically I was testing Eye of the Storm, a network management software composed by several server side components as well as a nice Web Start application. A CGI program /EOS/cgi/EYELauncher generates personalized JNLP files so that Java Web Start can invoke a standalone Java application with the proper parameters and configuration.
Besides other usual issues, I've discovered a way to trigger client side code execution via a tampered JNLP file. Thinking about a real-world attack scenario, an aggressor could convince a user to follow a malicious link which abuse the online CGI in order to generate malicious JNLP files. Since the CGI does not properly filter the input, it is possible to pollute the JNLP file content.

A simple GET request, as the following
http:///EOS/cgi/EYELauncher?%2d%2d%75%73%65%72%3d%61%61%61%3b%2d%2d%68%6f%73%74%3d%61%61%61%3b%2d%2d%68%74%74%70 %50%72%6f%74%6f%63%6f%6c%3d%66%69%6c%65%3a%2f%2f%2f%43%3a%5c%5c%57%49%4e%4e%54%5c%5c%73%79%73%74%65%6d%33%32%5c%5c%63 %6d%64%2e%65%78%65%3f
will cause the inclusion of user-supplied parameters in com.entuity.eos.client.startup.EYELauncher.main(String args[]).

In particular circumstances, the application may invoke the executeEYEClient(String, String, String, String, String) method, which can be used to exploit a vulnerable com.entuity.util.BrowserLauncher.openURL(String) method executing the well-known Runtime.getRuntime().exec()call.
The execution of the vulnerable method is triggered by an exception while the Main method runs. EYELauncher handles this specific exception by requesting a new JNLP file from the server, using the insecure "openURL" call.

To locally test the vulnerability, just use the following code:
import com.entuity.eos.client.startup.EYELauncher;

public class EOTS_poc1 {
public static void main(String[] args) {
String arguments[]={"--user=aaa","--host=aaa","--httpProtocol=file:///C:\\WINNT\\system32\\cmd.exe?"};
EYELauncher.main(arguments);
}}
Unfortunately, I was not able to find a reliable way to trigger the exception, thus the exploitability of this finding is likely low. However, at least in my humble opinion, it is a nice demonstration of one-click code execution.

In addition to the usual stuff (XSS, ActiveX exploits and so on), let's not forget about Java Web Start as well.

1 comment: