[TZO-12-2009] SUN / Oracle JVM Remote code execution

To: NTBUGTRAQ <NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx>, bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>, <info@xxxxxxxxxxxxx>, <vuln@xxxxxxxxxxx>, <cert@xxxxxxxx>, <nvd@xxxxxxxx>, <cve@xxxxxxxxx>
Subject: [TZO-12-2009] SUN / Oracle JVM Remote code execution
From: Thierry Zoller <Thierry@xxxxxxxxx>
Date: Wed, 22 Apr 2009 15:34:03 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Resent-cc: recipient list not shown: ;
Resent-date: Wed, 22 Apr 2009 07:34:47 -0600
Resent-from: Thierry Zoller <Thierry@xxxxxxxxx>
Resent-message-id: <200904221334.n3MDYke0025464@xxxxxxxxxxxxxxxxxxxxx>

______________________________________________________________________

              SUN/ORACLE JAVA VM Remote code execution 
______________________________________________________________________

Release mode: Coordinated.
Ref         : TZO-122009- SUN Java remote code execution
WWW         : 
http://blog.zoller.lu/2009/04/sunoracle-java-vm-remote-code-execution.html
Vendor          : http://www.sun.com
Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html


Affected Products:
- JVM Version 6 Update 1
- JVM Version 6 Update 2

I. Background
~~~~~~~~~~~~~
Dictionary.com : "The Java Virtual Machine (JVM) is software that converts 
the Java intermediate language (bytecode) into machine language and executes it.
The original JVM came from the JavaSoft division of Sun. Subsequently,
other vendors developed their own; for example, the Microsoft Virtual 
Machine is Microsoft's Java interpreter. A JVM is incorporated into 
a Web browser in order to execute Java applets. A JVM is also installed in a 
Web server to execute server-side Java programs. A JVM can also be installed 
in a client machine to run stand-alone Java applications."

II. Description
~~~~~~~~~~~~~~~
Please understand that no details will be given, too many bad guys
would use it for drive-by attacks. At this point in time (old + 
fixed) there is really no need to.


III. Impact
~~~~~~~~~~~
Memory corruption due to a write attempt to a user controlable offset.
i.e exploitable. The Java VM is reachable through every major browser.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~

19/11/2008 : Send proof of concept, description to Microsoft (sic), 
             as bug was triggered through IE. 

20/11/2008 : Microsoft asks for clarification 

21/11/2008 : Clarification sent.
             
12/12/2008 : Microsoft replicated the memory corruption in Version 6
             update 1 and recommends getting in contact with SUN         
             
12/12/2008 : Send proof of concept and description to SUN

16/12/2008 : Sun acknwoledges receipt. PGP keys are exchanged.

13/01/2009 : Asked for update from SUN

17/01/2009 : Asked for update and indicate this is the last request 
             prior to release if no answer is given.
             
12/03/2009 : SUN asks for more specific details

12/03/2009 : Details given

24/04/2009 : Notify SUN that I am drafting the advisory and would
             require feedback and details

24/04/2009 : SUN asks for a copy of the advisory and explains the 
             engineering team is still working on the case

07/04/2009 : Asks SUN for an update

08/04/2009 : Sun responds that the team is still working on the case

20/04/2009 : Asking for an update and details

20/04/2009 : SUN responds that the engineers could not reproduce in 
             Update 11 and 12

20/04/2009 : I test the new updates and can no longer reproduce the 
             issue

22/04/2009 : Release of this advisory

Prev by Date: SAP Cfolders Multiple Stored XSS Vulnerabilies
Next by Date: [Bkis-07-2009] 010 Editor Multiple Buffer Overflow Vulnerabilities
Previous by thread: SAP Cfolders Multiple Stored XSS Vulnerabilies
Next by thread: [Bkis-07-2009] 010 Editor Multiple Buffer Overflow Vulnerabilities
Index(es):
- Date
- Thread