RFC: Netx - Support VM arguments specified in the JNLP file

Deepak Bhole dbhole at redhat.com
Mon Jun 8 15:56:21 PDT 2009


* Omair Majid <omajid at redhat.com> [2009-06-05 15:20]:

I can create an exploit with this patch

== BEGIN ==

1. Unzip the attached zip file in a location accessible via a web server
Note: You *must* copy it to a server accessible location since the attack 
relies on cache, which kicks in only when loading via a server.

2. Edit exploit-poc.jnlp and replace instances of "http://example.org/"
with http://<server>/<path where you unzipped the file>/

3. Clear your cache files (/tmp/cache and ~/.icedteaplugin/cache)

4. Run:
javaws http://<server>/<path where you unzipped the file>/test.jnlp

This will throw an access exception:
java.security.AccessControlException: access denied
(java.util.PropertyPermission user.home read)

5. Now edit exploit-poc.jnlp and change the resource element from:
<j2se version="1.4+"/>

to:

<j2se version="1.4+" java-vm-args="-jar $LOCATION/Exploit.jar Exploit"/>

where "$LOCATION" is the location where exploit.jar is cached. Older 
versions cached it in /tmp/cache/<protocol>/<address>/path/jarname 
while the newer ones do it in ~/.icedteaplugin/cache/.../ . If you are
unsure, just run 'find ~/.icedteaplugin/ /tmp/cache/ -name Exploit.jar'

6. Save exploit-poc.jnlp and re-load it via javaws

You will see a list of items in your home directory. This implies that
the unsigned code is running with full privileges.

== END ==

You can fix this by adding a check for -jar like others, but rather than
excluding specific items, it would be better to check for allowed
items. java-vm-args accepts only certain args:

http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/syntax.html

(scroll to resources element).

This covers any future arguments that might get added to java that allow
classpath specification.

Cheers,
Deepak
-------------- next part --------------
A non-text attachment was scrubbed...
Name: netx-jnlpvmargs-exploit-poc.zip
Type: application/zip
Size: 3084 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20090608/ae5fbc1f/netx-jnlpvmargs-exploit-poc.zip 
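As an added example (not code from this post, from the patch under review, or from Netx itself), here is the allowlist check proposed above written as a stand-alone Java class: every argument in java-vm-args must match a known flag, so -jar, -cp, -javaagent and any classpath-style option added to the JVM later are rejected without being named. The flags it hard-codes are my assumed subset of the java-vm-args list on the linked syntax page, not the full list, and the cache path in the sample input is constructed for the demonstration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Allowlist validator for the java-vm-args attribute of a JNLP <j2se> element.
 * Added example, not Netx code. The allowlist below is an ASSUMED subset of the
 * arguments the JNLP developer guide permits; take the full list from that page.
 */
public final class JvmArgsValidator {

    /** Flags that must match exactly and take no value (assumed subset). */
    private static final Set<String> EXACT_FLAGS = Collections.unmodifiableSet(
        new HashSet<String>(Arrays.asList(
            "-d32", "-client", "-server", "-verbose", "-version", "-showversion",
            "-esa", "-enablesystemassertions", "-dsa", "-disablesystemassertions",
            "-Xmixed", "-Xint", "-Xnoclassgc", "-Xincgc", "-Xbatch", "-Xprof", "-Xrs",
            "-XX:+ForceTimeHighResolution", "-XX:-ForceTimeHighResolution")));

    /** Memory flags: prefix followed by a size such as 64m, 512M or 1g. */
    private static final Set<String> SIZE_PREFIXES = Collections.unmodifiableSet(
        new HashSet<String>(Arrays.asList("-Xms", "-Xmx", "-Xss")));

    /** Only digits plus an optional k/m/g suffix may follow a memory prefix. */
    private static final Pattern SIZE = Pattern.compile("[0-9]+[kKmMgG]?");

    private JvmArgsValidator() { }

    /**
     * True if a single argument is on the allowlist. Anything not recognised
     * (-jar, -cp, -classpath, -D..., -javaagent:..., future classpath-style
     * options) is rejected by construction rather than by being listed.
     */
    static boolean isAllowed(String arg) {
        if (EXACT_FLAGS.contains(arg)) {
            return true;
        }
        for (String prefix : SIZE_PREFIXES) {
            if (arg.startsWith(prefix)) {
                return SIZE.matcher(arg.substring(prefix.length())).matches();
            }
        }
        return false;
    }

    /**
     * Validates the whole attribute value (whitespace separated, as written in
     * the JNLP file). Returns the first rejected argument, or null when every
     * argument is allowed; an absent or empty attribute is allowed.
     */
    public static String firstRejected(String javaVmArgs) {
        if (javaVmArgs == null || javaVmArgs.trim().isEmpty()) {
            return null;
        }
        for (String arg : javaVmArgs.trim().split("\\s+")) {
            if (!isAllowed(arg)) {
                return arg;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed stand-in for the proof-of-concept attribute above; the
        // cache path is made up for this example.
        String poc = "-jar /tmp/cache/http/example.org/Exploit.jar Exploit";
        System.out.println("poc    rejected at: " + firstRejected(poc));

        // Ordinary tuning flags pass.
        String benign = "-Xmx512m -Xss1m -esa -XX:+ForceTimeHighResolution";
        System.out.println("benign rejected at: " + firstRejected(benign));

        // A denylist of -cp/-classpath/-jar would let this through; the
        // allowlist rejects it because -javaagent: is simply not listed.
        String agent = "-Xmx512m -javaagent:/tmp/cache/Exploit.jar";
        System.out.println("agent  rejected at: " + firstRejected(agent));
    }
}
```

The check is meant to run where the <j2se> element is parsed, before any of its arguments reach the child JVM's command line; a rejected attribute should fail the launch rather than be silently filtered, since an attacker can otherwise probe for whichever option the filter forgot.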

