Sun Java Runtime New Plugin docbase Buffer Overflow

| Disclosed | Created |
|---|---|
| 2010-10-12 | 2018-05-30 |
Description
This module exploits a flaw in the new plugin component of the Sun Java
Runtime Environment before v6 Update 22. By supplying specific parameters
to the new plugin, an attacker can cause a stack-based buffer overflow and
execute arbitrary code.
When the new plugin is invoked with a "launchjnlp" parameter, it copies the
contents of the "docbase" parameter into a stack buffer using the "sprintf"
function. A string of 396 bytes is enough to overflow the 256-byte stack
buffer and overwrite some local variables as well as the saved return
address.
NOTE: The string being copied is first passed through "WideCharToMultiByte".
Because of this, only characters that have a valid localized multibyte
representation are allowed; invalid characters are replaced with question
marks ('?').
This vulnerability was originally discovered independently by Stephen Fewer
and Berend Jan Wever (SkyLined). Although exhaustive testing hasn't been
done, all versions since version 6 Update 10 are believed to be affected by
this vulnerability.
This vulnerability was patched as part of the October 2010 Oracle Patch
release.
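As an added example (not the plugin's or the module's own code), the unbounded sprintf pattern the description reports, alongside a bounded version that rejects any docbase that does not fit the 256-byte buffer; the format string, function names and the 512-byte scratch buffer are assumptions, and the WideCharToMultiByte conversion is not modelled.

```c
#include <stdio.h>
#include <string.h>

/* Size of the stack buffer the description reports for "docbase". */
#define DOCBASE_BUF_LEN 256

/* Vulnerable pattern, modelled on the description: sprintf has no bound,
 * so a docbase longer than the buffer overruns it and the saved return
 * address beyond it. Shown only for contrast; never call it with untrusted
 * input. The "%s" format string is an assumption, not the plugin's. */
void copy_docbase_unbounded(char *out, const char *docbase) {
    sprintf(out, "%s", docbase);
}

/* Hardened pattern: snprintf with the real buffer size, plus an explicit
 * check of its return value so truncation is treated as an error instead
 * of silently producing a partial value. Returns 0 on success, -1 if the
 * docbase does not fit. */
int copy_docbase_bounded(char *out, size_t out_len, const char *docbase) {
    int n = snprintf(out, out_len, "%s", docbase);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Builds a constructed docbase of `len` 'A' bytes (a stand-in for a long
 * attacker-controlled value) and runs it through the bounded copy into a
 * DOCBASE_BUF_LEN-byte buffer. Returns the bounded copy's result. */
int try_docbase_of_length(size_t len) {
    char docbase[512];
    char buf[DOCBASE_BUF_LEN];
    if (len >= sizeof docbase) {
        return -2;  /* longer than this demo models */
    }
    memset(docbase, 'A', len);
    docbase[len] = '\0';
    return copy_docbase_bounded(buf, sizeof buf, docbase);
}

int main(void) {
    /* 396 bytes, the length the description cites, is rejected by the
     * bounded copy; 200 bytes fits with room for the terminator. */
    printf("396-byte docbase: %d\n", try_docbase_of_length(396));  /* -1 */
    printf("200-byte docbase: %d\n", try_docbase_of_length(200));  /* 0 */
    return 0;
}
```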
Author
jduck <jduck@metasploit.com>
Platform
Windows
Module Options
To display the available options, load the module within the Metasploit console and run the commands `show options` or `show advanced`:
