German | English
n.runs AG - Company
 
 
n.runs AG
Services by n.runs
IT INFRASTRUCTURE
IT SECURITY
IT BUSINESS CONSULTING
IT SOFTWARE

n.runs AG
Nassauer Straße 60
D-61440 Oberursel
Phone: +49 (0) 6171/699-0
Fax: +49 (0) 6171/699-199
E-mail: contact@nruns.com
Newsletter signup
Imprint

n.runs-SA-2007.007 Sun Microsystems, Inc., Java Web Console Format string vulnerability

n.runs AG
http://www.nruns.com
n.runs-SA-2007.007

security(at)nruns.com
18-Apr-2007

* * *

Vendor: Sun Microsystems, Inc., http://www.sun.com
Affected Products: Solaris 10, Java Web Console 2.2.2 - 2.2.5
Vulnerability: Format string vulnerability

Risk:              HIGH
CVE ID:         CVE-2007-1681
Sun Alert ID: 102854
SUN bug ID: 6505096

Vendor communication:
2006/12/10Initial notification of the Sun Security Coordination Team.
2006/12/15Sending reminder.
2006/12/15Sun provides feedback about the further procedure.
2006/12/23Sun confirms vulnerability and assigns bug ID.
2007/02/06Requesting update.
2007/02/07Sun provides feedback. Fix for the most recent version ready.
2007/02/14Sun informs n.runs that the fix for Sun Java Web Console 2.2.4 has been approved and will soon be integrated. Fixes were identified for all other vulnerable versions.
2007/03/05Requesting update.
2007/03/07Sun awaits patch generation and the start of testing cycles.
2007/03/20Sun informs n.runs that patches will be released for Solaris 10. Unbundled versions have to be upgraded to version 2.2.6.
2007/03/25Requesting Sun Alert draft.
2007/03/31Sun sends draft of Sun Alert. Patches have been completed and the upgrade release is in work.
2007/04/14Sun sents public disclosure date.

Systems Affected:
According to the Sun Security Coordination Team, Solaris 10 Operating System, Sun Java Web Console 2.2.2, Sun Java Web Console 2.2.3, Sun Java Web Console 2.2.4 and Sun Java Web Console 2.2.5 are affected.

The existence of the vulnerability was verified by n.runs on fully-patched installations of Solaris 10 6/06 on SPARC and x86 Platform running Sun Java Web Console 2.2.4.

Overview:
A remote exploitable format string vulnerability has been identified in the in the Sun Java Web Console [1].

Description:
The Sun Java Web Console is vulnerable to a format string vulnerability. The root cause of the format string vulnerability lies in the logging of failed logins, therefore this vulnerability is exploitable by unauthenticated remote users.

The vulnerability exists as the libc syslog function is called in /usr/lib/libwebconsole_services.so with two (2) instead of at least three (3) arguments which enables an attacker to influence the message buffer.

Impact:
The exploitation of this vulnerability may result in unauthorised remote code execution or cause a denial of service condition by crashing the Java Web Console service.

Solution:
Update to Sun Java Web Console 2.2.6 or later. Patches for Solaris 10 were released by SUN Microsystems to address this issue, a workaround designed by Sun Microsystems is available. [2]

Credit:
Vulnerability found by Frank Dick of n.runs AG.
Additional credits to Felix Lindner of Sabre Labs GmbH for supporting the vulnerability research.

References:
[1] http://docs.sun.com/app/docs/doc/817-1985/6mhm8o5kh?a=view
[2] http://sunsolve.sun.com/search/document.do?assetkey=1-26-102854-1

Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security@nruns.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.

Copyright 2007 n.runs AG. All rights reserved. Terms of apply.
Penetration Test
 

27 Oct 2008:
Advisory: Eaton MGE OPS Network Shutdown Moduleauthentication bypass and code execution

* * *

21 Oct 2008:
Advisory: Internet Explorer HTML Object Memory Corruption

* * *

30 September 2008:
Corporate News
Figures from the first half of 2008 confirm expansion
+++ Revenues increase by around 30 percent to EUR 3.32m EBITDA improved
+++ by EUR 0.27m to EUR -0.35m Profit impacted by software investments,
+++ consulting profitable Outlook 2008


* * *

17 Sep 2008:
Corporate News
Microsoft selects n.runs as a member of the new program Microsoft Secure Development Lifecycle Pro Network
+++ n.runs AG exclusive member of Microsoft SDL Pro Network
+++ Only member of the MS SDL Pro Network on the European mainland
+++ Medium-term contribution to revenues in excess of 10 percent planned
* * *

10 Sep 2008:
Advisory alert:
Cross-Site Scripting Filter Evasion in various frameworks

* * *

10 Sep 2008:
Advisory alert: 
Horde Framework Cross-Site Scripting in filename MIME attachments

* * *

26 Aug 2008:
Press-release
IT Security for Governments and Military Organizations:
n.runs and Thales Now Co-operating


* * *

25 Aug 2008:
Press-release
Growing threat:
serious attacks on E-Mail-/AV systems constantly increasing n.runs introduces aps-AV – Protective cover for antivirus software


* * *

01 Aug 2008:
Advisory alert:  
MacOS X - CoreServices Framework's CarbonCore FrameworkArbitrary Code Execution