Vigil@nce: Java JRE, code execution via .hotspotrc
July 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can invite the victim to open an HTML page calling a
Java applet located on a network share, in order to execute code
on his computer.
– Severity: 2/4
– Creation date: 11/07/2011
IMPACTED PRODUCTS
– Java JRE/JDK
DESCRIPTION OF THE VULNERABILITY
The Java HotSpot Virtual Machine is a component of Java SE.
The Hotspot VM can be configured with the following files:
– .hotspotrc: supplies command-line arguments (defines the memory
size, etc.)
– .hotspot_compiler: alters the JIT behavior (excludes methods,
etc.)
Both files are usually located in the Java application directory.
However, an attacker with a network share can store:
– a malicious program named "malicious.exe"
– a .hotspotrc file containing: OnOutOfMemoryError="malicious.exe"
(to indicate that malicious.exe has to be executed when a
memory error occurs)
– a Java applet that triggers an out-of-memory error
– an HTML file calling this Java applet
An attacker can therefore invite the victim to open this HTML page
calling a Java applet located on a network share, in order to
execute code on his computer.
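An added example, not part of the Vigil@nce bulletin: a defensive check that walks a directory tree (for instance a mounted share) and reports any .hotspotrc or .hotspot_compiler file, flagging options that launch a command. OnError is included as a further HotSpot command option not named in the bulletin, and the sample files are constructed for the demonstration.

```python
import os
import re
import tempfile

# File names taken from the bulletin.
HOTSPOT_FILES = {".hotspotrc", ".hotspot_compiler"}
# OnOutOfMemoryError is the option named in the bulletin; OnError is another
# HotSpot option that runs a command (added here as an assumption).
COMMAND_OPTION = re.compile(
    r'^\s*(?:-XX:)?(OnOutOfMemoryError|OnError)\s*=\s*(.+?)\s*$')


def scan_file(path):
    """Return (option, command) pairs for command-running options in a file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        for line in handle:
            match = COMMAND_OPTION.match(line)
            if match:
                hits.append((match.group(1), match.group(2).strip('"\'')))
    return hits


def scan_tree(root):
    """Walk root and report every HotSpot configuration file found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(HOTSPOT_FILES.intersection(files)):
            path = os.path.join(dirpath, name)
            findings.append(
                {"path": path, "name": name, "commands": scan_file(path)})
    return findings


def demo():
    """Build a constructed share layout in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        applet_dir = os.path.join(root, "share", "applet")
        os.makedirs(applet_dir)
        with open(os.path.join(applet_dir, ".hotspotrc"), "w") as f:
            f.write('+PrintCompilation\nOnOutOfMemoryError="malicious.exe"\n')
        with open(os.path.join(root, "share", ".hotspot_compiler"), "w") as f:
            f.write("exclude java/lang/String indexOf\n")
        return [(f["name"], f["commands"]) for f in scan_tree(root)]


if __name__ == "__main__":
    for name, commands in demo():
        print(name, commands or "no command option")
```

Any finding with a non-empty command list on a share or in a download directory deserves review, since the file is read from the directory the Java application is loaded from.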
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Java-JRE-code-execution-via-hotspotrc-10825