Vigil@nce - IcedTea-Web: interaction with LiveConnect
February 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can access IcedTea-Web LiveConnect sockets in
order to interact with the web session of another user.
Impacted products: Unix (platform)
Severity: 2/4
Creation date: 10/02/2014
DESCRIPTION OF THE VULNERABILITY
The LiveConnect product is used to interact with a Java applet,
using JavaScript code. IcedTea-Web uses sockets located in a
temporary directory.
However, the directory name is predictable (icedteaplugin-user),
and the directory is located in a publicly writable directory, so
the attacker can create (and thus own) it before IcedTea-Web uses
it. The attacker can then delete the socket created by IcedTea-Web
and replace it with their own socket.
A local attacker can therefore access IcedTea-Web LiveConnect
sockets in order to interact with the web session of another user.
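The check that closes this kind of hole, as an added example (not part of the Vigil@nce bulletin and not IcedTea-Web's code or its actual fix): create the socket directory atomically, and accept an existing one only if it is a real directory owned by the current user with no group/other access. The function names are hypothetical, and "user" in the directory name is assumed to be the login name.

```python
import os
import stat
import tempfile


def is_private_dir(path, uid=None):
    """True only for a real directory (not a symlink) owned by uid
    and carrying no group/other permission bits."""
    uid = os.geteuid() if uid is None else uid
    try:
        st = os.lstat(path)  # lstat: never follow a planted symlink
    except FileNotFoundError:
        return False
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == uid
            and stat.S_IMODE(st.st_mode) & 0o077 == 0)


def open_socket_dir(base, user):
    """Return a directory under base that is safe to hold user's sockets."""
    fixed = os.path.join(base, "icedteaplugin-" + user)
    try:
        # mkdir is atomic: it fails if anything already has this name,
        # including a directory or symlink created by another local user.
        os.mkdir(fixed, 0o700)
        return fixed
    except FileExistsError:
        if is_private_dir(fixed):
            return fixed  # our own directory left by an earlier run
    # The predictable name is taken by someone else or is too permissive:
    # use an unpredictable name instead (mkdtemp creates it with mode 0700).
    return tempfile.mkdtemp(prefix="icedteaplugin-" + user + "-", dir=base)


if __name__ == "__main__":
    base = tempfile.mkdtemp()          # constructed stand-in for /tmp
    first = open_socket_dir(base, "alice")
    os.chmod(first, 0o777)             # simulate a directory others can write
    second = open_socket_dir(base, "alice")
    print("first :", first, is_private_dir(first))
    print("second:", second, is_private_dir(second))
```

The ownership test only holds if the parent directory has the sticky bit set (as /tmp normally does); otherwise other users could rename or remove the directory after it has been validated.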
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/IcedTea-Web-interaction-with-LiveConnect-14197