Tuesday, 6 April 2010

Sun Java CMM readMabCurveData Stack Buffer Overflow Vulnerability

TippingPoint's Zero Day Initiative (ZDI) have published an advisory for a stack based buffer overflow vulnerability in Sun Microsystems (A subsidiary of Oracle) Java. The flaw is found within the readMabCurveData function in the CMM module. The vulnerability effects all version of Java on Windows, Linux and Solaris over the last 5 years on both the x86 and x64 architectures. The Mac OSX Java build is also effected.

The vulnerability can be exploited by an attacker through a malicious Java applet embedded in a web page and leads to arbitrary code execution in the context of the user who visits the web page. Due to this vulnerability being a stack buffer overflow, reliable exploitation is trivial and mitigation's such as DEP and ASLR can easily be bypassed thanks to the Java Virtual Machine's heap being executable as well as maintaining a predictable layout.

This vulnerability was discovered by Stephen Fewer of Harmony Security.

You can read the full ZDI advisory here:

You can read the full Oracle advisory here:


Anonymous said...

I guess Oracle have not heard of the /GS compiler switch.

Anonymous said...

Nice find!

readMabCurveData seems to correspond to function cmsReadICCLut in OpenJDK. But how do you reach it using Java?


Stephen Fewer said...

@Anonymous (#1): ...they should look into the /DYNAMICBASE switch too for the entire JVM ;) although to be fair, on Windows, some of the later x64 versions of CMM.dll do have /GS applied but none of the x86 versions do. The Linux, Solaris and Mac OSX builds didn't have anything similar applied either IIRC.

@Anonymous (#2): Haven't released the those details yet but it should be an easy enough bug to reverse out.