Message-ID: <5214F1D9.3090305@fuzzmyapp.com>
Date: Wed, 21 Aug 2013 18:59:05 +0200
From: FuzzMyApp Disclosure <disclosure@...zmyapp.com>
To: full-disclosure@...ts.grok.org.uk
Subject: CVE-2013-4099 - JOAL 2.0-rc11 - Multiple Remote Code Execution Vulnerabilities


0. Introduction

    Vendor description:
    The JOAL Project hosts a reference implementation of the Java bindings
    for the OpenAL API, and is designed to provide hardware-supported 3D
    specialized audio for games written in Java.

1. Affected software
    JOAL 2.0-rc11

2. Vulnerability
    The FuzzMyApp team have identified several bugs in OpenAL32.dll which
    can lead to code execution.
    OpenAL32.dll is distributed in signed JAR files, which allows a
    malicious applet to be created.
    If the user has not used any of JogAmp's libraries before, they need
    to accept the installation.
    If the user has a Sven Gothel certificate among their trusted Java
    certificates (i.e. has used JogAmp before), no interaction is needed.

    Vulnerable methods:
    01. jogamp.openal.ALImpl.dispatch.alAuxiliaryEffectSlotf1(IIFJ)V
    02. jogamp.openal.ALImpl.dispatch.alBuffer3f1(IIFFFJ)V
    03. jogamp.openal.ALImpl.dispatch.alBufferfv1(IILjava/lang/Object;IZJ)V
    04. jogamp.openal.ALImpl.dispatch.alDeleteEffects1(ILjava/lang/Object;IZJ)V
    05. jogamp.openal.ALImpl.dispatch.alEffectf1(IIFJ)V
    06. jogamp.openal.ALImpl.dispatch.alEffectfv1(IILjava/lang/Object;IZJ)V
    07. jogamp.openal.ALImpl.dispatch.alEffectiv1(IILjava/lang/Object;IZJ)V
    08. jogamp.openal.ALImpl.dispatch.alEnable1(IJ)V
    09. jogamp.openal.ALImpl.dispatch.alFilterfv1(IILjava/lang/Object;IZJ)V
    10. jogamp.openal.ALImpl.dispatch.alFilteriv1(IILjava/lang/Object;IZJ)V
    11. jogamp.openal.ALImpl.dispatch.alGenAuxiliaryEffectSlots1(ILjava/lang/Object;IZJ)V
    12. jogamp.openal.ALImpl.dispatch.alGenEffects1(ILjava/lang/Object;IZJ)V
    13. jogamp.openal.ALImpl.dispatch.alGenFilters1(ILjava/lang/Object;IZJ)V
    14. jogamp.openal.ALImpl.dispatch.alGenSources1(ILjava/lang/Object;IZJ)V
    15. jogamp.openal.ALImpl.dispatch.alGetAuxiliaryEffectSlotiv1(IILjava/lang/Object;IZJ)V
    16. jogamp.openal.ALImpl.dispatch.alGetBuffer3f1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
    17. jogamp.openal.ALImpl.dispatch.alGetBuffer3i1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
    18. jogamp.openal.ALImpl.dispatch.alGetBufferf1(IILjava/lang/Object;IZJ)V
    19. jogamp.openal.ALImpl.dispatch.alGetBufferiv1(IILjava/lang/Object;IZJ)V
    20. jogamp.openal.ALImpl.dispatch.alGetDoublev1(ILjava/lang/Object;IZJ)V
    21. jogamp.openal.ALImpl.dispatch.alGetEffectf1(IILjava/lang/Object;IZJ)V
    22. jogamp.openal.ALImpl.dispatch.alGetEffectfv1(IILjava/lang/Object;IZJ)V
    23. jogamp.openal.ALImpl.dispatch.alGetEffectiv1(IILjava/lang/Object;IZJ)V
    24. jogamp.openal.ALImpl.dispatch.alGetEnumValue1(Ljava/lang/String;J)I
    25. jogamp.openal.ALImpl.dispatch.alGetFilteri1(IILjava/lang/Object;IZJ)V
    26. jogamp.openal.ALImpl.dispatch.alGetFilteriv1(IILjava/lang/Object;IZJ)V
    27. jogamp.openal.ALImpl.dispatch.alGetFloat1(IJ)F
    28. jogamp.openal.ALImpl.dispatch.alGetFloatv1(ILjava/lang/Object;IZJ)V
    29. jogamp.openal.ALImpl.dispatch.alGetListener3f1(ILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
    30. jogamp.openal.ALImpl.dispatch.alGetListener3i1(ILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
    31. jogamp.openal.ALImpl.dispatch.alGetListenerf1(ILjava/lang/Object;IZJ)V
    32. jogamp.openal.ALImpl.dispatch.alGetListeneri1(ILjava/lang/Object;IZJ)V
    33. jogamp.openal.ALImpl.dispatch.alGetListeneriv1(ILjava/lang/Object;IZJ)V
    34. jogamp.openal.ALImpl.dispatch.alGetProcAddress1(Ljava/lang/String;J)J
    35. jogamp.openal.ALImpl.dispatch.alGetProcAddressStatic(Ljava/lang/String;J)J
    36. jogamp.openal.ALImpl.dispatch.alGetSource3f1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
    37. jogamp.openal.ALImpl.dispatch.alGetSource3i1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
    38. jogamp.openal.ALImpl.dispatch.alGetSourcef1(IILjava/lang/Object;IZJ)V
    39. jogamp.openal.ALImpl.dispatch.alGetSourcefv1(IILjava/lang/Object;IZJ)V
    40. jogamp.openal.ALImpl.dispatch.alGetSourcei1(IILjava/lang/Object;IZJ)V
    41. jogamp.openal.ALImpl.dispatch.alGetSourceiv1(IILjava/lang/Object;IZJ)V
    42. jogamp.openal.ALImpl.dispatch.alGetString1(IJ)Ljava/lang/String;
    43. jogamp.openal.ALImpl.dispatch.alIsAuxiliaryEffectSlot1(IJ)Z
    44. jogamp.openal.ALImpl.dispatch.alIsBuffer1(IJ)Z
    45. jogamp.openal.ALImpl.dispatch.alIsEffect1(IJ)Z
    46. jogamp.openal.ALImpl.dispatch.alIsExtensionPresent1(Ljava/lang/String;J)Z
    47. jogamp.openal.ALImpl.dispatch.alIsFilter1(IJ)Z
    48. jogamp.openal.ALImpl.dispatch.alListener3f1(IFFFJ)V
    49. jogamp.openal.ALImpl.dispatch.alListener3i1(IIIIJ)V
    50. jogamp.openal.ALImpl.dispatch.alListenerf1(IFJ)V
    51. jogamp.openal.ALImpl.dispatch.alListenerfv1(ILjava/lang/Object;IZJ)V
    52. jogamp.openal.ALImpl.dispatch.alListeneri1(IIJ)V
    53. jogamp.openal.ALImpl.dispatch.alListeneriv1(ILjava/lang/Object;IZJ)V
    54. jogamp.openal.ALImpl.dispatch.alSource3f1(IIFFFJ)V
    55. jogamp.openal.ALImpl.dispatch.alSource3i1(IIIIIJ)V
    56. jogamp.openal.ALImpl.dispatch.alSourcef1(IIFJ)V
    57. jogamp.openal.ALImpl.dispatch.alSourcefv1(IILjava/lang/Object;IZJ)V
    58. jogamp.openal.ALImpl.dispatch.alSourcei1(IIIJ)V
    59. jogamp.openal.ALImpl.dispatch.alSourceiv1(IILjava/lang/Object;IZJ)V
    60. jogamp.openal.ALImpl.dispatch.alSourcePause1(IJ)V
    61. jogamp.openal.ALImpl.dispatch.alSourcePausev1(ILjava/lang/Object;IZJ)V
    62. jogamp.openal.ALImpl.dispatch.alSourcePlay1(IJ)V
    63. jogamp.openal.ALImpl.dispatch.alSourcePlayv1(ILjava/lang/Object;IZJ)V
    64. jogamp.openal.ALImpl.dispatch.alSourceQueueBuffers1(IILjava/lang/Object;IZJ)V
    65. jogamp.openal.ALImpl.dispatch.alSourceRewindv1(ILjava/lang/Object;IZJ)V
    66. jogamp.openal.ALImpl.dispatch.alSourceStop1(IJ)V
    67. jogamp.openal.ALImpl.dispatch.alSourceStopv1(ILjava/lang/Object;IZJ)V
    68. jogamp.openal.ALImpl.dispatch.alSourceUnqueueBuffers1(IILjava/lang/Object;IZJ)V
    69. jogamp.openal.ALImpl.dispatch.alSpeedOfSound1(FJ)V

    Malformed method parameters allow full control of the EIP register,
    which leads to remote code execution.
    Crash dumps are available here:
    http://www.fuzzmyapp.com/advisories/FMA-2012-038/FMA-2012-038-EN.xml
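    As an added illustration (not code from FuzzMyApp or the JOAL project): a Java-side guard that checks a GlueGen-style argument set before the call crosses JNI into the native library. The parameter meaning assumed here, (count, buffer, byte offset, is-direct flag, function pointer), is read off the `ILjava/lang/Object;IZJ` signatures listed above and is an assumption; the sample function-pointer value is constructed.

```java
import java.nio.IntBuffer;

/** Hypothetical guard (added example, not JOAL code) for native entry points
 *  of the assumed form (int n, Object buf, int byteOffset, boolean isDirect,
 *  long procAddress). It rejects the count/offset combinations that would let
 *  the native side read or write past the Java buffer. */
public final class NativeArgGuard {

    /** Validate an int[] / IntBuffer argument. Returns the element count the
     *  native side may legally touch, or throws before any native call. */
    public static int checkIntArgs(int n, Object buf, int byteOffset,
                                   boolean isDirect, long procAddress) {
        if (procAddress == 0L)
            throw new IllegalStateException("native function pointer not resolved");
        if (n < 0 || byteOffset < 0 || (byteOffset & 3) != 0)
            throw new IllegalArgumentException("negative count or misaligned offset");
        long capacityBytes;
        if (buf instanceof int[]) {
            if (isDirect)
                throw new IllegalArgumentException("int[] cannot be a direct buffer");
            capacityBytes = 4L * ((int[]) buf).length;
        } else if (buf instanceof IntBuffer) {
            IntBuffer ib = (IntBuffer) buf;
            if (ib.isDirect() != isDirect)
                throw new IllegalArgumentException("isDirect flag disagrees with buffer");
            // Assumption: byteOffset is already relative to the buffer base.
            capacityBytes = 4L * ib.capacity();
        } else {
            throw new IllegalArgumentException("unsupported buffer type");
        }
        // long arithmetic so byteOffset + 4*n cannot wrap around to a small value
        if (byteOffset + 4L * n > capacityBytes)
            throw new IndexOutOfBoundsException("count/offset exceed buffer bounds");
        return n;
    }

    public static void main(String[] args) {
        int[] names = new int[4];
        long fakeProc = 0x1000L; // constructed placeholder, not a real address
        System.out.println(checkIntArgs(4, names, 0, false, fakeProc)); // 4
        try {
            checkIntArgs(Integer.MAX_VALUE, names, 0, false, fakeProc);
        } catch (IndexOutOfBoundsException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```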

3. Fix
    JogAmp released a new version (2.0.2-rc12) fixing the JOAL issues.
    All previously signed JAR files have been removed.
    Signed JAR files are restricted to the codebase '*.jogamp.org'.
    The latest JOAL implementation does not depend on the buggy OpenAL library.

4. Credit
    FuzzMyApp Team
    http://www.fuzzmyapp.com/
    
5. References
    http://www.fuzzmyapp.com/advisories/FMA-2012-038/FMA-2012-038-EN.xml
    http://forum.jogamp.org/Release-2-0-2-rc12-td4029471.html
    http://labb.zafena.se/?p=799
   
- FuzzMyApp
