| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Aug 2013 18:59:05 +0200
From: FuzzMyApp Disclosure <disclosure@...zmyapp.com>
To: full-disclosure@...ts.grok.org.uk
Subject: CVE-2013-4099 - JOAL 2.0-rc11 - Multiple Remote
Code Execution Vulnerabilities
0. Introduction
Vendor description:
The JOAL Project hosts a reference implementation of the Java
bindings for OpenAL API,
and is designed to provide hardware-supported 3D specialized audio
for games written in Java.
1. Affected software
JOAL 2.0-rc11
2. Vulnerability
FuzzMyApp team have identified several bugs in OpenAL32.dll, which
can lead to code execution.
OpenAL32.dll is distributed in signed jar files. It allows to create
malicious applet.
If user had not used any of JogAmp's libraries before, one needs to
accept installation.
If user has a Sven Gothel certificate among Java trusted
certificates (i.e. used JogAmp before),
no interaction is needed.
Vulnerable methods:
01. jogamp.openal.ALImpl.dispatch.alAuxiliaryEffectSlotf1(IIFJ)V
02. jogamp.openal.ALImpl.dispatch.alBuffer3f1(IIFFFJ)V
03. jogamp.openal.ALImpl.dispatch.alBufferfv1(IILjava/lang/Object;IZJ)V
04.
jogamp.openal.ALImpl.dispatch.alDeleteEffects1(ILjava/lang/Object;IZJ)V
05. jogamp.openal.ALImpl.dispatch.alEffectf1(IIFJ)V
06. jogamp.openal.ALImpl.dispatch.alEffectfv1(IILjava/lang/Object;IZJ)V
07. jogamp.openal.ALImpl.dispatch.alEffectiv1(IILjava/lang/Object;IZJ)V
08. jogamp.openal.ALImpl.dispatch.alEnable1(IJ)V
09. jogamp.openal.ALImpl.dispatch.alFilterfv1(IILjava/lang/Object;IZJ)V
10. jogamp.openal.ALImpl.dispatch.alFilteriv1(IILjava/lang/Object;IZJ)V
11.
jogamp.openal.ALImpl.dispatch.alGenAuxiliaryEffectSlots1(ILjava/lang/Object;IZJ)V
12. jogamp.openal.ALImpl.dispatch.alGenEffects1(ILjava/lang/Object;IZJ)V
13. jogamp.openal.ALImpl.dispatch.alGenFilters1(ILjava/lang/Object;IZJ)V
14. jogamp.openal.ALImpl.dispatch.alGenSources1(ILjava/lang/Object;IZJ)V
15.
jogamp.openal.ALImpl.dispatch.alGetAuxiliaryEffectSlotiv1(IILjava/lang/Object;IZJ)V
16.
jogamp.openal.ALImpl.dispatch.alGetBuffer3f1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
17.
jogamp.openal.ALImpl.dispatch.alGetBuffer3i1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
18.
jogamp.openal.ALImpl.dispatch.alGetBufferf1(IILjava/lang/Object;IZJ)V
19.
jogamp.openal.ALImpl.dispatch.alGetBufferiv1(IILjava/lang/Object;IZJ)V
20. jogamp.openal.ALImpl.dispatch.alGetDoublev1(ILjava/lang/Object;IZJ)V
21.
jogamp.openal.ALImpl.dispatch.alGetEffectf1(IILjava/lang/Object;IZJ)V
22.
jogamp.openal.ALImpl.dispatch.alGetEffectfv1(IILjava/lang/Object;IZJ)V
23.
jogamp.openal.ALImpl.dispatch.alGetEffectiv1(IILjava/lang/Object;IZJ)V
24. jogamp.openal.ALImpl.dispatch.alGetEnumValue1(Ljava/lang/String;J)I
25.
jogamp.openal.ALImpl.dispatch.alGetFilteri1(IILjava/lang/Object;IZJ)V
26.
jogamp.openal.ALImpl.dispatch.alGetFilteriv1(IILjava/lang/Object;IZJ)V
27. jogamp.openal.ALImpl.dispatch.alGetFloat1(IJ)F
28. jogamp.openal.ALImpl.dispatch.alGetFloatv1(ILjava/lang/Object;IZJ)V
29.
jogamp.openal.ALImpl.dispatch.alGetListener3f1(ILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
30.
jogamp.openal.ALImpl.dispatch.alGetListener3i1(ILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
31.
jogamp.openal.ALImpl.dispatch.alGetListenerf1(ILjava/lang/Object;IZJ)V
32.
jogamp.openal.ALImpl.dispatch.alGetListeneri1(ILjava/lang/Object;IZJ)V
33.
jogamp.openal.ALImpl.dispatch.alGetListeneriv1(ILjava/lang/Object;IZJ)V
34.
jogamp.openal.ALImpl.dispatch.alGetProcAddress1(Ljava/lang/String;J)J
35.
jogamp.openal.ALImpl.dispatch.alGetProcAddressStatic(Ljava/lang/String;J)J
36.
jogamp.openal.ALImpl.dispatch.alGetSource3f1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
37.
jogamp.openal.ALImpl.dispatch.alGetSource3i1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
38.
jogamp.openal.ALImpl.dispatch.alGetSourcef1(IILjava/lang/Object;IZJ)V
39.
jogamp.openal.ALImpl.dispatch.alGetSourcefv1(IILjava/lang/Object;IZJ)V
40.
jogamp.openal.ALImpl.dispatch.alGetSourcei1(IILjava/lang/Object;IZJ)V
41.
jogamp.openal.ALImpl.dispatch.alGetSourceiv1(IILjava/lang/Object;IZJ)V
42. jogamp.openal.ALImpl.dispatch.alGetString1(IJ)Ljava/lang/String;
43. jogamp.openal.ALImpl.dispatch.alIsAuxiliaryEffectSlot1(IJ)Z
44. jogamp.openal.ALImpl.dispatch.alIsBuffer1(IJ)Z
45. jogamp.openal.ALImpl.dispatch.alIsEffect1(IJ)Z
46.
jogamp.openal.ALImpl.dispatch.alIsExtensionPresent1(Ljava/lang/String;J)Z
47. jogamp.openal.ALImpl.dispatch.alIsFilter1(IJ)Z
48. jogamp.openal.ALImpl.dispatch.alListener3f1(IFFFJ)V
49. jogamp.openal.ALImpl.dispatch.alListener3i1(IIIIJ)V
50. jogamp.openal.ALImpl.dispatch.alListenerf1(IFJ)V
51. jogamp.openal.ALImpl.dispatch.alListenerfv1(ILjava/lang/Object;IZJ)V
52. jogamp.openal.ALImpl.dispatch.alListeneri1(IIJ)V
53. jogamp.openal.ALImpl.dispatch.alListeneriv1(ILjava/lang/Object;IZJ)V
54. jogamp.openal.ALImpl.dispatch.alSource3f1(IIFFFJ)V
55. jogamp.openal.ALImpl.dispatch.alSource3i1(IIIIIJ)V
56. jogamp.openal.ALImpl.dispatch.alSourcef1(IIFJ)V
57. jogamp.openal.ALImpl.dispatch.alSourcefv1(IILjava/lang/Object;IZJ)V
58. jogamp.openal.ALImpl.dispatch.alSourcei1(IIIJ)V
59. jogamp.openal.ALImpl.dispatch.alSourceiv1(IILjava/lang/Object;IZJ)V
60. jogamp.openal.ALImpl.dispatch.alSourcePause1(IJ)V
61.
jogamp.openal.ALImpl.dispatch.alSourcePausev1(ILjava/lang/Object;IZJ)V
62. jogamp.openal.ALImpl.dispatch.alSourcePlay1(IJ)V
63.
jogamp.openal.ALImpl.dispatch.alSourcePlayv1(ILjava/lang/Object;IZJ)V
64.
jogamp.openal.ALImpl.dispatch.alSourceQueueBuffers1(IILjava/lang/Object;IZJ)V
65.
jogamp.openal.ALImpl.dispatch.alSourceRewindv1(ILjava/lang/Object;IZJ)V
66. jogamp.openal.ALImpl.dispatch.alSourceStop1(IJ)V
67.
jogamp.openal.ALImpl.dispatch.alSourceStopv1(ILjava/lang/Object;IZJ)V
68.
jogamp.openal.ALImpl.dispatch.alSourceUnqueueBuffers1(IILjava/lang/Object;IZJ)V
69. jogamp.openal.ALImpl.dispatch.alSpeedOfSound1(FJ)V
Malformed methods parameters allow full control of EIP register,
which leads
to remote code execution.
Crash dumps are avaliable here:
http://www.fuzzmyapp.com/advisories/FMA-2012-038/FMA-2012-038-EN.xml.
3. Fix
JOGAMP released new version (2.0.2-rc12) fixing JOAL issues.
All previous signed JAR files have been removed.
Signed JAR files restricted to codebase '*.jogamp.org'.
Latest JOAL implementation does not depend on buggy OpenAL library.
4. Credit
FuzzMyApp Team
http://www.fuzzmyapp.com/
5. References
http://www.fuzzmyapp.com/advisories/FMA-2012-038/FMA-2012-038-EN.xml
http://forum.jogamp.org/Release-2-0-2-rc12-td4029471.html
http://labb.zafena.se/?p=799
- FuzzMyApp
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists