cbcvebase.
CVE-2007-3655
published 2007-07-10

Priority: P3 · 45 · medium
CVSS 2.0: 6.8 (medium), vector AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public PoC available
EPSS: 12.27% (95.7th percentile)
Stack-based buffer overflow in javaws.exe in Sun Java Web Start in JRE 5.0 Update 11 and earlier, and 6.0 Update 1 and earlier, allows remote attackers to execute arbitrary code via a long codebase attribute in a JNLP file.

Affected (2 ranges)

Vendor  Product  Version range               Fixed in
sun     jre      5.0 Update 11 and earlier
sun     jre      6.0 Update 1 and earlier

Detection & IOCs (extracted from sources)

filename: JavaWebStartPOC.VBS
filename: javaws.exe
command: sprintf copy codebase to 1k stack buffer
  • Trigger is a long `codebase` attribute in a JNLP file delivered to javaws.exe; monitor for JNLP files with abnormally long codebase attribute values (stack buffer is ~1 KB at offset -0x540).
  • The vulnerable sprintf call is at address 0x00406253 in javaws.exe v6.0.10.6; the stack frame allocates a 1 KB FileName buffer at ebp-0x540. A crash or EIP overwrite at/near this address indicates exploitation.
  • PoC exploit generates a malicious .JNLP file via a VBScript (JavaWebStartPOC.VBS); detect creation or download of .jnlp files containing oversized codebase attributes.
  • The overflow is triggered through the JNLP codebase URL parsing path in Java Web Start; monitor javaws.exe spawning unexpected child processes or writing files outside expected temp directories.
  • Affected versions are JRE 5.0 Update 11 and earlier, and JRE 6.0 Update 1 and earlier, on Windows, Solaris, and Linux. Patched versions are not vulnerable.
  • The PoC was tested specifically against javaws.exe version 6.0.10.6; the vulnerable code offsets (e.g., 0x00406208, 0x00406253) are specific to that binary build and may differ in other builds.
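As an added defensive example (not from the advisory or its cited sources), the check below inspects a JNLP file and flags a codebase attribute long enough to overrun the roughly 1 KB stack buffer described above; the SUSPICIOUS_THRESHOLD value and the sample files are constructed assumptions, and the regex fallback exists so that deliberately malformed XML is still inspected.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Size of the stack buffer described for CVE-2007-3655 (about 1 KB at ebp-0x540).
STACK_BUFFER_BYTES = 1024
# Assumed alerting threshold: legitimate codebase URLs are far shorter than this.
SUSPICIOUS_THRESHOLD = 256

# Fallback matcher for files that do not parse as XML (truncated or broken on purpose).
_CODEBASE_RE = re.compile(rb'codebase\s*=\s*(["\'])(.*?)\1', re.DOTALL)


def codebase_length(jnlp_bytes: bytes) -> Optional[int]:
    """Return the byte length of the <jnlp codebase="..."> attribute, or None if absent."""
    try:
        root = ET.fromstring(jnlp_bytes)
        value = root.get("codebase") if root.tag == "jnlp" else None
        if value is not None:
            return len(value.encode("utf-8"))
    except ET.ParseError:
        pass  # malformed XML: fall through to the byte-level scan
    match = _CODEBASE_RE.search(jnlp_bytes)
    return len(match.group(2)) if match else None


def assess_jnlp(jnlp_bytes: bytes) -> dict:
    """Classify a JNLP file by codebase length relative to the vulnerable buffer size."""
    length = codebase_length(jnlp_bytes)
    if length is None:
        verdict = "no-codebase"
    elif length >= STACK_BUFFER_BYTES:
        verdict = "overflow-length"   # cannot fit the 1 KB buffer at all
    elif length >= SUSPICIOUS_THRESHOLD:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"codebase_length": length, "verdict": verdict}


# Constructed sample files (not taken from the advisory or the PoC).
BENIGN = (b'<?xml version="1.0"?><jnlp spec="1.0+" codebase="http://example.com/app/"'
          b' href="app.jnlp"><information><title>App</title></information></jnlp>')
OVERSIZED = b'<jnlp codebase="http://example.com/' + b"A" * 1500 + b'"></jnlp>'

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, assess_jnlp(sample))
```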

CVSS provenance

nvd (v2.0): 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_redhat: 6.8 MEDIUM