CVE-2007-3655
Published 2007-07-10
PriorityP345medium6.8CVSS 2.0
AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit available · EPSS 12.27% (95.7th percentile)
Stack-based buffer overflow in javaws.exe in Sun Java Web Start in JRE 5.0 Update 11 and earlier, and 6.0 Update 1 and earlier, allows remote attackers to execute arbitrary code via a long codebase attribute in a JNLP file.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sun | jre | — | — |
| sun | jre | — | — |
Detection & IOCs (extracted from sources)
- The trigger is a long `codebase` attribute in a JNLP file delivered to javaws.exe; monitor for JNLP files with abnormally long codebase attribute values (the stack buffer is ~1 KB, at offset -0x540).
- The vulnerable sprintf call is at address 0x00406253 in javaws.exe v6.0.10.6; the stack frame allocates a 1 KB FileName buffer at ebp-0x540. A crash or EIP overwrite at or near this address indicates exploitation.
- The PoC generates a malicious .JNLP file via a VBScript (JavaWebStartPOC.VBS); detect creation or download of .jnlp files containing oversized codebase attributes.
- The overflow is triggered through the JNLP codebase URL parsing path in Java Web Start; monitor javaws.exe spawning unexpected child processes or writing files outside expected temp directories.
- Affected versions are JRE 5.0 Update 11 and earlier, and JRE 6.0 Update 1 and earlier, on Windows, Solaris, and Linux. Patched versions are not vulnerable.
- The PoC was tested specifically against javaws.exe version 6.0.10.6; the vulnerable code offsets (e.g., 0x00406208, 0x00406253) are specific to that binary build and may differ in other builds.
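One way to act on the JNLP-side hints above, as an added example that is not from this page or from any of the cited sources: a small Python checker that measures every `codebase` attribute in a JNLP document and flags values at or above a 1 KB threshold. The threshold, the regex fallback for malformed files, and the sample documents are assumptions; the page only gives the approximate buffer size.

```python
import re
import xml.etree.ElementTree as ET

# Threshold reflects the ~1 KB stack buffer reported for javaws.exe v6.0.10.6.
# The exact safe length is not given on the page; 1024 is an assumed cut-off.
CODEBASE_LIMIT = 1024

# Fallback matcher for files that are not well-formed XML (a crafted file need not be).
_CODEBASE_RE = re.compile(rb'codebase\s*=\s*(["\'])(.*?)\1', re.DOTALL)


def codebase_lengths(jnlp_bytes):
    """Return the byte length of every codebase attribute in a JNLP document.

    A real XML parse is tried first; on a parse error the regex fallback is used
    so that a deliberately broken file still gets inspected.
    """
    try:
        root = ET.fromstring(jnlp_bytes)
        lengths = [len(el.attrib['codebase'].encode('utf-8'))
                   for el in root.iter() if 'codebase' in el.attrib]
        if lengths:
            return lengths
    except ET.ParseError:
        pass
    return [len(m.group(2)) for m in _CODEBASE_RE.finditer(jnlp_bytes)]


def is_suspicious_jnlp(jnlp_bytes, limit=CODEBASE_LIMIT):
    """True if any codebase attribute meets or exceeds the limit."""
    return any(n >= limit for n in codebase_lengths(jnlp_bytes))


# Constructed samples (not from the page): a normal launcher, an oversized one,
# and a malformed one that only the regex fallback can inspect.
BENIGN_JNLP = (b'<?xml version="1.0"?><jnlp spec="1.0+" codebase="http://example.test/app/">'
               b'<information><title>App</title></information></jnlp>')
OVERSIZED_JNLP = (b'<?xml version="1.0"?><jnlp codebase="http://example.test/'
                  + b'A' * 1200 + b'"></jnlp>')
MALFORMED_JNLP = b'<jnlp codebase="' + b'B' * 2000 + b'"><unclosed>'

if __name__ == '__main__':
    for name, doc in (('benign', BENIGN_JNLP), ('oversized', OVERSIZED_JNLP),
                      ('malformed', MALFORMED_JNLP)):
        verdict = 'SUSPICIOUS' if is_suspicious_jnlp(doc) else 'ok'
        print(name, codebase_lengths(doc), verdict)
```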
CVSS provenance
NVD (CVSS v2.0): 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
Red Hat (vendor): 6.8 MEDIUM
GHSA
GHSA-mhwx-cv4j-f56v: Stack-based buffer overflow in javaws (unreviewed advisory, 2022-05-01; severity MEDIUM; CWE-119)
Red Hat
A buffer overflow vulnerability in Java Web Start URL parsing code (vendor advisory, 2007-07-10; CVSS 6.8, MEDIUM)
No detection rules found.
Exploit-DB
Sun Java WebStart - JNLP Stack Buffer Overflow (PoC) (exploitdb, 2007-07-10)
---
```vb
'-----------------------------------------------------------------------------------------------
' Java Web Start Buffer Overflow POC Exploit
'
' FileName: JavaWebStartPOC.VBS
' Contact: ZhenHan.Liu#ph4nt0m.org
' Date: 2007-07-10
' Team: http://www.ph4nt0m.org
' Environment: Tested on JRE 1.6, javaws.exe v6.0.10.6
' Reference: http://seclists.org/fulldisclosure/2007/Jul/0155.html
' Usage: I did not put a real alpha shellcode here, you'd replace it with your own.
'
' Code(javaws.exe):
' .text:00406208 ; *************** S U B R O U T I N E ***************************************
' .text:00406208
' .text:00406208 ; Attributes: bp-based frame
' .text:00406208
' .text:00406208 sub_406208 proc near ; CODE XREF: sub_405468+4E p
' .text:004
```
Exploit-DB
Sun Java Runtime Environment 1.6 - Web Start '.JNLP' File Stack Buffer Overflow (exploitdb, 2007-07-09)
---
Source: https://www.securityfocus.com/bid/24832/info

Sun Java Runtime Environment is prone to a stack-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely result in a denial-of-service condition.

This issue affects these versions:
- Java Runtime Environment 6 update 1
- Java Runtime Environment 5 update 11
- Prior versions are also affected.
References
- http://docs.info.apple.com/article.html?artnum=307177
- http://lists.apple.com/archives/Security-announce/2007/Dec/msg00001.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064552.html
- http://osvdb.org/37756
- http://research.eeye.com/html/advisories/published/AD20070705.html
- http://secunia.com/advisories/25981
- http://secunia.com/advisories/26314
- http://secunia.com/advisories/26369
- http://secunia.com/advisories/27266
- http://secunia.com/advisories/28115
- http://secunia.com/advisories/29858
- http://secunia.com/advisories/30780
- http://security.gentoo.org/glsa/glsa-200804-28.xml
- http://securityreason.com/securityalert/2874
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102996-1
- http://www.exploit-db.com/exploits/30284
- http://www.gentoo.org/security/en/glsa/glsa-200804-20.xml
- http://www.gentoo.org/security/en/glsa/glsa-200806-11.xml
- http://www.novell.com/linux/security/advisories/2007_56_ibmjava.html
- http://www.redhat.com/support/errata/RHSA-2007-0818.html
- http://www.redhat.com/support/errata/RHSA-2007-0829.html
- http://www.securityfocus.com/archive/1/473224/100/0/threaded
- http://www.securityfocus.com/archive/1/473356/100/0/threaded
- http://www.securityfocus.com/bid/24832
- http://www.securitytracker.com/id?1018346
- http://www.vupen.com/english/advisories/2007/2477
- http://www.vupen.com/english/advisories/2007/4224
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35320
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11367