Saturday, 4 May 2013

Java Security Warning Bypass using JNLP

A flaw exist in Java 'performSSVValidation' method that if combined with JNLP will allow to launch an unsigned Java applet bypassing Security Warning pop-up window. There is undocumented parameter the flawed method accepts and if set to 'true' will instruct Java not to perform applet's signature check.

Sample of specially crafted JNLP file:

<resources> tag contains the name of the JAR file to launch followed by 'applet-desc' pointing at the class file to start the execution with. Setting parameter '__applet_ssv_validated' to 'true' allows for Security Warning window bypass.

This flaw is fixed with Java 1.7.21 update.

External sources:

No comments:

Post a Comment