Saturday, 4 May 2013

Java Security Warning Bypass using JNLP

A flaw exist in Java 'performSSVValidation' method that if combined with JNLP will allow to launch an unsigned Java applet bypassing Security Warning pop-up window. There is undocumented parameter the flawed method accepts and if set to 'true' will instruct Java not to perform applet's signature check.

Sample of specially crafted JNLP file:


<resources> tag contains the name of the JAR file to launch followed by 'applet-desc' pointing at the class file to start the execution with. Setting parameter '__applet_ssv_validated' to 'true' allows for Security Warning window bypass.

This flaw is fixed with Java 1.7.21 update.

External sources:
http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html
http://security-obscurity.blogspot.no/2013/04/the-latest-java-exploit-with-security.html

0 comments:

Post a Comment