Advisory Details

October 12th, 2010

Oracle Java Runtime HeadspaceSoundbank.nGetName BANK Record Size Remote Code Execution Vulnerability

ZDI-10-208
ZDI-CAN-715

CVE ID CVE-2010-3559
CVSS SCORE 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
AFFECTED VENDORS Oracle
AFFECTED PRODUCTS Java Runtime
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 10073. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Oracle Java Runtime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the support for processing SoundBank files. While parsing BANK records, the HeadspaceSoundbank.nGetName function improperly sign-extends the one byte value into 4 bytes. It is later used as the size to a memcpy when operating on the BANK record's data. An attacker can abuse this to execute arbitrary code under the context of the user running the web browser.

ADDITIONAL DETAILS Oracle has issued an update to correct this vulnerability. More details can be found at:
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
DISCLOSURE TIMELINE
  • 2010-06-23 - Vulnerability reported to vendor
  • 2010-10-12 - Coordinated public release of advisory
CREDIT Anonymous
BACK TO ADVISORIES