JOAL 2.0-rc11 Remote Code Execution

Posted Aug 23, 2013
Authored by FuzzMyApp Disclosure

JOAL version 2.0-rc11 suffers from remote code execution vulnerabilities.

tags | advisory, remote, vulnerability, code execution
advisories | CVE-2013-4099
MD5 | 26736c020d17c2ab3570ed692eacdd06

0. Introduction

Vendor description:
The JOAL Project hosts a reference implementation of the Java bindings for the OpenAL API, and is designed to provide hardware-supported 3D specialized audio for games written in Java.

1. Affected software
JOAL 2.0-rc11

2. Vulnerability
The FuzzMyApp team has identified several bugs in OpenAL32.dll which can lead to code execution.
OpenAL32.dll is distributed in signed JAR files, which makes it possible to build a malicious applet around it.
If the user has not used any of JogAmp's libraries before, they have to accept the installation.
If the user already has the Sven Gothel certificate among their Java trusted certificates (i.e. has used JogAmp before), no interaction is needed.

Vulnerable methods:
01. jogamp.openal.ALImpl.dispatch.alAuxiliaryEffectSlotf1(IIFJ)V
02. jogamp.openal.ALImpl.dispatch.alBuffer3f1(IIFFFJ)V
03. jogamp.openal.ALImpl.dispatch.alBufferfv1(IILjava/lang/Object;IZJ)V
04. jogamp.openal.ALImpl.dispatch.alDeleteEffects1(ILjava/lang/Object;IZJ)V
05. jogamp.openal.ALImpl.dispatch.alEffectf1(IIFJ)V
06. jogamp.openal.ALImpl.dispatch.alEffectfv1(IILjava/lang/Object;IZJ)V
07. jogamp.openal.ALImpl.dispatch.alEffectiv1(IILjava/lang/Object;IZJ)V
08. jogamp.openal.ALImpl.dispatch.alEnable1(IJ)V
09. jogamp.openal.ALImpl.dispatch.alFilterfv1(IILjava/lang/Object;IZJ)V
10. jogamp.openal.ALImpl.dispatch.alFilteriv1(IILjava/lang/Object;IZJ)V
11. jogamp.openal.ALImpl.dispatch.alGenAuxiliaryEffectSlots1(ILjava/lang/Object;IZJ)V
12. jogamp.openal.ALImpl.dispatch.alGenEffects1(ILjava/lang/Object;IZJ)V
13. jogamp.openal.ALImpl.dispatch.alGenFilters1(ILjava/lang/Object;IZJ)V
14. jogamp.openal.ALImpl.dispatch.alGenSources1(ILjava/lang/Object;IZJ)V
15. jogamp.openal.ALImpl.dispatch.alGetAuxiliaryEffectSlotiv1(IILjava/lang/Object;IZJ)V
16. jogamp.openal.ALImpl.dispatch.alGetBuffer3f1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
17. jogamp.openal.ALImpl.dispatch.alGetBuffer3i1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
18. jogamp.openal.ALImpl.dispatch.alGetBufferf1(IILjava/lang/Object;IZJ)V
19. jogamp.openal.ALImpl.dispatch.alGetBufferiv1(IILjava/lang/Object;IZJ)V
20. jogamp.openal.ALImpl.dispatch.alGetDoublev1(ILjava/lang/Object;IZJ)V
21. jogamp.openal.ALImpl.dispatch.alGetEffectf1(IILjava/lang/Object;IZJ)V
22. jogamp.openal.ALImpl.dispatch.alGetEffectfv1(IILjava/lang/Object;IZJ)V
23. jogamp.openal.ALImpl.dispatch.alGetEffectiv1(IILjava/lang/Object;IZJ)V
24. jogamp.openal.ALImpl.dispatch.alGetEnumValue1(Ljava/lang/String;J)I
25. jogamp.openal.ALImpl.dispatch.alGetFilteri1(IILjava/lang/Object;IZJ)V
26. jogamp.openal.ALImpl.dispatch.alGetFilteriv1(IILjava/lang/Object;IZJ)V
27. jogamp.openal.ALImpl.dispatch.alGetFloat1(IJ)F
28. jogamp.openal.ALImpl.dispatch.alGetFloatv1(ILjava/lang/Object;IZJ)V
29. jogamp.openal.ALImpl.dispatch.alGetListener3f1(ILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
30. jogamp.openal.ALImpl.dispatch.alGetListener3i1(ILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
31. jogamp.openal.ALImpl.dispatch.alGetListenerf1(ILjava/lang/Object;IZJ)V
32. jogamp.openal.ALImpl.dispatch.alGetListeneri1(ILjava/lang/Object;IZJ)V
33. jogamp.openal.ALImpl.dispatch.alGetListeneriv1(ILjava/lang/Object;IZJ)V
34. jogamp.openal.ALImpl.dispatch.alGetProcAddress1(Ljava/lang/String;J)J
35. jogamp.openal.ALImpl.dispatch.alGetProcAddressStatic(Ljava/lang/String;J)J
36. jogamp.openal.ALImpl.dispatch.alGetSource3f1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
37. jogamp.openal.ALImpl.dispatch.alGetSource3i1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
38. jogamp.openal.ALImpl.dispatch.alGetSourcef1(IILjava/lang/Object;IZJ)V
39. jogamp.openal.ALImpl.dispatch.alGetSourcefv1(IILjava/lang/Object;IZJ)V
40. jogamp.openal.ALImpl.dispatch.alGetSourcei1(IILjava/lang/Object;IZJ)V
41. jogamp.openal.ALImpl.dispatch.alGetSourceiv1(IILjava/lang/Object;IZJ)V
42. jogamp.openal.ALImpl.dispatch.alGetString1(IJ)Ljava/lang/String;
43. jogamp.openal.ALImpl.dispatch.alIsAuxiliaryEffectSlot1(IJ)Z
44. jogamp.openal.ALImpl.dispatch.alIsBuffer1(IJ)Z
45. jogamp.openal.ALImpl.dispatch.alIsEffect1(IJ)Z
46. jogamp.openal.ALImpl.dispatch.alIsExtensionPresent1(Ljava/lang/String;J)Z
47. jogamp.openal.ALImpl.dispatch.alIsFilter1(IJ)Z
48. jogamp.openal.ALImpl.dispatch.alListener3f1(IFFFJ)V
49. jogamp.openal.ALImpl.dispatch.alListener3i1(IIIIJ)V
50. jogamp.openal.ALImpl.dispatch.alListenerf1(IFJ)V
51. jogamp.openal.ALImpl.dispatch.alListenerfv1(ILjava/lang/Object;IZJ)V
52. jogamp.openal.ALImpl.dispatch.alListeneri1(IIJ)V
53. jogamp.openal.ALImpl.dispatch.alListeneriv1(ILjava/lang/Object;IZJ)V
54. jogamp.openal.ALImpl.dispatch.alSource3f1(IIFFFJ)V
55. jogamp.openal.ALImpl.dispatch.alSource3i1(IIIIIJ)V
56. jogamp.openal.ALImpl.dispatch.alSourcef1(IIFJ)V
57. jogamp.openal.ALImpl.dispatch.alSourcefv1(IILjava/lang/Object;IZJ)V
58. jogamp.openal.ALImpl.dispatch.alSourcei1(IIIJ)V
59. jogamp.openal.ALImpl.dispatch.alSourceiv1(IILjava/lang/Object;IZJ)V
60. jogamp.openal.ALImpl.dispatch.alSourcePause1(IJ)V
61. jogamp.openal.ALImpl.dispatch.alSourcePausev1(ILjava/lang/Object;IZJ)V
62. jogamp.openal.ALImpl.dispatch.alSourcePlay1(IJ)V
63. jogamp.openal.ALImpl.dispatch.alSourcePlayv1(ILjava/lang/Object;IZJ)V
64. jogamp.openal.ALImpl.dispatch.alSourceQueueBuffers1(IILjava/lang/Object;IZJ)V
65. jogamp.openal.ALImpl.dispatch.alSourceRewindv1(ILjava/lang/Object;IZJ)V
66. jogamp.openal.ALImpl.dispatch.alSourceStop1(IJ)V
67. jogamp.openal.ALImpl.dispatch.alSourceStopv1(ILjava/lang/Object;IZJ)V
68. jogamp.openal.ALImpl.dispatch.alSourceUnqueueBuffers1(IILjava/lang/Object;IZJ)V
69. jogamp.openal.ALImpl.dispatch.alSpeedOfSound1(FJ)V

Malformed method parameters allow full control of the EIP register, which leads to remote code execution.
Crash dumps are available here:
http://www.fuzzmyapp.com/advisories/FMA-2012-038/FMA-2012-038-EN.xml.

3. Fix
JogAmp released a new version (2.0.2-rc12) fixing the JOAL issues.
All previously signed JAR files have been removed.
Signed JAR files are now restricted to the codebase '*.jogamp.org'.
The latest JOAL implementation does not depend on the buggy OpenAL library.
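As an added defender-side check (example code, not part of the advisory or of the JogAmp project), the script below reads a JAR's manifest and flags the two conditions the fix addresses: the affected JOAL version, and a missing or non-vendor Codebase attribute that would let the signed code be served from any site. The sample manifests and the attribute names used for the version check are assumptions constructed for the example.

```python
import io
import zipfile
# Constructed sample manifests (not the project's real files): one as a pre-fix
# signed JAR might look, one with the Codebase restriction from section 3.
UNRESTRICTED_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Implementation-Version: 2.0-rc11\r\n"
    "Application-Name: Java Bindings for the OpenAL API (JOAL) reference\r\n"
    "  implementation\r\n"  # manifest lines wrap at 72 bytes; continuation = 1 space
)
RESTRICTED_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Implementation-Version: 2.0.2-rc12\r\n"
    "Codebase: *.jogamp.org\r\n"
)

def parse_manifest(text):
    """Main section of a JAR manifest as a dict; wrapped values are re-joined."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line:
            break  # first blank line ends the main section
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]  # continuation: drop the one leading space
            continue
        name, _, value = line.partition(":")
        last = name.strip()
        attrs[last] = value.strip()
    return attrs

def build_jar(manifest_text):  # in-memory JAR holding only its manifest
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()

def audit_jar(jar_bytes, expected_codebase="*.jogamp.org"):
    """Findings: affected version, or a Codebase not pinned to the vendor's hosts."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    findings = []
    if attrs.get("Implementation-Version") == "2.0-rc11":  # the affected release
        findings.append("affected version " + attrs["Implementation-Version"])
    codebase = attrs.get("Codebase")
    if codebase is None:
        findings.append("no Codebase attribute: signed JAR can be served from any site")
    elif codebase != expected_codebase:
        findings.append("Codebase %r is not %r" % (codebase, expected_codebase))
    return findings
```

Point `audit_jar` at the bytes of a real JOAL JAR to check a local copy; an empty list means the manifest carries the vendor's codebase restriction and is not the affected release.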

4. Credit
FuzzMyApp Team
http://www.fuzzmyapp.com/

5. References
http://www.fuzzmyapp.com/advisories/FMA-2012-038/FMA-2012-038-EN.xml
http://forum.jogamp.org/Release-2-0-2-rc12-td4029471.html
http://labb.zafena.se/?p=799

- FuzzMyApp
