Jul 11, 2011 17:43 GMT

Security researchers from ACROS Security have identified a binary planting vulnerability in the Java Runtime Environment (JRE) which allows the execution of arbitrary files.

Binary planting vulnerabilities stem from the way programs search for files they need to load when no absolute path is given.

In such cases, applications make use of a predefined search path that starts with the current working directory. This is the directory from where the original action was initiated.

For example, in the case of a movie player, the working directory is the directory from which the video file was opened. Furthermore, the current working directory can be a network share or even a remote WebDAV resource.

Unfortunately, many programs attempt to open non-existent files as part of their multi-platform compatibility routines.

This means that an attacker can place a file named as one of those in the current working directory and trick the program into executing it.

In the case of Java, the working directory is the directory from where an applet is opened. However, the vulnerability stems from a configuration file called .hotspotrc which the program opens from the working directory.

This file can be used to define several settings for the Java environment, including one called OnOutOfMemoryError="file.exe" that sets which program is run if the operation runs out of memory.

An attacker can create a directory containing an HTML file that loads an applet designed to consume all available memory, a .hotspotrc file set to load a malicious executable, and the executable itself.

This directory can be placed on a network share or remote WebDAV resource, and the victim can be tricked into opening the HTML file in a browser.

However, an important limitation to this attack is that the browser needs to be closed when the file is opened for the working directory to be set correctly. A browser with opened tabs already has the working directory set to something else.
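A defender-side check in the spirit of the scenario above, written as an added example (it is not code from the article or from ACROS Security): walk a directory tree, such as a network share users open applets from, find .hotspotrc files that set OnOutOfMemoryError, and note whether the program they name sits in the same directory. The .hotspotrc format assumed here (one -XX option per line without the -XX: prefix, `#` starting a comment) comes from HotSpot, not from the article, and every file name in the demo is a constructed placeholder.

```python
import os
import tempfile

RISKY_OPTION = "OnOutOfMemoryError"  # the .hotspotrc setting abused in the attack

def parse_hotspotrc(text):
    """Parse .hotspotrc text into {option: value}. Assumed format (HotSpot's,
    not from the article): one -XX option per line without the "-XX:" prefix,
    "+Flag"/"-Flag" for booleans, "Name=value" otherwise, "#" comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line[0] in "+-":
            options[line[1:]] = line[0]
        elif "=" in line:
            name, value = line.split("=", 1)
            options[name.strip()] = value.strip().strip('"')
        else:
            options[line] = None
    return options

def audit_directory(root):
    """Walk root and report .hotspotrc files that set OnOutOfMemoryError."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".hotspotrc" not in files:
            continue
        rc_path = os.path.join(dirpath, ".hotspotrc")
        with open(rc_path, encoding="utf-8", errors="replace") as fh:
            command = parse_hotspotrc(fh.read()).get(RISKY_OPTION)
        if not command:
            continue
        # First token is the program HotSpot would launch on OOM; a copy next
        # to the config file matches the planting pattern the article describes.
        program = os.path.basename(command.split()[0])
        findings.append({"file": rc_path, "command": command,
                         "payload_in_same_dir": os.path.exists(os.path.join(dirpath, program))})
    return findings

def demo():
    """Build a constructed sample share (placeholder names) and audit it."""
    share = os.path.join(tempfile.mkdtemp(), "share")
    os.makedirs(share)
    with open(os.path.join(share, ".hotspotrc"), "w", encoding="utf-8") as fh:
        fh.write('# constructed sample\n+PrintVMOptions\nOnOutOfMemoryError="planted.exe"\n')
    open(os.path.join(share, "planted.exe"), "wb").close()
    return audit_directory(share)
```

Running `demo()` returns one finding for the constructed share with `payload_in_same_dir` set to True; pointing `audit_directory` at a real share root makes the same check on actual data.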

Fixing the bug is not very easy, because it involves either removing a feature that might be used by many applications or limiting it to non-browser use, which might not address all attack vectors.