Java Deployment Toolkit Insufficient Validation of Parameters Vulnerability Patch Analysis

I spent some time to figure out what Oracle did to fix the @taviso’s 0-day. I digged into javasw.exe and java.exe and javaw.exe for the patched parts in vain. The binaries are all identical except the version numbers. And finally I got that they were in the deploytk and deployJava1 files. They changed the file name of COM control for the CLSID “{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}”. Originally it was deploytk and it became deployJava1. That’s why I didn’t try to diff them at first.

So here’s what I got after I crack diffed two files.

You see, the left side is the unpatched function and right side is patched one. Unpatched one has whole a lot of red and yellow blocks. Red block means it has no match in the other side. Yellow block means the block has been changed. In short, the whole function’s basic blocks have been changed or removed. The function is responsible for querying registry key for JNLPFile Shell Open key and launching it using CreateProcessA API. And they removed it to fix @taviso’s 0-day. Simple! No further analysis needed. But I’m not so sure how this will impact their normal deploy process.

Anyway that’s it for now and thanks for reading.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: