Java Runtime Environment Soundbank Resource Name Stack Buffer Overflow
Added: 04/22/2010
CVE: CVE-2010-0839
BID: 39070
OSVDB: 63494
Background
The Java Runtime Environment (JRE) is part of the Java Development Kit (JDK), a set of programming tools for developing Java applications. The JRE class library includes the Java Sound Application Programming Interface (API), which provides low-level support for audio operations. The Java Sound API includes the Soundbank interface, which contains a set of instruments and SoundbankResources that can be loaded from any stream, including file and network streams.

Problem
JRE is vulnerable to a stack buffer overflow due to a sign extension error when parsing the length of a resource name in a Soundbank file. A remote unauthenticated attacker can exploit this vulnerability by enticing a user to open a malicious Java applet with a vulnerable application.

Resolution
Apply the patch for the vulnerable product.

References
http://secunia.com/advisories/37255/

Limitations
Exploit works on Java SE 6 Update 18 and requires the user to load the exploit page in Internet Explorer 6.

Platforms
Windows
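
The sign extension error described under Problem, shown as an added C illustration that is not JRE code and not part of the original advisory. The one-byte length prefix, the 32-byte name limit, the sample records and both function names are constructed for the example and do not reflect the actual Soundbank format; the flawed routine only reports the length it would accept and performs no copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32 /* constructed destination limit, not the real format's */

/* Flawed pattern: the length byte is read through a signed type, so values
 * 0x80..0xFF become negative, slip under the upper-bound check, and turn
 * into an enormous size_t. Returns the length a copy would be given. */
size_t flawed_accepted_len(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < 1)
        return 0;
    signed char raw = (signed char)rec[0]; /* 0xFF -> -1 on common ABIs */
    int len = raw;                         /* sign-extended to int */
    if (len > NAME_MAX_LEN)                /* only the upper bound is checked */
        return 0;
    return (size_t)len;                    /* -1 -> SIZE_MAX */
}

/* Hardened form: zero-extend the byte, then bound it by the destination
 * size and by the bytes actually present. Returns name length or -1. */
int parse_name(const unsigned char *rec, size_t rec_len,
               char out[NAME_MAX_LEN + 1])
{
    if (rec_len < 1)
        return -1;
    size_t len = rec[0];                   /* 0..255, never negative */
    if (len > NAME_MAX_LEN || len > rec_len - 1)
        return -1;
    memcpy(out, rec + 1, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    const unsigned char bad[] = { 0xFF, 'A' };                 /* constructed */
    const unsigned char ok[] = { 5, 'p', 'i', 'a', 'n', 'o' }; /* constructed */
    char name[NAME_MAX_LEN + 1];

    printf("flawed accepts length %zu\n", flawed_accepted_len(bad, sizeof bad));
    printf("hardened on bad record: %d\n", parse_name(bad, sizeof bad, name));
    printf("hardened on ok record: %d\n", parse_name(ok, sizeof ok, name));
    return 0;
}
```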