JOAL OpenAL32.dll File Security Vulnerability

Vulnerability ID: 1162085
Vulnerability type: Unknown
Published: 2013-08-21
Updated: 2013-08-21
CVE ID: CVE-2013-4099
CNNVD ID: CNNVD-201406-300
Platform: N/A
CVSS score: 10.0
|Vulnerability sources
https://www.securityfocus.com/bid/61950
https://cxsecurity.com/issue/WLB-2013080184
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201406-300
|Vulnerability details
JOGAMP is the JogAmp community's Java library for 3D graphics, multimedia and processing; it contains modules such as JOAL, JOGL and JOCL. JOAL is its reference implementation of the Java bindings for the OpenAL API (an open-source, cross-platform audio API) and provides hardware-supported 3D specialized audio for games written in Java. The OpenAL32.dll file in the JOAL 2.0-rc11 version used by JOGAMP contains a security vulnerability, which stems from multiple methods in the jogamp.openal.ALImpl.dispatch file not properly filtering their parameters. An attacker can exploit this vulnerability with specially crafted parameters to execute arbitrary code. The methods include: (1) alAuxiliaryEffectSlotf1, (2) alBuffer3f1, (3) alBufferfv1, (4) alDeleteEffects1, (5) alEffectf1, (6) alEffectfv1, (7) alEffectiv1, (8) alEnable1, (9) alFilterfv1, (10) alFilteriv1, (11) alGenAuxiliaryEffectSlots1, (12) alGenEffects1, (13) alGenFilters1, (14) alGenSources1, (15) alGetAuxiliaryEffectSlotiv1, (16) alGetBuffer3f1, (17) alGetBuffer3i1, (18) alGetBufferf1, (19) alGetBufferiv1, (20) alGetDoublev1, (21) alGetEffectf1, (22) alGetEffectfv1, (23) alGetEffectiv1, (24) alGetEnumValue1, (25) alGetFilteri1, (26) alGetFilteriv1, (27) alGetFloat1, (28) alGetFloatv1, (29) alGetListener3f1, (30) alGetListener3i1, (31) alGetListenerf1, (32) alGetListeneri1, (33) alGetListeneriv1, (34) alGetProcAddress1, (35) alGetProcAddressStatic, (36) alGetSource3f1, (37) alGetSource3i1, (38) alGetSourcef1, (39) alGetSour
|Vulnerability EXP

0. Introduction

    Vendor description:
    The JOAL Project hosts a reference implementation of the Java bindings for OpenAL API,
    and is designed to provide hardware-supported 3D specialized audio for games written in Java.

1. Affected software
    JOAL 2.0-rc11

2. Vulnerability
    The FuzzMyApp team has identified several bugs in OpenAL32.dll which can lead to code execution.
    OpenAL32.dll is distributed in signed JAR files, which allows a malicious applet to be created.
    If the user has not used any of JogAmp's libraries before, the installation must be accepted.
    If the user has a Sven Gothel certificate among the Java trusted certificates (i.e. has used JogAmp before),
    no interaction is needed.

    Vulnerable methods:
    01. jogamp.openal.ALImpl.dispatch.alAuxiliaryEffectSlotf1(IIFJ)V
    02. jogamp.openal.ALImpl.dispatch.alBuffer3f1(IIFFFJ)V
    03. jogamp.openal.ALImpl.dispatch.alBufferfv1(IILjava/lang/Object;IZJ)V
    04. jogamp.openal.ALImpl.dispatch.alDeleteEffects1(ILjava/lang/Object;IZJ)V
    05. jogamp.openal.ALImpl.dispatch.alEffectf1(IIFJ)V
    06. jogamp.openal.ALImpl.dispatch.alEffectfv1(IILjava/lang/Object;IZJ)V
    07. jogamp.openal.ALImpl.dispatch.alEffectiv1(IILjava/lang/Object;IZJ)V
    08. jogamp.openal.ALImpl.dispatch.alEnable1(IJ)V
    09. jogamp.openal.ALImpl.dispatch.alFilterfv1(IILjava/lang/Object;IZJ)V
    10. jogamp.openal.ALImpl.dispatch.alFilteriv1(IILjava/lang/Object;IZJ)V
    11. jogamp.openal.ALImpl.dispatch.alGenAuxiliaryEffectSlots1(ILjava/lang/Object;IZJ)V
    12. jogamp.openal.ALImpl.dispatch.alGenEffects1(ILjava/lang/Object;IZJ)V
    13. jogamp.openal.ALImpl.dispatch.alGenFilters1(ILjava/lang/Object;IZJ)V
    14. jogamp.openal.ALImpl.dispatch.alGenSources1(ILjava/lang/Object;IZJ)V
    15. jogamp.openal.ALImpl.dispatch.alGetAuxiliaryEffectSlotiv1(IILjava/lang/Object;IZJ)V
    16. jogamp.openal.ALImpl.dispatch.alGetBuffer3f1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
    17. jogamp.openal.ALImpl.dispatch.alGetBuffer3i1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
    18. jogamp.openal.ALImpl.dispatch.alGetBufferf1(IILjava/lang/Object;IZJ)V
    19. jogamp.openal.ALImpl.dispatch.alGetBufferiv1(IILjava/lang/Object;IZJ)V
    20. jogamp.openal.ALImpl.dispatch.alGetDoublev1(ILjava/lang/Object;IZJ)V
    21. jogamp.openal.ALImpl.dispatch.alGetEffectf1(IILjava/lang/Object;IZJ)V
    22. jogamp.openal.ALImpl.dispatch.alGetEffectfv1(IILjava/lang/Object;IZJ)V
    23. jogamp.openal.ALImpl.dispatch.alGetEffectiv1(IILjava/lang/Object;IZJ)V
    24. jogamp.openal.ALImpl.dispatch.alGetEnumValue1(Ljava/lang/String;J)I
    25. jogamp.openal.ALImpl.dispatch.alGetFilteri1(IILjava/lang/Object;IZJ)V
    26. jogamp.openal.ALImpl.dispatch.alGetFilteriv1(IILjava/lang/Object;IZJ)V
    27. jogamp.openal.ALImpl.dispatch.alGetFloat1(IJ)F
    28. jogamp.openal.ALImpl.dispatch.alGetFloatv1(ILjava/lang/Object;IZJ)V
    29. jogamp.openal.ALImpl.dispatch.alGetListener3f1(ILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
    30. jogamp.openal.ALImpl.dispatch.alGetListener3i1(ILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
    31. jogamp.openal.ALImpl.dispatch.alGetListenerf1(ILjava/lang/Object;IZJ)V
    32. jogamp.openal.ALImpl.dispatch.alGetListeneri1(ILjava/lang/Object;IZJ)V
    33. jogamp.openal.ALImpl.dispatch.alGetListeneriv1(ILjava/lang/Object;IZJ)V
    34. jogamp.openal.ALImpl.dispatch.alGetProcAddress1(Ljava/lang/String;J)J
    35. jogamp.openal.ALImpl.dispatch.alGetProcAddressStatic(Ljava/lang/String;J)J
    36. jogamp.openal.ALImpl.dispatch.alGetSource3f1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
    37. jogamp.openal.ALImpl.dispatch.alGetSource3i1(IILjava/lang/Object;IZLjava/lang/Object;IZLjava/lang/Object;IZJ)V
    38. jogamp.openal.ALImpl.dispatch.alGetSourcef1(IILjava/lang/Object;IZJ)V
    39. jogamp.openal.ALImpl.dispatch.alGetSourcefv1(IILjava/lang/Object;IZJ)V
    40. jogamp.openal.ALImpl.dispatch.alGetSourcei1(IILjava/lang/Object;IZJ)V
    41. jogamp.openal.ALImpl.dispatch.alGetSourceiv1(IILjava/lang/Object;IZJ)V
    42. jogamp.openal.ALImpl.dispatch.alGetString1(IJ)Ljava/lang/String;
    43. jogamp.openal.ALImpl.dispatch.alIsAuxiliaryEffectSlot1(IJ)Z
    44. jogamp.openal.ALImpl.dispatch.alIsBuffer1(IJ)Z
    45. jogamp.openal.ALImpl.dispatch.alIsEffect1(IJ)Z
    46. jogamp.openal.ALImpl.dispatch.alIsExtensionPresent1(Ljava/lang/String;J)Z
    47. jogamp.openal.ALImpl.dispatch.alIsFilter1(IJ)Z
    48. jogamp.openal.ALImpl.dispatch.alListener3f1(IFFFJ)V
    49. jogamp.openal.ALImpl.dispatch.alListener3i1(IIIIJ)V
    50. jogamp.openal.ALImpl.dispatch.alListenerf1(IFJ)V
    51. jogamp.openal.ALImpl.dispatch.alListenerfv1(ILjava/lang/Object;IZJ)V
    52. jogamp.openal.ALImpl.dispatch.alListeneri1(IIJ)V
    53. jogamp.openal.ALImpl.dispatch.alListeneriv1(ILjava/lang/Object;IZJ)V
    54. jogamp.openal.ALImpl.dispatch.alSource3f1(IIFFFJ)V
    55. jogamp.openal.ALImpl.dispatch.alSource3i1(IIIIIJ)V
    56. jogamp.openal.ALImpl.dispatch.alSourcef1(IIFJ)V
    57. jogamp.openal.ALImpl.dispatch.alSourcefv1(IILjava/lang/Object;IZJ)V
    58. jogamp.openal.ALImpl.dispatch.alSourcei1(IIIJ)V
    59. jogamp.openal.ALImpl.dispatch.alSourceiv1(IILjava/lang/Object;IZJ)V
    60. jogamp.openal.ALImpl.dispatch.alSourcePause1(IJ)V
    61. jogamp.openal.ALImpl.dispatch.alSourcePausev1(ILjava/lang/Object;IZJ)V
    62. jogamp.openal.ALImpl.dispatch.alSourcePlay1(IJ)V
    63. jogamp.openal.ALImpl.dispatch.alSourcePlayv1(ILjava/lang/Object;IZJ)V
    64. jogamp.openal.ALImpl.dispatch.alSourceQueueBuffers1(IILjava/lang/Object;IZJ)V
    65. jogamp.openal.ALImpl.dispatch.alSourceRewindv1(ILjava/lang/Object;IZJ)V
    66. jogamp.openal.ALImpl.dispatch.alSourceStop1(IJ)V
    67. jogamp.openal.ALImpl.dispatch.alSourceStopv1(ILjava/lang/Object;IZJ)V
    68. jogamp.openal.ALImpl.dispatch.alSourceUnqueueBuffers1(IILjava/lang/Object;IZJ)V
    69. jogamp.openal.ALImpl.dispatch.alSpeedOfSound1(FJ)V

    Malformed method parameters allow full control of the EIP register, which leads
    to remote code execution.
    Crash dumps are available here:
    http://www.fuzzmyapp.com/advisories/FMA-2012-038/FMA-2012-038-EN.xml
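    As an added example (not code from JogAmp or FuzzMyApp), a small Python audit helper that decodes JNI descriptors like the ones listed above and flags the two parameter shapes worth reviewing at a Java/native boundary: a trailing long and an (Object, int, boolean) buffer run. The meaning given to those shapes follows GlueGen's generated-binding conventions and is an assumption here; every descriptor in the list above ends in J, so all 69 methods would be flagged.

```python
import re
# Added audit helper (not JogAmp/FuzzMyApp code): decode JNI descriptors, flag risky params
PRIMITIVES = {"B": "byte", "C": "char", "D": "double", "F": "float",
              "I": "int", "J": "long", "S": "short", "Z": "boolean", "V": "void"}
FLAG_LONG = "trailing long: raw native address passed from Java"
FLAG_BUF = "untyped buffer + offset: bounds not enforced by the JVM"

def _parse_types(s):
    """Decode a run of JNI type codes ('IILjava/lang/Object;[IZ') into Java names."""
    types, i = [], 0
    while i < len(s):
        dims = 0
        while i < len(s) and s[i] == "[":   # one '[' per array dimension
            dims, i = dims + 1, i + 1
        if s[i] == "L":                      # object type: Lpkg/Class;
            end = s.index(";", i)
            name, i = s[i + 1:end].replace("/", "."), end + 1
        elif s[i] in PRIMITIVES:
            name, i = PRIMITIVES[s[i]], i + 1
        else:
            raise ValueError(f"bad JNI type code {s[i]!r} at offset {i}")
        types.append(name + "[]" * dims)
    return types

def parse_descriptor(desc):
    """'(IIFJ)V' -> (['int', 'int', 'float', 'long'], 'void')."""
    if not desc.startswith("(") or ")" not in desc:
        raise ValueError("descriptor must look like (params)ret")
    close = desc.index(")")
    (ret,) = _parse_types(desc[close + 1:])   # exactly one return type
    return _parse_types(desc[1:close]), ret

def audit_method(entry):
    """Split 'pkg.Class.method(desc)ret' and flag risky shapes. Assumed GlueGen conventions:
    a final long is the native proc address; (Object, int, boolean) is buffer/offset/is-direct."""
    m = re.fullmatch(r"([\w.$]+)(\(.*\).+)", entry)
    if not m:
        raise ValueError(f"not a method entry: {entry!r}")
    params, ret = parse_descriptor(m.group(2))
    flags = [FLAG_LONG] if params and params[-1] == "long" else []
    if any(params[i:i + 3] == ["java.lang.Object", "int", "boolean"]
           for i in range(len(params) - 2)):
        flags.append(FLAG_BUF)
    return {"name": m.group(1), "params": params, "return": ret, "flags": flags}

# Constructed sample: entries copied from the advisory's list above
SAMPLE = ["jogamp.openal.ALImpl.dispatch.alBufferfv1(IILjava/lang/Object;IZJ)V",
          "jogamp.openal.ALImpl.dispatch.alGetEnumValue1(Ljava/lang/String;J)I",
          "jogamp.openal.ALImpl.dispatch.alSpeedOfSound1(FJ)V"]
```

    Run `[audit_method(e) for e in SAMPLE]` to get one report dict per entry; a release audit would feed it the whole method list from a `javap -s` dump of the dispatch class.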

3. Fix
    JOGAMP released a new version (2.0.2-rc12) fixing the JOAL issues.
    All previous signed JAR files have been removed.
    Signed JAR files are restricted to the codebase '*.jogamp.org'.
    The latest JOAL implementation does not depend on the buggy OpenAL library.

4. Credit
    FuzzMyApp Team
    http://www.fuzzmyapp.com/
    
5. References
    http://www.fuzzmyapp.com/advisories/FMA-2012-038/FMA-2012-038-EN.xml
    http://forum.jogamp.org/Release-2-0-2-rc12-td4029471.html
    http://labb.zafena.se/?p=799
   
- FuzzMyApp
|Affected products
Jogamp JOAL 2.0-rc11
|References

Source: labb.zafena.se
Link: http://labb.zafena.se/?p=799
Source: OSVDB
Link: http://osvdb.org/96582
Source: www.fuzzmyapp.com
Link: http://www.fuzzmyapp.com/advisories/FMA-2012-038/FMA-2012-038-EN.xml
Source: BID
Link: http://www.securityfocus.com/bid/61950