About a month and a half ago, information about a 0-day vulnerability in the Apple QuickTime plugin was published. It reminded me of a project I had been planning to implement for a while (since 2004, to be precise): a fuzzer that extracts information about the COM objects installed on a system from the registry and scans the binary associated with each COM object for strings. The fuzzer would use the collected information to try to instantiate each object and then fuzz it, using the strings as property names, method names and “magic” argument values. As soon as I had hacked something together, it found a simple buffer overflow in Oracle Java 6 Update 21.
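The data-collection half of that approach, as an added example that is not the post's own fuzzer: it reads COM registrations from a registry export and pulls identifier-looking strings out of the server binary, giving a defender the same inventory of exposed objects and candidate property/method names. The registry text, CLSIDs, paths and binary bytes are constructed stand-ins, not real registrations.

```python
import re
from typing import Dict, List

# Constructed .reg export standing in for HKCR\CLSID; CLSIDs and paths are placeholders.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000AA}]
@="Example Control"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000AA}\InprocServer32]
@="C:\\Example\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000BB}\InprocServer32]
@="C:\\Example\\other.ocx"
"""

# Constructed stand-in for an in-process server binary: a few strings between junk bytes.
SAMPLE_BINARY = b"MZ\x90\x00" + b"\x00" * 8 + b"SetValue\x00\x01\x02LoadFile\x00ab\x00buffer\x00\xff\xfe"

KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$", re.I)
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{3,}$")

def parse_inproc_servers(reg_text: str) -> Dict[str, str]:
    """Map each CLSID to the in-process server binary named by its InprocServer32 default value."""
    servers, current = {}, None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current = m.group(1).upper()
        elif line.startswith("["):
            current = None  # some other key; stop attributing values to the last CLSID
        elif current and line.startswith('@="'):
            servers[current] = line[3:-1].replace("\\\\", "\\")  # .reg escapes backslashes
    return servers

def extract_strings(binary: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes (UTF-16 strings are not handled here)."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, binary)]

def candidate_names(binary: bytes) -> List[str]:
    """Identifier-looking strings, in order of first appearance: the property/method name pool."""
    names: List[str] = []
    for s in extract_strings(binary):
        if IDENT_RE.match(s) and s not in names:
            names.append(s)
    return names

def inventory(reg_text: str, binaries: Dict[str, bytes]) -> Dict[str, dict]:
    """Join each registered CLSID with the names found in its server binary (keyed by path)."""
    return {clsid: {"path": path, "names": candidate_names(binaries.get(path, b""))}
            for clsid, path in parse_inproc_servers(reg_text).items()}
```

On a real system the export comes from `reg export HKCR\CLSID` and the binaries are read from the paths the inventory reports.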
The buffer overflow allows easy control over EIP and creating a working exploit for targets without DEP is as easy as copy+pasting a heap spray into the repro file.
I reported the issue to Oracle, who were already aware of it because it had also been reported to them by Stephen Fewer of Harmony Security through ZDI. Oracle has released a patch for this issue, which is available here.
More details can be found here.