##############################################################################
#
# Java Web Start JNLP Command Line Argument Injection Vulnerability (Windows)
#
# Copyright: OS2A and it's member companies
#
# Date Written: 2005/12/26
#
# $Revision: 1.2 $
#
# $Log: os2a_javawebstart_jnlp_injection_win_600792.nasl,v $
# Revision 1.2 2007/01/29 11:45:03 ajagadeesh
# --Changed Risk factor
#
# Revision 1.1 2005/12/29 11:56:38 bchandra
# Issue #1358 To production
#
# Revision 1.2 2005/12/26 13:20:03 nrnandini
# - Removed extra spaces
# issue #1358
#
# Revision 1.1 2005/12/26 11:03:03 ksjayesh
# ssue #1358
#
#
#
# ------------------------------------------------------------------------
# This program was written by OS2A and/or it's member companies and is
# licensed under the GNU GPL license. Please see below for details. This
# header contains information regarding licensing terms under the GPL, and
# information regarding obtaining source code from the Author. Consequently,
# pursuant to section 3(c) of the GPL, you must accompany the information
# found in this header with any distribution you make of this Program.
# ------------------------------------------------------------------------
##############################################################################

# Registration pass: when `description` is set, the script only declares its
# metadata (ID, references, family, report text, prerequisites) and exits
# without examining any host.
if(description)
{
  script_id(600792);
  script_bugtraq_id(12847);
  script_cve_id("CVE-2005-0836");
  script_copyright(english:"Copyright (C) 2005 OS2A");
  script_version("$Revision: 1.2 $");

  # Information-gathering category: the check below only reads values
  # already stored in the knowledge base.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_name(english:"Java Web Start JNLP Command Line Argument Injection Vulnerability (Windows)");
  script_summary(english:"Check for vulnerable version of Java JRE");

  # Report text shown with the finding. The literal is kept exactly as it
  # appears in the source, including its line breaks; it covers overview,
  # impact, affected releases, the fixed release, workarounds and references.
  desc["english"] = " Overview : An argument injection vulnerability in Java Web Start could allow an untrusted application to elevate its privileges and execute arbitrary code. 
This is caused due to an input validation error when handling property tags in JNLP files. This can be exploited to pass arbitrary command line arguments to the virtual machine by tricking a user into opening a malicious JNLP file. More information can be found at the following location, http://sunsolve.sun.com/search/document.do?assetkey=1-26-57740-1 Impact : An attacker could exploit this issue to gain unauthorized read and write access to affected computers. Unauthorized access granted in this way will be with the privileges of the unsuspecting user that visits a malicious website. Successful exploitation can lead to the Java sandbox being disabled. Scope of impact is limited to system level. Affected Software : Java Web Start in the following J2SE releases: 1.4.2_06 and earlier 1.4.2 Affected Platform : Any system running the affected Software. Solution : Update to the fixed version: J2SE release 1.4.2_07 or later http://java.sun.com/j2se/1.4.2/download.html Workaround : 1. Disable Java Web Start applications from being launched from a web browser as follows: For Internet Explorer: 1. Right click on the -Start- button and select -Explore- 2. In the -Start Menu- window, select -Tools- => -Folder Options- 3. From the -Folder Options- window, select the -File Types- tab 4. From the -Registered File Types- window, scroll down and locate the -JNLP - JNLP File- 5. Select the -JNLP - JNLP File- and click the -Delete- button For Mozilla: 1. Select -Preferences- under the browser's -Edit- menu 2. In the -Preferences- window, select -Helper Applications- located under the -Navigator- category 3. Under -Files types-, scroll down and locate -application/x-java-jnlp-file- 4. Select -application/x-java-jnlp-file- and click the -Remove- button 2. Rename the Java Web Start launcher -javaws- to prevent Java Web Start from launching through command line. 
The launcher can be found at $PROGRAMS_DIR\java\j2re1.4.2\javaws\javaws.exe References : http://marc.theaimsgroup.com/?l=full-disclosure&m=111117284323657&w=2 http://secunia.com/advisories/14640 CVSS Score : CVSS Base Score : 8.0 (AV:R/AC:H/Au:NR/C:C/I:C/A:C/B:N) CVSS Temporal Score : 6.3 Risk factor : High";
  script_description(english:desc["english"]);

  # Prerequisites: both KB keys must already exist before this check runs.
  # NOTE(review): presumably os2a_java_jre_win_detect_600776.nasl is what
  # stores Java/WebStart/Windows/Version - confirm against that plugin.
  script_dependencies("os2a_java_jre_win_detect_600776.nasl", "smb_hotfixes.nasl");
  script_require_keys("Java/WebStart/Windows/Version", "SMB/WindowsVersion");
  script_require_ports(139, 445);
  exit(0);
}

# Detection pass. Nothing is sent to the target here: the verdict comes
# entirely from the version string recorded in the knowledge base.

# Stop unless a Windows version has been recorded for this host.
if(!get_kb_item("SMB/WindowsVersion"))
{
  exit(0);
}

ws_version = get_kb_item("Java/WebStart/Windows/Version");

# The pattern is anchored at both ends, so it matches only "1.4.2" exactly or
# "1.4.2_00" through "1.4.2_06". That lines up with the fixed release named
# in the report text (1.4.2_07). A value carrying anything after the update
# number would not match.
# NOTE(review): confirm the detection plugin stores the bare version string.
#
# Because only the version is inspected, a host on an affected release is
# reported even if the workarounds from the report text (removing the JNLP
# file association, renaming the javaws launcher) have been applied.
is_affected = ereg(pattern:"^1\.4\.2($|_0[0-6]$)", string:ws_version);
if(is_affected)
{
  # Port 0: the finding is not tied to a specific service port.
  security_hole(0);
}