Exploit:Java/CVE-2009-3869.M

Exploit:Java/CVE-2009-3869.M is a Java applet (file size: 2593 bytes) that attempts to execute a buffer overflow exploit that may allow the execution of an arbitrary code with escalated privileges. The applet exploits a buffer overflow which existed in processing malformed images or audio files and affects Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17.

Exploit:Java/CVE-2009-3869.M may be encountered when visiting a malicious Web page. If the applet is opened within a vulnerable computer, it may allow execution of arbitrary code with escalated privileges.

Executes arbitrary code

The applet exploits a buffer overflow which existed in processing malformed images or audio files and affects Sun Java SE in JDK and JRE 5.0 before Update 22 and JDK and JRE 6 before Update 17. The applet exports Java class "vmain" with several member functions named "HB", "HexDecode", "mspray" and "paint". The member function "mspray" crafts an image in memory which is than passed to the "paint" function.

 

The "paint" function then calls "drawImage" from the standard AWT Java library causing a buffer overflow and potentially executing code from the memory allocated by the "mspray" function.

It is not uncommon for antivirus software to detect malicious Java applets in a Web browser's cache. It doesn’t necessarily mean that the system is compromised. Most of the time it reflects the fact that at some stage a Web page with a malicious applet had been visited and cached internally. To thwart such a notification it is often enough to purge the cache using a Web browser's configurable security options.

 

See the following link for more information about the vulnerability described in CVE-2009-3869:

• CVE-2009-3869

 

Analysis by Oleg Petrovsky & Chris Stubbs