Bugtraq mailing list archives

Sun JDK image parsing vulnerabilities
From: "Chris Evans" <scarybeasts () gmail com>
Date: Wed, 5 Mar 2008 18:04:32 -0800

Hi,

A couple more JPEG ICC parsing bugs were fixed in the latest JDK updates.

Full technical details:
http://scary.beasts.org/security/CESA-2007-005.html

The most interesting part is the faulty code:
  Limit = SpGetUInt32 (Buf);              /* element count taken straight from the ICC data */
...
  UInt16Ptr = (KpUInt16_t *)SpMalloc (Limit * (KpInt32_t)sizeof (*UInt16Ptr));  /* 32-bit product wraps for a large Limit, so the buffer is undersized */
...
  for (Index = 0; Index < Limit; Index++) /* the copy loop still runs Limit times, past the end of the buffer */
    *UInt16Ptr++ = SpGetUInt16 (Buf);
...

And the image to trigger:
http://scary.beasts.org/misc/jdk/evilicc2.jpg

Normally, the heap overflow would just terminate the process as the
copy length is kind of wild. However, JDK installs a SEGV handler
which accesses a lot of (potentially trashed) memory in the process of
putting together a meaningful crash dump. It's quite likely that this
makes the condition exploitable as per a previous bug in this area:
http://scary.beasts.org/security/CESA-2006-004.html

Blog post for all of the above:
http://scarybeastsecurity.blogspot.com/2008/03/sun-jdk-image-parsing-vulnerabilities.html

Cheers
Chris
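The sizing bug in the quoted loop, and a bounded reader that rejects the same input, as an added illustration (not Chris Evans' code or the JDK's; `get_u32`/`get_u16` are assumed helpers standing in for SpGetUInt32/SpGetUInt16, and the sample tables are constructed):

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Size the faulty code passes to SpMalloc: Limit * sizeof(KpUInt16_t)
 * evaluated in 32-bit arithmetic. A large Limit wraps it to a tiny value
 * while the copy loop still runs Limit iterations. Mirrors the bug only;
 * nothing is allocated here. */
uint32_t faulty_alloc_size(uint32_t limit) {
    return limit * (uint32_t)sizeof(uint16_t);
}

/* Big-endian reads over a bounded buffer; assumed helpers in place of the
 * JDK's SpGetUInt32/SpGetUInt16, which carry no length. */
static int get_u32(const uint8_t *b, size_t len, size_t *pos, uint32_t *out) {
    if (len - *pos < 4) return -1;
    *out = ((uint32_t)b[*pos] << 24) | ((uint32_t)b[*pos + 1] << 16) |
           ((uint32_t)b[*pos + 2] << 8) | b[*pos + 3];
    *pos += 4;
    return 0;
}

static int get_u16(const uint8_t *b, size_t len, size_t *pos, uint16_t *out) {
    if (len - *pos < 2) return -1;
    *out = (uint16_t)((b[*pos] << 8) | b[*pos + 1]);
    *pos += 2;
    return 0;
}

/* Hardened reader: the count is checked against the bytes actually present
 * before it sizes the allocation or drives the loop, so neither the
 * multiplication nor the copy can run past the buffer. Returns NULL on
 * truncated or oversized input; the caller frees the table. */
uint16_t *read_u16_table(const uint8_t *b, size_t len, uint32_t *count) {
    size_t pos = 0;
    uint32_t limit;
    if (get_u32(b, len, &pos, &limit)) return NULL;
    if (limit > (len - pos) / sizeof(uint16_t)) return NULL; /* would overrun */
    uint16_t *table = malloc((limit ? limit : 1) * sizeof(uint16_t));
    if (!table) return NULL;
    for (uint32_t i = 0; i < limit; i++) {
        if (get_u16(b, len, &pos, &table[i])) { free(table); return NULL; }
    }
    *count = limit;
    return table;
}

/* Constructed samples: a valid 3-entry table, and a header whose count
 * wraps the 32-bit size computation to just 2 bytes. */
const uint8_t good_table[] = {0, 0, 0, 3, 0x12, 0x34, 0xAB, 0xCD, 0x00, 0x01};
const uint8_t bad_table[]  = {0x80, 0, 0, 1, 0x41, 0x41};
```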

