Vulnerability Development mailing list archives

Re: Java and buffer overflows


From: Joe Testa <jtesta () rapid7 com>
Date: Wed, 26 Jun 2002 12:34:09 -0400


By Java's design, code execution is not possible by overflowing a
buffer. However, the program probably doesn't catch
IndexOutOfBoundsExceptions, so it will most likely result in a denial
of service.

I audited many Java HTTP and FTP servers in the past (in the span
of two weeks' time--hey, I was on a roll...), and a lot of them
were affected by directory traversal vulnerabilities, which have
nothing to do with buffer overflows.

Hope this helps.

   - Joe Testa


GPG key:  http://www.cs.rit.edu/~jst3290/joetesta_r7.pub
A22B 2683 C40E 5443 AE52  AD6D 65B2 F5DF 4B11 06B4

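As an added illustration of both points in the reply above (example code, not the poster's): a Java request handler in which an over-long request raises an exception that a top-level catch turns into a dropped connection rather than a dead server, and in which the document-root check is the one a Java file server actually needs. The class and method names, the 4096-byte buffer size and the document root are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical handler written for this example; not from the original post.
public class SafeFileHandler {
    private static final int MAX_REQUEST = 4096; // assumed fixed buffer size
    private final Path docRoot;

    public SafeFileHandler(Path docRoot) throws IOException {
        this.docRoot = docRoot.toRealPath(); // canonical, symlinks resolved
    }

    // Copies request bytes into a fixed buffer. Writing past the end throws
    // ArrayIndexOutOfBoundsException; no stack or heap memory is overwritten,
    // so the only thing at stake is whether the exception is handled.
    static byte[] copyIntoFixedBuffer(byte[] request) {
        byte[] buf = new byte[MAX_REQUEST];
        for (int i = 0; i < request.length; i++) {
            buf[i] = request[i]; // throws at i == MAX_REQUEST for long input
        }
        return buf;
    }

    // Resolves a client-supplied path and rejects anything escaping docRoot.
    // Returns null on a traversal attempt so the caller can answer 403/404.
    Path resolveSafely(String requested) throws IOException {
        String rel = requested.replaceFirst("^/+", ""); // keep it relative
        Path candidate = docRoot.resolve(rel).normalize();
        if (!candidate.startsWith(docRoot)) {
            return null; // "../" segments climbed out of the document root
        }
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(docRoot)) {
            return null; // symlink inside the root that points outside it
        }
        return candidate;
    }

    // Per-connection entry point: a RuntimeException from malformed input is
    // logged and the connection dropped, so one bad request cannot kill the server.
    void handle(byte[] request, String requestedPath) {
        try {
            copyIntoFixedBuffer(request);
            Path p = resolveSafely(requestedPath);
            if (p == null) { System.err.println("rejected path: " + requestedPath); return; }
            // ... serve p from the document root ...
        } catch (RuntimeException | IOException e) {
            System.err.println("dropping connection: " + e);
        }
    }
}
```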
