Vulnerability Development mailing list archives

Re: Java and buffer overflows

From: Javier Blanque <jblanque () anice net ar>
Date: Wed, 26 Jun 2002 14:17:57 -0300

It is possible that JVM protects against the majority of buffer overflows,

but it is not entirely protected against DOS attacks, see the nonsenseJava source below. If you run one copy of it, the cpu goes to 100% and deram usage goes to 10-50 % depending o configuration of JVM, available RAMand virtual per process memory (see your process viewer or the top utilitywhen running the test). Running multiple copies may clog a system.Downloading applets and java applications (i.e. with web start) may havean impact on security.

Regards...
Javier Blanqué

class test
{
    public static void main(String args[])
       {
                for (int i = 0; i < 1; i--) {
                                String[] test = nstring(args);
                }
       }

    public static String[] nstring(String args[])
       {
             return (new String[15000000]) ;
       }
}


El Tuesday, 25 June, 2002, a las 12:40 , KF escribió:"

Not sure if this helps .... I was trying to come up with a scenario thatpassed user input to a buffer but the compiler kept barking at me so thisis the best I can do.
[root@qa5 root]# cat test.java
class test
{
       public static void main(String args[])
       {

               String[] test = new String[4];
               test[0] = "A";
               test[1] = "A";
               test[2] = "A";
               test[3] = "A";
               test[4] = "A";
               test[5] = "A";
               test[6] = "A";
       }
}


[root@rcmqa5 root]# javac test.java
[root@rcmqa5 root]# java test
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 4
       at test.main(test.java:11)

-KF


Felix Harris wrote:
I was wondering if code written in JAVA(or .NET) is vulnerable tobuffer overflows.
If yes,what are the differences in the proccess of exploiting?
Any online source?
well afaik one of the main reasons for creating Java was to make it asafe language, as there is no complications between pointers and buffers.Buffers are also lengthchecked, and pointers dont really have therequired scope to be exploited. If there was an exploit for a javaprogram, it would probably exist as a bug in the virtual machine, or ina call to a c/c++ program/library. IIRC, there was something about zlibbeing exploitable?
--
Felix Harris
felix () cannabis net
I say goodbye and raindrops taste like tears
In the pouring rain I stand and die alone

Current thread:

Java and buffer overflows cyber_rider (Jun 23)
- Re: Java and buffer overflows Felix Harris (Jun 25)
  - Re: Java and buffer overflows KF (Jun 26)
    - Re: Java and buffer overflows Javier Blanque (Jun 26)
    - Re: Java and buffer overflows ash (Jun 26)
    - Re: Java and buffer overflows Anibal Ambertin (Jun 27)
- Re: Java and buffer overflows Rafael Anschau (Jun 25)
  - Re: Java and buffer overflows Branko Ivanovic (Jun 26)
  - Re: Java and buffer overflows Nelson Sampaio Araujo Junior (Jun 26)
    - Re: Java and buffer overflows Rafael Anschau (Jun 26)
    - Re: Java and buffer overflows Dave Aitel (Jun 26)
    - Re: Java and buffer overflows KF (Jun 27)
    - Re: Java and buffer overflows Dave Aitel (Jun 27)
    - RE: Java and buffer overflows Zacharias Pigadas (Jun 28)

(Thread continues...)