Vulnerability Development mailing list archives
Re: Java and buffer overflows
From: Dave Aitel <dave () immunitysec com>
Date: 27 Jun 2002 11:34:21 -0400
Well, here's what I'm saying: The server was written in Java. You send a long string in the right place, it crashes. The stack is like a billion calls long, but at the end of it, you get to see 0x4141414141. :> My assumption was a native code interface, but I could have been wrong. :> I didn't bother to write it up because it got taken to the vendor immediately and fixed. Course, if I'd gone public everyone would have whined at me for not knowing every single little thing about the bug, which they were getting owned by already. Frankly, half the time going to the vendor isn't worth the effort. Sometimes, like Mandrake, they just ignore you anyways. -dave On Wed, 2002-06-26 at 23:17, KF wrote:
So what you are saying is that you found a buffer overflow in some code that uses JNI? As in there was some c based code that the java invoked? I am currious to see how this works. -KF Dave Aitel wrote:Although, as another poster said, native code invocation is going to continue to be a problem for managed languages such as Java and C# in the years to come. I've found a buffer overflow in native code invoked by a major application server that happened to be written in Java. It's fixed now, btw. :> -dave
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Re: Java and buffer overflows, (continued)
- Re: Java and buffer overflows KF (Jun 26)
- Re: Java and buffer overflows Javier Blanque (Jun 26)
- Re: Java and buffer overflows ash (Jun 26)
- Re: Java and buffer overflows Anibal Ambertin (Jun 27)
- Re: Java and buffer overflows KF (Jun 26)
- Re: Java and buffer overflows Rafael Anschau (Jun 25)
- Re: Java and buffer overflows Branko Ivanovic (Jun 26)
- Re: Java and buffer overflows Nelson Sampaio Araujo Junior (Jun 26)
- Re: Java and buffer overflows Rafael Anschau (Jun 26)
- Re: Java and buffer overflows Dave Aitel (Jun 26)
- Re: Java and buffer overflows KF (Jun 27)
- Re: Java and buffer overflows Dave Aitel (Jun 27)
- RE: Java and buffer overflows Zacharias Pigadas (Jun 28)
- JNI and buffer overflows (was java and buffer overflows) KF (Jun 28)
- Re: JNI and buffer overflows (was java and buffer overflows) KF (Jun 28)
- Re: JNI and buffer overflows (was java and buffer overflows) KF (Jun 28)
- Re: Java and buffer overflows Loki (Jun 26)