Vulnerability Development mailing list archives
Re: JNI and buffer overflows (was java and buffer overflows)
From: KF <dotslash () snosoft com>
Date: Thu, 27 Jun 2002 05:08:19 -0400
Btw this ended up causing a Kernel "oops" about 2 minutes later I went to telnet back in and the box was dead...
[root@localhost root]# telnet 10.102.31.45 Trying 10.102.31.45... telnet: connect to address 10.102.31.45: No route to hostI go to the box and got a big nasty Kernel oops dump on the screen. The oops was from kswapd.
-KF KF wrote:
Here is how the JNI overflow situation plays out... I took an 5 minutes or so today to learn how to use JNI and here is what I came up with.Make a jni interface... [root@rcmqa5 JNI]# cat HelloWorld.java class HelloWorld { public static void main(String args[]) { HelloWorld hello = new HelloWorld(); hello.displayMessage(); } public native void displayMessage(); static { System.loadLibrary("HelloWorldImp"); } } compile it [root@rcmqa5 JNI]# javac HelloWorld.java get the jni headers from it [root@rcmqa5 JNI]# javah -jni HelloWorld [root@rcmqa5 JNI]# cat HelloWorld.h /* DO NOT EDIT THIS FILE - it is machine generated */ #include <jni.h> /* Header for class HelloWorld */ #ifndef _Included_HelloWorld #define _Included_HelloWorld #ifdef __cplusplus extern "C" { #endif /* * Class: HelloWorld * Method: displayMessage * Signature: ()V */ JNIEXPORT void JNICALL Java_HelloWorld_displayMessage (JNIEnv *, jobject); #ifdef __cplusplus } #endif #endif Make a .c file with the methods to run when the JNI call is made [root@rcmqa5 JNI]# cat HelloWorld.c #include <stdio.h> #include <stdlib.h> #include "HelloWorld.h" // this header file was generated by javahJNIEXPORT void JNICALL Java_HelloWorld_displayMessage(JNIEnv *env, jobject obj){ char fixed[20]; char *test = getenv("TEST"); sprintf(fixed, "%s", test); printf("%s\n", fixed); } Compile this .c file as a shared object.[root@rcmqa5 JNI]# cc -o libHelloWorldImp.so -shared HelloWorld.c -I/usr/dlc/java/jdk130/include/Now we have a .class and a .so ... we should be ready to roll [root@rcmqa5 JNI]# ls -al total 32 drwxr-xr-x 2 root root 4096 Jun 27 16:36 . drwxrwxrwt 6 root root 4096 Jun 27 16:36 .. -rw-r--r-- 1 root root 203 Jun 27 16:31 HelloWorld.c -rw-r--r-- 1 root root 473 Jun 27 16:35 HelloWorld.class -rw-r--r-- 1 root root 395 Jun 27 16:31 HelloWorld.h -rw-r--r-- 1 root root 235 Jun 27 16:30 HelloWorld.java-rwxr-xr-x 1 root root 5415 Jun 27 16:36 libHelloWorldImp.so[root@rcmqa5 JNI]# export TEST=`perl -e 'print "A" x 50'` [root@rcmqa5 JNI]# java HelloWorld AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA SIGSEGV 11 (*) segmentation violation si_signo [11]: SIGSEGV: (*) segmentation violation si_errno [0]: Success si_code [1]: SEGV_MAPERR [addr: 0x33] stackpointer=0xbffc1ae4 Writing java dump to javacore14629.1025210621.txt ... At this point the session totally hung... (telnet) the javacore14629.blah.txt was never written to...-rw-r--r-- 1 root root 0 Jun 27 16:43 javacore14629.1025210621.txtoddly enough I tryed a HUGE value ... and got totally different results. [root@rcmqa5 JNI]# export TEST=`perl -e 'print "A" x 5000'` [root@rcmqa5 JNI]# java HelloWorld AAAAAAAAAAAAAAAAAAAAA....... (process hung) login on different terminal... type ps -efroot 14863 2877 0 16:50 ? 00:00:00 /usr/dlc/java/jdk130/jre/bin/exe root 14864 2877 0 16:50 ? 00:00:00 /usr/dlc/java/jdk130/jre/bin/exe root 14865 14786 99 16:50 pts/3 00:00:03 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root 14874 14865 0 16:50 pts/3 00:00:00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root 14875 14874 0 16:50 pts/3 00:00:00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root 14876 14874 0 16:50 pts/3 00:00:00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root 14877 14874 0 16:50 pts/3 00:00:00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[root@rcmqa5 JNI]# gdb blah 14865 GNU gdb Red Hat Linux 7.x (5.0rh-15) (MI_OUT) Copyright 2001 Free Software Foundation, Inc.GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.Type "show copying" to see the conditions.There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux"...blah: No such file or directory./tmp/JNI/14865: No such file or directory. Attaching to process 14865 0x40266aae in ?? () (gdb) bt #0 0x40266aae in ?? () #1 0x4030379d in ?? () #2 0x4030378a in ?? () #3 0x40303a76 in ?? () #4 0x40033517 in ?? () #5 <signal handler called> #6 0x40307d03 in ?? () #7 0x40299bbb in ?? () #8 0x40266abf in ?? () #9 0x4030379d in ?? () #10 0x4030378a in ?? () #11 0x40303a76 in ?? () #12 0x40033517 in ?? () #13 <signal handler called> #14 0x40307d03 in ?? () #15 0x40299bbb in ?? () #16 0x40266abf in ?? () #17 0x4030379d in ?? () #18 0x4030378a in ?? () #19 0x40303a76 in ?? () #20 0x40033517 in ?? () #21 <signal handler called> -KF KF wrote:So what you are saying is that you found a buffer overflow in some code that uses JNI? As in there was some c based code that the java invoked? I am currious to see how this works.-KF Dave Aitel wrote:Although, as another poster said, native code invocation is going to continue to be a problem for managed languages such as Java and C# in the years to come. I've found a buffer overflow in native code invoked by a major application server that happened to be written in Java. It's fixed now, btw. :> -dave
Current thread:
- Re: Java and buffer overflows, (continued)
- Re: Java and buffer overflows Anibal Ambertin (Jun 27)
- Re: Java and buffer overflows Rafael Anschau (Jun 25)
- Re: Java and buffer overflows Branko Ivanovic (Jun 26)
- Re: Java and buffer overflows Nelson Sampaio Araujo Junior (Jun 26)
- Re: Java and buffer overflows Rafael Anschau (Jun 26)
- Re: Java and buffer overflows Dave Aitel (Jun 26)
- Re: Java and buffer overflows KF (Jun 27)
- Re: Java and buffer overflows Dave Aitel (Jun 27)
- RE: Java and buffer overflows Zacharias Pigadas (Jun 28)
- JNI and buffer overflows (was java and buffer overflows) KF (Jun 28)
- Re: JNI and buffer overflows (was java and buffer overflows) KF (Jun 28)
- Re: JNI and buffer overflows (was java and buffer overflows) KF (Jun 28)
- Re: Java and buffer overflows Loki (Jun 26)