The technical details for this pair of vulnerabilities can be found here:
http://scary.beasts.org/security/CESA-2007-005.html
These vulnerabilities follow on from my original advisory in this area:
http://scary.beasts.org/security/CESA-2006-004.html
There are lots of interesting sub-stories here.
The first is that exploitation of the heap buffer overflows (in both the old and new advisories) relies on the fact that the JDK environment has a SEGV handler installed. These particular heap overflows will always try to perform massively long copies, and therefore fault partway through the copy. That would be a DoS only, were it not for the SEGV handler: as part of trying to dump out a good crash report, it can access the trashed memory, which turns the crash into an exploitable condition.
The second is that this is a very dangerous class of attack. Most previous JDK attacks apply to running untrusted applets. These bugs, however, also trigger in server-side environments where JPEG parsing is performed. Direct, data-driven compromise of servers is quite unfortunate, especially in a runtime environment where memory corruptions can't usually occur.