Oracle Java lookUpByteBI - Heap Buffer Overflow Vulnerability
Source: vfocus.net  Author: GuHe  Published: 2013-09-10
# Exploit Title: Oracle Java lookupByteBI function heap buffer overflow
# Google Dork:
# Date: 2013-09-03
# Exploit Author: GuHe
# Vendor Homepage: http://www.oracle.com/
# Software Link: http://www.oracle.com/technetwork/java/javase/downloads/index.html
# Version: 7u21 and earlier
# Tested on: Windows 7
# CVE : CVE-2013-2470
   
   
CVE-2013-2470 - Java_sun_awt_image_ImagingLib_lookupByteBI heap buffer overflow
   
   
1. Affected Software
JRE 7 update 21 and earlier
JRE 6 update 45 and earlier
   
   
2. Root cause analysis
   
The "Java_sun_awt_image_ImagingLib_lookupByteBI" native function performs a
byte lookup operation between two BufferedImage objects.
   
In the following code:
   
    /* Mlib needs 16bit lookuptable and must be signed! */
    if (src->type == MLIB_SHORT) {
        unsigned short *sdataP = (unsigned short *) src->data;
        unsigned short *sP;
        if (dst->type == MLIB_BYTE) {
            unsigned char *cdataP  = (unsigned char *)  dst->data;
            unsigned char *cP;
            if (nbands > 1) {
                retStatus = 0;
            }
            else {
                int x, y;
                for (y=0; y < src->height; y++) {
                    cP = cdataP;
                    sP = sdataP;
                    for (x=0; x < src->width; x++) {
                        *cP++ = table[0][*sP++];
                    }
   
                    /*
                     * 4554571: increment pointers using the scanline stride
                     * in pixel units (not byte units)
                     */
                    cdataP += dstImageP->raster.scanlineStride;
                    sdataP += srcImageP->raster.scanlineStride;
                }
            }
        }
        /* How about ddata == null? */
    }
   
It maps the data in the src raster into the dst raster. The total number of
bytes written to the dst raster buffer is (src->width) * (src->height).
However, the function does not correctly check the size of the dst buffer: if
the dst buffer is smaller than (src->width) * (src->height) bytes, the loop
writes past the end of it and overflows the heap allocation.
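To show what the missing check looks like, here is the same short-to-byte lookup loop guarded by a destination-size validation. This is an added illustration, not code from the JDK or from the advisory; the img_t struct, the dataLen field and the demo_lookup helper are hypothetical stand-ins for the mlib image and raster fields referenced above.

```c
#include <stddef.h>

/* Hypothetical simplified stand-in for the mlib image plus its raster fields. */
typedef struct {
    int width, height;
    int scanlineStride;  /* in pixel units, per the 4554571 comment above */
    size_t dataLen;      /* elements actually allocated behind data */
    void *data;
} img_t;

/* The copy loop touches src->height rows of src->width pixels, advancing each
 * pointer by its own stride. Return 1 only if that stays inside both buffers. */
int lookup_bounds_ok(const img_t *src, const img_t *dst)
{
    if (src->width <= 0 || src->height <= 0) return 0;
    if (src->scanlineStride < src->width || dst->scanlineStride < src->width) return 0;
    if (dst->width < src->width || dst->height < src->height) return 0;
    size_t rows = (size_t)(src->height - 1);
    size_t srcEnd = rows * (size_t)src->scanlineStride + (size_t)src->width;
    size_t dstEnd = rows * (size_t)dst->scanlineStride + (size_t)src->width;
    return srcEnd <= src->dataLen && dstEnd <= dst->dataLen;
}

/* The page's lookup loop with the check in front. 1 = done, 0 = refused. */
int lookup_byte_checked(const img_t *src, img_t *dst, const unsigned char table[65536])
{
    if (!lookup_bounds_ok(src, dst)) return 0;
    const unsigned short *sdataP = (const unsigned short *)src->data;
    unsigned char *cdataP = (unsigned char *)dst->data;
    for (int y = 0; y < src->height; y++) {
        const unsigned short *sP = sdataP;
        unsigned char *cP = cdataP;
        for (int x = 0; x < src->width; x++)
            *cP++ = table[*sP++];
        cdataP += dst->scanlineStride;   /* stride in pixel units */
        sdataP += src->scanlineStride;
    }
    return 1;
}

/* Constructed sample: 4x2 short source, an inverting table, and a destination
 * of the requested geometry (at most 8 pixels). Returns the lookup result and,
 * on success, stores the first destination pixel in *firstOut. */
int demo_lookup(int dstWidth, int dstHeight, unsigned char *firstOut)
{
    static unsigned char table[65536];
    for (int i = 0; i < 65536; i++) table[i] = (unsigned char)(255 - (i & 0xff));
    unsigned short sbuf[8] = { 0, 1, 2, 3, 4, 5, 6, 7 };
    unsigned char dbuf[8] = { 0 };
    img_t src = { 4, 2, 4, 8, sbuf };
    img_t dst = { dstWidth, dstHeight, dstWidth, (size_t)(dstWidth * dstHeight), dbuf };
    int ok = lookup_byte_checked(&src, &dst, table);
    if (ok && firstOut) *firstOut = dbuf[0];
    return ok;
}
```

The unpatched loop has no equivalent of lookup_bounds_ok, so a 2x2 destination paired with a 4x2 source is written as if it held 8 bytes.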
   
   
3. PoC
See "TestByteBI.java" for the source code.
You can test the PoC by opening "HelloApplet.html" directly in a web browser.
   
   
4. Tested on
JRE 7 update 21 on Windows 7 Enterprise