MessageUtils JVM crash
Marc Schoenefeld
mschoene at redhat.com
Wed Jun 17 08:40:09 UTC 2009
Hi Alan,
Alan Bateman wrote:
> I wasn't at the RSA conference in 2003 so it wasn't me :-) It may
> be that the attacks involved calling sun.* APIs directly, something
> that you can't do if there is a security manager. The XSLT issue is
> more significant and I'm pretty sure that specific issue was fixed a
> few years ago.
Even if there is a security manager, you still need to make sure that no
privileged code (having access rights to sun.*) forwards tainted data to the
vulnerable sun.* functions.
Until 2007 you could use the sun.misc.MessageUtils.toStderr bug to
reliably crash OpenOffice in the OObase startup database/script
by calling sun.* via HSQLDB (CVE-2007-4575).
SET DATABASE COLLATION "Latin1_General"
[...]
SELECT * FROM "FirstTable"
WHERE ID="sun.misc.MessageUtils.toStderr"(NULL);
To my knowledge Java in OpenOffice still does not use a security manager
in all places, so this problem was fixed by blocking arbitrary
class access in HSQLDB.
So the intention is to finally fix the root cause, instead of
further allowing this to cause trouble in unexpected places :)
> As regards sun.misc.MessageUtils, I don't see any problem fixing this.
> I notice the return from NewStringUTF isn't checked. Unfortunately
> this (very old) code is also missing checks for the calls to
> GetStringChars and malloc. Also, I assume that the additional \0 isn't
> needed.
Unfortunately most of my JNI knowledge was acquired during the Java
1.1/1.2 era, so it may not be state-of-the-art anymore.
We also had an internal discussion about the \0 and decided to keep it
in the code. So I leave that up to you :)
> -Alan.
Best Regards
Marc
--
Marc Schoenefeld / Red Hat Security Response Team