Oracle Java lookUpByteBI - Heap Buffer Overflow

🗓️ 03 Sep 2013 00:00:00Reported by GuHeType

Oracle Java heap buffer overflow in lookupByteBI functio

Reporter	Title	Published	Views	Family All 220
0day.today	Oracle Java lookUpByteBI - Heap Buffer Overflow Vulnerability	3 Sep 201300:00	–	zdt
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM WebSphere Real Time	25 Sep 202221:06	–	ibm
IBM Security Bulletins	Security Bulletin: Potential security vulnerabilities with JavaTM SDKs	25 Sep 202221:06	–	ibm
IBM Security Bulletins	Security Bulletin: WebSphere Application Server - Oracle CPU shipped with Rational Application Developer for WebSphere Software June 2013 (CVE-2013-1571)	5 Feb 202000:09	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Tivoli Composite Application Manager for Transactions affected by vulnerabilities in IBM JRE (Multiple CVEs)	25 Sep 202221:06	–	ibm
IBM Security Bulletins	Security Bulletin: Tivoli Storage Productivity Center - Oracle CPU June 2013	26 Sep 202222:21	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in the IBM Java SDK	25 Sep 202221:06	–	ibm
IBM Security Bulletins	Security Bulletin: WebSphere Application Server - Oracle CPU shipped with Rational Developer for System z June 2013 (CVE-2013-1571)	27 Oct 202015:51	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Tivoli Monitoring clients affected by vulnerabilities in IBM JRE executed under a security manager.	26 Sep 202205:45	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Rational Functional Tester versions 8.x due to security vulnerabilities in IBM JRE 7.0 Service Release 4 Fix Pack 1 or earlier, and non-IBM Java 7.0	29 Sep 201820:06	–	ibm

# Exploit Title: Oracle Java lookupByteBI function heap buffer overflow
# Google Dork:
# Date: 2013-09-03
# Exploit Author: GuHe
# Vendor Homepage: http://www.oracle.com/
# Software Link:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
# Version: 7u21 and eariler
# Tested on: Windows 7
# CVE : CVE-2013-2470

PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/28050.zip


CVE-2013-2470 - Java_sun_awt_image_ImagingLib_lookupByteBI heap buffer
overflow


1. Affected Software
JRE 7 update 21 and earlier
JRE 6 update 45 and earlier


2. Root cause analysis

The "Java_sun_awt_image_ImagingLib_lookupByteBI" performs byte lookup
operation on two BufferedImage.

In the following code:

 /* Mlib needs 16bit lookuptable and must be signed! */
    if (src->type == MLIB_SHORT) {
        unsigned short *sdataP = (unsigned short *) src->data;
        unsigned short *sP;
        if (dst->type == MLIB_BYTE) {
            unsigned char *cdataP  = (unsigned char *)  dst->data;
            unsigned char *cP;
            if (nbands > 1) {
                retStatus = 0;
            }
            else {
                int x, y;
                for (y=0; y < src->height; y++) {
                    cP = cdataP;
                    sP = sdataP;
                    for (x=0; x < src->width; x++) {
                        *cP++ = table[0][*sP++];
                    }

                    /*
                     * 4554571: increment pointers using the scanline stride
                     * in pixel units (not byte units)
                     */
                    cdataP += dstImageP->raster.scanlineStride;
                    sdataP += srcImageP->raster.scanlineStride;
                }
            }
        }
        /* How about ddata == null? */
    }

It tries to map data in src raster to the dst raster. The total bytes
written to dst rater buffer is:
(src->width) * (src->height). However, it does not correctly check the size
of the dst buffer, if the size of the
dst buffer is smaller than (src->width) * (src->height), it will be
overflowed.


3. Poc
See "TestByteBI.java" for the source code.
And you can test the poc by directly open the "HelloApplet.html" in a web
browser.


4. Tested on
JRE 7 update 21 on Windows 7 Enterprise

03 Sep 2013 00:00Current

7.8High risk

Vulners AI Score7.8

CVSS 210

EPSS0.54412