Java floating-point value denial-of-service vulnerability: hazard analysis - vulnerability warning - 黑吧安全网 (MyHack58)

ID MYHACK58:62201130221
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-04-27T00:00:00



By Emptiness Prodigal Heart

A Java vulnerability, CVE-2010-4476, results in a denial of service. Everyone who read the bulletin saw the sample code it gives, which is fairly long, and the implication is that a developer would have to write exactly that kind of code on the server for it to matter.

Our first thought is naturally: with code that long, how many developers would be foolish enough to write it? So why patch at all? In fact I know that many companies still have not patched. That is fine by the attacker: you are going to get hit.

First, look at the code given in the official bulletin.

Send a Java program into an infinite loop. Compile this program and run it; the program hangs (at least it does on a 32-bit system with the latest JRE/JDK at the time):

```java
class runhang {
    public static void main(String[] args) {
        System.out.println("Test:");
        // On an unpatched JRE parseDouble never returns, so the next line is never reached.
        double d = Double.parseDouble("2.2250738585072012e-308");
        System.out.println("Value: " + d);
    }
}
```

Send the Java compiler into an infinite loop. Try to compile this program; javac hangs, because it converts the literal with the same runtime routine that Double.parseDouble uses:

```java
class compilehang {
    public static void main(String[] args) {
        double d = 2.2250738585072012e-308;
        System.out.println("Value: " + d);
    }
}
```

The official sample gives two cases. Simplified:

This line hangs at compile time: `double d = 2.2250738585072012e-308;`

This line hangs at run time: `double d = Double.parseDouble("2.2250738585072012e-308");`

I found the trailing System.out.println odd. According to my own tests and the official explanation, that statement can never run: the program is already in an infinite loop inside the conversion, so how could execution reach it? That is not important, though.

The vulnerability discussed below assumes that our developers have written some "XXX" code which lets an attacker attack our server. Working backwards from the vulnerability: it only triggers when the value passed into the program is under the user's control, because no developer writes that literal into the code directly. The compile-time hang is almost impossible to reach in practice; it is hard to imagine a normal operation that requires the server to compile and run code submitted by a user. So the vulnerability can only come from the run-time line: `double d = Double.parseDouble("2.2250738585072012e-308");`. Pushing one step further, the value must be user-controlled, so in a Java web application the vulnerable code a developer would have to write looks like this:

`double d = Double.parseDouble(request.getParameter("double"));`

When a developer writes such code, an attacker only has to submit a request whose double parameter carries the value:

double=2.2250738585072012e-308

The program then "hangs." (At first I did not know what that word meant here. A hung process shows nothing on the surface, but in fact the CPU goes to 100% immediately, the current thread never gets anywhere, and the page freezes and gives no response at all. Other pages may still be fine, because the web container is multi-threaded, but with one thread pinning the CPU at 100% you can imagine what the page speed is like.)

Many people stop reading at this point: unless a developer really writes code like this, the vulnerability is hard to reach, so there is no need to patch. But Java web development went down the framework road many years ago: the familiar Spring MVC, Struts2, WebWork and so on, and even some companies' own frameworks, such as Alibaba's open-source webx (http://code.taobao.org/project/view/401/). In a framework like this, is the developer any more likely to do the type conversion himself? No: the framework is responsible for it. Does that mean the vulnerability cannot exist? That is exactly the most frightening part. In these frameworks the developer never touches type conversion at all. The user submits the string 2.2250738585072012e-308 and the framework converts it to a Double automatically; in my tests every framework does this automatic conversion, otherwise there would be little point to the framework. The developer has to do nothing. As long as the action holds an object and the object has a field of type Double, the path exists, and he may not even have defined the object himself: another developer defined it earlier, and he only writes one action. For example (the two classes live in separate files):

```java
import com.opensymphony.xwork2.ActionSupport;

// Order-processing action. Struts2 reads the request parameter "order.money"
// and calls setOrder()/setMoney() on our behalf; we never parse anything.
public class OrderAction extends ActionSupport {
    // Order object, populated from request parameters by the framework
    public Order order;

    public Order getOrder() { return order; }
    public void setOrder(Order order) { this.order = order; }

    public String execute() {
        return SUCCESS;
    }
}

// The order object
public class Order {
    // There may be other fields as well; only the Double-typed one matters here.
    Double money;

    public Double getMoney() { return money; }
    public void setMoney(Double money) { this.money = money; }
}
```

This is a very common way to write an action: all it takes is one Double field on the Order object. We can submit to this action:

order.money=2.2250738585072012e-308

And it "hangs." We can even write a scanner. Which fields are usually declared as double? The scanner crawls the pages and grabs the input names behind the forms; if it sees user.name, it guesses that the user object may also have a money, a score, points and so on, sets each of them to this value and submits automatically. This amounts to running a dictionary against the object's likely double-typed field names. Is there a live example? The daily payment limit at NetEase Bao (网易宝, 163.com's payment service):

[screenshot: the daily payment limit form]

In the normal case, enter 1 as the amount and see the effect:


The response comes back immediately. But now enter 2.2250738585072012e-308:

[screenshot: the form submitted with the trigger value]

Wait, wait, wait... wait until the flowers have wilted, and still no response! Guess what happened to their server?

Java web frameworks have developed to the point where developers and architects have forgotten about type conversion altogether; they no longer need to do it, and the code gets simpler and simpler. While studying this vulnerability I asked several senior architects, and even they thought "developers would never write code like this," so our programs could not be affected. In the end I built a test environment on an existing framework myself, watched the CPU really go to 100%, and only then believed in the harm this exploit does through the framework. I believe the J2EE frameworks' "perfect support" for this vulnerability is enough to bring down many portals. And this is only the beginning: you may feel lucky, but reading the other articles on this vulnerability will dispel that idea completely.
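As an added example (my own code, not from the article or from any of the frameworks it names), here is what the defensive side of the above looks like. It assumes the servlet API and uses the hypothetical class names FloatGuard and FloatGuardFilter. The article's point is that with a framework the developer never calls Double.parseDouble, so the check has to sit at the request edge, before automatic conversion. BigDecimal parses a decimal string exactly without going through the FloatingDecimal loop that hangs, which lets us locate the value first. That matters because the trigger is not the one literal: any spelling with the same exact value (extra zeros, a shifted exponent) converts identically, so comparing strings is not enough. The zone checked here is the subnormal/normal boundary the published trigger sits at; the guard is a stopgap for an unpatched runtime, not a replacement for patching.

```java
import java.io.IOException;
import java.math.BigDecimal;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Added example, not code from the article. Class and method names are hypothetical.
final class FloatGuard {
    // Smallest normal double 2^-1022 and its two neighbours; the known trigger
    // strings are decimals whose exact value falls between these doubles.
    static final double LARGEST_SUBNORMAL = Double.longBitsToDouble(0x000FFFFFFFFFFFFFL);
    static final double NEXT_NORMAL       = Double.longBitsToDouble(0x0010000000000001L);
    // BigDecimal(double) is exact, so these bounds carry no rounding.
    private static final BigDecimal ZONE_LO = new BigDecimal(LARGEST_SUBNORMAL);
    private static final BigDecimal ZONE_HI = new BigDecimal(NEXT_NORMAL);
    // Plain decimal syntax as Double.parseDouble accepts it, optional f/F/d/D suffix.
    private static final Pattern DECIMAL =
            Pattern.compile("[+-]?(\\d+\\.?\\d*|\\.\\d+)([eE][+-]?\\d+)?[fFdD]?");
    static final String TRIGGER = "2.2250738585072012e-308";

    /** Exact value of s, or null when s is not a plain decimal (NaN, Infinity, hex float, junk). */
    static BigDecimal exactValue(String s) {
        if (s == null) return null;
        String t = s.trim();
        if (!DECIMAL.matcher(t).matches()) return null;
        char last = t.charAt(t.length() - 1);
        if ("fFdD".indexOf(last) >= 0) t = t.substring(0, t.length() - 1); // BigDecimal rejects the suffix
        return new BigDecimal(t);
    }

    private static boolean inZone(BigDecimal abs) {
        return abs.compareTo(ZONE_LO) >= 0 && abs.compareTo(ZONE_HI) <= 0;
    }

    /** True when converting s would land on the subnormal/normal boundary, whatever its spelling. */
    static boolean inTriggerZone(String s) {
        BigDecimal v = exactValue(s);
        return v != null && inZone(v.abs());
    }

    /** Drop-in for Double.parseDouble: inside the zone it rounds to nearest (ties to even) itself. */
    static double safeParse(String s) {
        BigDecimal v = exactValue(s);
        if (v == null || !inZone(v.abs())) return Double.parseDouble(s); // ordinary path
        BigDecimal a = v.abs();
        double best = Double.MIN_NORMAL;                 // even mantissa: wins both possible ties
        BigDecimal bestDist = a.subtract(new BigDecimal(Double.MIN_NORMAL)).abs();
        for (double c : new double[] { LARGEST_SUBNORMAL, NEXT_NORMAL }) {
            BigDecimal d = a.subtract(new BigDecimal(c)).abs();
            if (d.compareTo(bestDist) < 0) { best = c; bestDist = d; }
        }
        return v.signum() < 0 ? -best : best;
    }

    /** Runs the trigger in a daemon thread; true if it is still looping after 2 s (unpatched JRE). */
    static boolean runtimeAffected() throws InterruptedException {
        Thread t = new Thread(new Runnable() {
            public void run() { Double.parseDouble(TRIGGER); }
        });
        t.setDaemon(true); // an unpatched loop cannot be interrupted; daemon status lets the JVM exit
        t.start();
        t.join(2000);
        return t.isAlive();
    }
}

/** Rejects trigger values before the web framework's String -> Double conversion ever sees them. */
public final class FloatGuardFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Map<String, String[]> params = req.getParameterMap();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            for (String value : e.getValue()) {
                if (FloatGuard.inTriggerZone(value)) {
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                            "rejected numeric parameter: " + e.getKey());
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }

    // Stand-alone probe: several spellings of the same value, plus a patched-JRE check.
    public static void main(String[] args) throws InterruptedException {
        String[] probes = { FloatGuard.TRIGGER, "0.00022250738585072012e-304",
                            "2.225073858507201200000e-308", "2.2250738585072014e-308", "1.0" };
        for (String p : probes)
            System.out.println(p + " zone=" + FloatGuard.inTriggerZone(p) + " value=" + FloatGuard.safeParse(p));
        System.out.println("JRE affected: " + FloatGuard.runtimeAffected());
    }
}
```

Register the filter in web.xml ahead of the framework's own filter. It sees only query-string and form parameters; request bodies the framework decodes itself (JSON, multipart) need the same check applied there. The runtimeAffected() probe is the quickest way to tell whether a JRE still needs the fix, which Oracle shipped in JDK 6 Update 24 and as the separate Floating Point Updater tool for older installs.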