Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19351
HistoryMar 07, 2008 - 12:00 a.m.

Sun JDK image parsing vulnerabilities

2008-03-0700:00:00
vulners.com
18
JSON

Hi,

A couple more JPEG ICC parsing bugs were fixed in the latest JDK updates.

Full technical details:
http://scary.beasts.org/security/CESA-2007-005.html

The most interesting part is the faulty code:
Limit = SpGetUInt32 (Buf);

UInt16Ptr = (KpUInt16_t *)SpMalloc (Limit * (KpInt32_t)sizeof (*UInt16Ptr));

for (Index = 0; Index < Limit; Index++)
*UInt16Ptr++ = SpGetUInt16 (Buf);

And the image to trigger:
http://scary.beasts.org/misc/jdk/evilicc2.jpg

Normally, the heap overflow would just terminate the process as the
copy length is kind of wild. However, JDK installs a SEGV handler
which accesses a lot of (potentially trashed) memory in the process of
putting together a meaningful crash dump. It's quite likely that this
makes the condition exploitable as per a previous bug in this area:
http://scary.beasts.org/security/CESA-2006-004.html

Blog post for all of the above:
http://scarybeastsecurity.blogspot.com/2008/03/sun-jdk-image-parsing-vulnerabilities.html

Cheers
Chris

JSON