Sun JDK image parsing vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Sun JDK image parsing vulnerabilities
From: "Chris Evans" <scarybeasts@xxxxxxxxx>
Date: Wed, 5 Mar 2008 18:04:32 -0800
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; bh=UwKAgW7tnT4LT1kOnxcgAqM3DR9DtYAcNAJziW6XUGE=; b=dLOLRs9+MYs70862/l3vRwirGNxGA1nhRjfzak/epOqEjeh2DA8g9N1Et+ZK8ojTTYPt0+2Rd8gCG3Or/WAssVYp3EuPaKip0+hAdpz5xpHyaGiI6qplKO3kIf5c1Hb0Fv26+EmrJZpAGKEDQyBpFqZxbSXj/rfy4FFzHeWwM8Y=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=G5SssrUxZd1KVO7oIoIHUaoGNR1+RF+4jFu3GWiVtWDydWOdJ0CvT1JL4eY+6d6gKrFQvVkwH3N80v5xbQICYSau/mVLvnfWeuwJ/jYF+YQ4XzILiHA04wyKPNvd4DE/WYE2Y5RDnJoO+jwBJXuWiJ6ZXUAk5Ou/XitdxheHsH0=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hi,

A couple more JPEG ICC parsing bugs were fixed in the latest JDK updates.

Full technical details:
http://scary.beasts.org/security/CESA-2007-005.html

The most interesting part is the faulty code:
  Limit = SpGetUInt32 (Buf);
...
  UInt16Ptr = (KpUInt16_t *)SpMalloc (Limit * (KpInt32_t)sizeof (*UInt16Ptr));
...
  for (Index = 0; Index < Limit; Index++)
    *UInt16Ptr++ = SpGetUInt16 (Buf);
...

And the image to trigger:
http://scary.beasts.org/misc/jdk/evilicc2.jpg

Normally, the heap overflow would just terminate the process as the
copy length is kind of wild. However, JDK installs a SEGV handler
which accesses a lot of (potentially trashed) memory in the process of
putting together a meaningful crash dump. It's quite likely that this
makes the condition exploitable as per a previous bug in this area:
http://scary.beasts.org/security/CESA-2006-004.html

Blog post for all of the above:
http://scarybeastsecurity.blogspot.com/2008/03/sun-jdk-image-parsing-vulnerabilities.html

Cheers
Chris

Prev by Date: Re: Firewire Attack on Windows Vista
Next by Date: Checkpoint VPN-1 UTM Edge cross-site scripting
Previous by thread: [SECURITY] [DSA 1503-2] New Linux kernel 2.4.27 packages fix several issues
Next by thread: Checkpoint VPN-1 UTM Edge cross-site scripting
Index(es):
- Date
- Thread