82 lines
No EOL
3.1 KiB
Text
82 lines
No EOL
3.1 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA1
|
|
|
|
+------------------------------------------------------------------------------+
|
|
| Packet Storm Advisory 2013-0819-1 |
|
|
| http://packetstormsecurity.com/ |
|
|
+------------------------------------------------------------------------------+
|
|
| Title: Oracle Java BytePackedRaster.verify() Signed Integer Overflow |
|
|
+--------------------+---------------------------------------------------------+
|
|
| Release Date | 2013/08/19 |
|
|
| Advisory Contact | Packet Storm (advisories@packetstormsecurity.com) |
|
|
| Researcher | Name Withheld |
|
|
+--------------------+---------------------------------------------------------+
|
|
| System Affected | Oracle Java |
|
|
| Versions Affected | Prior to 7u25 |
|
|
| Vendor Patched | 2013/06/18 |
|
|
| Classification | 0-day |
|
|
+--------------------+---------------------------------------------------------+
|
|
|
|
+----------+
|
|
| OVERVIEW |
|
|
+----------+
|
|
|
|
The release of this advisory provides exploitation details in relation to a
|
|
known patched vulnerability in Oracle Java. These details were obtained
|
|
through the Packet Storm Bug Bounty program and are being released to the
|
|
community.
|
|
|
|
+------------------------------------------------------------------------------+
|
|
|
|
+---------+
|
|
| DETAILS |
|
|
+---------+
|
|
|
|
The BytePackedRaster.verify() method in Oracle Java versions prior to 7u25
|
|
is vulnerable to a signed integer overflow that allows bypassing of
|
|
"dataBitOffset" boundary checks. This vulnerability allows for remote code
|
|
execution. User interaction is required for this exploit in that the target
|
|
must visit a malicious page or open a malicious file.
|
|
|
|
+------------------------------------------------------------------------------+
|
|
|
|
+------------------+
|
|
| PROOF OF CONCEPT |
|
|
+------------------+
|
|
|
|
The full exploit code that pops calc.exe is available here:
|
|
http://packetstormsecurity.com/files/122865/
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/27754.tgz
|
|
|
|
+------------------------------------------------------------------------------+
|
|
|
|
+---------------+
|
|
| RELATED LINKS |
|
|
+---------------+
|
|
|
|
http://www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html
|
|
|
|
+------------------------------------------------------------------------------+
|
|
|
|
|
|
+----------------+
|
|
| SHAMELESS PLUG |
|
|
+----------------+
|
|
|
|
The Packet Storm Bug Bounty program gives researchers the ability to profit
|
|
from their discoveries. You can get paid thousands of dollars for one day
|
|
and zero day exploits. Get involved by contacting us at
|
|
getpaid@packetstormsecurity.com or visit the bug bounty page at:
|
|
|
|
http://packetstormsecurity.com/bugbounty/
|
|
|
|
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v1.4.14 (GNU/Linux)
|
|
|
|
iEYEARECAAYFAlISqa4ACgkQrM7A8W0gTbG7lwCgrha8ukKjfCtKnsKEPZ5uMRSO
|
|
JAEAnjybqCvr9Xcu28TkXcFauIFx6FSq
|
|
=H4uL
|
|
-----END PGP SIGNATURE----- |