-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+------------------------------------------------------------------------------+
|                      Packet Storm Advisory 2013-0917-1                       |
|                       http://packetstormsecurity.com/                        |
+------------------------------------------------------------------------------+
| Title: Oracle Java ShortComponentRaster.verify() Memory Corruption           |
+--------------------+---------------------------------------------------------+
| Release Date       | 2013/09/17                                              |
| Advisory Contact   | Packet Storm (advisories@packetstormsecurity.com)       |
| Researcher         | Name Withheld                                           |
+--------------------+---------------------------------------------------------+
| System Affected    | Oracle Java                                             |
| Versions Affected  | Prior to 7u25                                           |
| Vendor Patched     | 2013/06/18                                              |
| Classification     | 0-day                                                   |
+--------------------+---------------------------------------------------------+

+----------+
| OVERVIEW |
+----------+

The release of this advisory provides exploitation details in relation to a
known patched vulnerability in Oracle Java. These details were obtained
through the Packet Storm Bug Bounty program and are being released to the
community.

+------------------------------------------------------------------------------+

+---------+
| DETAILS |
+---------+

The ShortComponentRaster.verify() method in Oracle Java versions prior to 7u25
contains a memory corruption vulnerability that allows "dataOffsets[]"
boundary checks to be bypassed when the "numDataElements" field is 0. This
vulnerability allows for remote code execution. User interaction is required
for this exploit in that the target must visit a malicious page or open a
malicious file.
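
An added illustration of the check bypass described above (not Oracle's code
and not part of the original advisory): a simplified Java model that assumes
the size check loops over "numDataElements", shown beside one defensive form.
The class name, method names and sample values are hypothetical.

```java
// Simplified model of a raster layout check; NOT the JDK source.
// Assumption (not stated on the page): the largest reachable index is found
// in a loop bounded by numDataElements.
public class RasterLayoutCheck {

    // Weak form: with numDataElements == 0 the loop body never runs, maxIndex
    // stays 0, and no dataOffsets[] entry is ever compared with dataLength.
    static boolean weakVerify(int dataLength, int width, int height, int scanlineStride,
                              int pixelStride, int[] dataOffsets, int numDataElements) {
        int maxIndex = 0;
        for (int i = 0; i < numDataElements; i++) {
            int last = (height - 1) * scanlineStride + (width - 1) * pixelStride
                     + dataOffsets[i];
            maxIndex = Math.max(maxIndex, last);
        }
        return dataLength > maxIndex;
    }

    // Defensive form (one option, not Oracle's patch): reject an empty element
    // count, check every offset in the array, and do the arithmetic in long.
    static boolean hardenedVerify(int dataLength, int width, int height, int scanlineStride,
                                  int pixelStride, int[] dataOffsets, int numDataElements) {
        if (width <= 0 || height <= 0 || scanlineStride < 0 || pixelStride < 0) {
            return false;
        }
        if (numDataElements <= 0 || numDataElements > dataOffsets.length) {
            return false;
        }
        long span = (long) (height - 1) * scanlineStride + (long) (width - 1) * pixelStride;
        for (int offset : dataOffsets) {
            if (offset < 0 || span + offset >= dataLength) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample: 4x4 layout over a 16-element buffer, one offset
        // far outside the buffer, element count set to 0.
        int[] badOffsets = {1_000_000};
        System.out.println("weak, count=0:     " + weakVerify(16, 4, 4, 4, 1, badOffsets, 0));
        System.out.println("hardened, count=0: " + hardenedVerify(16, 4, 4, 4, 1, badOffsets, 0));
        System.out.println("hardened, count=1: " + hardenedVerify(16, 4, 4, 4, 1, badOffsets, 1));
        System.out.println("hardened, valid:   " + hardenedVerify(16, 4, 4, 4, 1, new int[] {0}, 1));
    }
}
```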

+------------------------------------------------------------------------------+

+------------------+
| PROOF OF CONCEPT |
+------------------+

The full exploit code that pops calc.exe is available here:

http://packetstormsecurity.com/files/123263/
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/28331.tgz

+------------------------------------------------------------------------------+

+---------------+
| RELATED LINKS |
+---------------+

http://www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html

+------------------------------------------------------------------------------+

+----------------+
| SHAMELESS PLUG |
+----------------+

The Packet Storm Bug Bounty program gives researchers the ability to profit
from their discoveries. You can get paid thousands of dollars for one day
and zero day exploits. Get involved by contacting us at
getpaid@packetstormsecurity.com or visit the bug bounty page at:

http://packetstormsecurity.com/bugbounty/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlI33ckACgkQrM7A8W0gTbHNzQCeOF96AHgyotSfrnyH6/LRYLnT
NT4An3Q9ROmph1+K/voONZE/MDxpDCxW
=wVjP
-----END PGP SIGNATURE-----