exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

java.util.zip Denial Of Service

java.util.zip Denial Of Service
Posted Feb 17, 2012
Authored by Timo Warns | Site pre-cert.de

PRE-CERT Security Advisory - The function countCENHeaders() in zip_util.c of the java.util.zip implementation contains an off-by-one bug. The bug can be exploited via corrupted ZIP files to cause an endless recursion. The endless recursion results in a segmentation fault of the JVM. Oracle Java SE and IcedTea6 have multiple affected versions.

tags | advisory, java
advisories | CVE-2012-0501
SHA-256 | b5f37a7f307a6f81bd2dc8df66689823d138dc57ed9df9c9fb504453144b4fc0

java.util.zip Denial Of Service

Change Mirror Download
PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-01
* Released on: 16th February 2012
* Affected products: Oracle Java SE 7 below Update 3
Oracle Java SE 6 below Update 31
IcedTea6 1.8.x below 1.8.13
IcedTea6 1.9.x below 1.9.13
IcedTea6 1.10.x below 1.10.6
IcedTea6 1.11.x below 1.11.1
IcedTea 2.x below 2.0.1
Older versions may also be affected.
* Impact: denial-of-service
* Origin: java.util.zip
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-0501


Summary
-------

The function countCENHeaders() in zip_util.c of the java.util.zip
implementation contains an off-by-one bug. The bug can be exploited via
corrupted ZIP files to cause an endless recursion. The endless recursion
results in a segmentation fault of the JVM.

The following assessment is based on the JDK sources available from
Oracle's website (jdk-6u23-fcs-src-b05-jrl-12_nov_2010.jar).

readCEN() in zip_util.c is used by java.util.zip to read the central
directory of ZIP files.

It reads the total number of entries from the ZIP file via the
ENDTOT field:

(543) total = (knownTotal != -1) ? knownTotal : ENDTOT(endbuf);

A corrupted ZIP file may have set the total number of entries to 0.
Alternatively, knownTotal may have been passed as a parameter with
value 0.

readCEN() iterates over all directory entries

(552) for (i = 0, cp = cenbuf; cp <= cenend - CENHDR; i++, cp +=
CENSIZE(cp)) {

and recognizes an incorrect total field

(557) if (i >= total) {

In this case, readCEN() counts the total number of fields via
countCENHeaders() before calling itself recursively

(561) cenpos = readCEN(zip, countCENHeaders(cenbuf, cenend));

However, countCENHeaders() has an off-by-one bug. It fails to count
an entry that is precisely CENHDR bytes long

(431) for (i = 0; i + CENHDR < end - beg; i += CENSIZE(beg + i))

and returns 0 in this case.

Hence, readCEN() is called recursively with knownTotal = 0 resulting
in an endless recursion.


Solution
--------

The issue was fixed in the following versions:
Oracle Java SE 7 Update 3
Oracle Java SE 6 Update 31
IcedTea6 1.8.13
IcedTea6 1.9.13
IcedTea6 1.10.6
IcedTea6 1.11.1
IcedTea 2.0.1
IcedTea 2.1


References
----------

http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
http://blog.fuseyism.com/index.php/2012/02/15/security-icedtea6-1-8-13-1-9-13-1-10-6-and-icedtea-2-0-1-released/
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-February/017233.html
http://blog.fuseyism.com/index.php/2012/02/15/icedtea-2-1-released-openjdk7-u3-release/

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-01.txt


Contact
--------

PRE-CERT can be reached under precert@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close