Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Java JNI/DNS Queries DoS

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Java JNI/DNS Queries DoS
Date: 17 Nov 2004 16:44:36 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Java JNI/DNS Queries DoS
------------------------------------------------------------------------


SUMMARY

Due to a programming flaw in the Java JVM code it is possible to force an 
unhandled exception on a Java application if the application is tricked 
into performing many DNS queries. The result is the immediate crashing of 
the Java application.

DETAILS

Vulnerable Systems:
 * Java Virtual Machine version 1.4.x, 1.5.0

Java uses an 'InitialDirContext' to perform DNS lookups. A wrap-around of 
an internal variable renders the context unusable after 32768 requests for 
the next 32768 requests. A remote attacker might trick an application into 
performing a lot of DNS requests which renders the application unusable. 
It might also be the cause of some problems with long running server 
processes.

After 32768 such DNS requests are done without creating a new 
InitialDirContext, Java will issue the following exception:

javax.naming.CommunicationException: DNS error: ID doesn't match;
remaining name 'sun.com'
        at com.sun.jndi.dns.DnsClient.checkHeader(DnsClient.java:426)
        at com.sun.jndi.dns.DnsClient.query(DnsClient.java:162)
        at com.sun.jndi.dns.Resolver.query(Resolver.java:63)
        at 
com.sun.jndi.dns.DnsContext.c_getAttributes(DnsContext.java:410)
        at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
        at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
        at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
        at
javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:121)
        at DNSLookupBug.main(DNSLookupBug.java:17)

In com/sun/jndi/dns/DnsClient.java, 'xid' is of type 'int' but initialized 
by the 'short' 'ident'. Thus if 'ident' reaches 32768, it becomes 
negative, rendering 'xid' negative to '-32768':
    private short ident = 0;           // used to set the msg ID field
[...]
        int xid;
        synchronized (identLock) {
            xid = ++ident;
        }

In the class com/sun/jndi/dns/Header.java, the answer from the DNS server 
is converted backwards but to an 'int' instead of a 'short':
   private static int getShort(byte[] msg, int pos) {
        return (((msg[pos] & 0xFF) << 8) |
                (msg[pos + 1] & 0xFF));
    }

The result of this method gives '32768' which is not equal to '-32768' and 
therefore the failure. A possible fix would be to replace in 
com/sun/jndi/dns/Header.java:
            xid = getShort(msg, pos);
with
            xid = (short) getShort(msg, pos);

Workaround
An application must be written in such a manner as to instantiate a new 
instance of 'InitialDirContext' before the limit of 32768 request is 
reached. Another solution would be to subclass InitialDirContext and let 
'xid' have only positive values.

Proof Of Concept
import java.util.*;
import javax.naming.directory.*;

public class DNSLookupBug {
    public static void main(String[] args) {
        try {
            final Hashtable env = new Hashtable();
            env.put("java.naming.factory.initial",
                    "com.sun.jndi.dns.DnsContextFactory");

            DirContext dnsContext = new InitialDirContext(env);

            final String[] domain = new String[] {"A"};
            for (int i = 0; i < 0xffff; i++) {
                dnsContext.getAttributes("sun.com", domain);
                if (i % 1000 == 0) {
                    // use this as a workaround
                    //dnsContext = new InitialDirContext(env);
                    System.out.println(i);
                }
            }

        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}


ADDITIONAL INFORMATION

The information has been provided by  <mailto:k.huwig@iku-ag.de> Kurt 
Huwig.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Java JNI/DNS Queries DoS, SecuriTeam <=
Previous by Date:  [UNIX] Multiple up-imapproxy DoS Vulnerabilities, SecuriTeam
Next by Date:  [NEWS] Insecure FTP Access in HP PSC 2510 Printers, SecuriTeam
Previous by Thread:  [UNIX] Multiple up-imapproxy DoS Vulnerabilities, SecuriTeam
Next by Thread:  [NEWS] Insecure FTP Access in HP PSC 2510 Printers, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]