Re: Java and buffer overflows

From: KF (dotslashat_private)
Date: Mon Jun 24 2002 - 20:40:07 PDT


    Not sure if this helps .... I was trying to come up with a scenario that 
    passed user input to a buffer but the compiler kept barking at me so 
    this is the best I can do.
    
    [root@qa5 root]# cat test.java
    class test
    {
            public static void main(String args[])
            {
    
                    String[] test = new String[4];
                    test[0] = "A";
                    test[1] = "A";
                    test[2] = "A";
                    test[3] = "A";
                    test[4] = "A";
                    test[5] = "A";
                    test[6] = "A";
            }
    }
    
    
    [root@rcmqa5 root]# javac test.java
    [root@rcmqa5 root]# java test
    Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 4
            at test.main(test.java:11)
    
    -KF
    
    
    Felix Harris wrote:
    
    >>I was wondering if code written in JAVA (or .NET) is vulnerable to buffer overflows.
    >>If yes, what are the differences in the process of exploiting?
    >>Any online source?
    >>
    >
    >
    >well afaik one of the main reasons for creating Java was to make it 
    >a safe language, as there are no complications between pointers 
    >and buffers. Buffers are also length-checked, and pointers don't 
    >really have the required scope to be exploited. If there was an 
    >exploit for a java program, it would probably exist as a bug in the 
    >virtual machine, or in a call to a c/c++ program/library. IIRC, there 
    >was something about zlib being exploitable?
    >--
    >Felix Harris
    >felixat_private
    >I say goodbye and raindrops taste like tears
    >In the pouring rain I stand and die alone
    >
    >
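
The scenario discussed in this thread (caller-controlled input copied into a fixed-size buffer), as an added example that is not part of either message. The class name BoundsDemo, the buffer sizes and the sample input are assumptions made for illustration; it shows the JVM's bounds checks stopping the copy on three standard paths.

```java
import java.nio.BufferOverflowException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class BoundsDemo {
    // Byte-by-byte copy with no length check: the pattern that overflows in C.
    // Returns the number of bytes stored before the JVM stopped the loop.
    static int loopCopy(byte[] dst, byte[] input) {
        int written = 0;
        try {
            for (int i = 0; i < input.length; i++) {
                dst[i] = input[i];   // index is checked on every store
                written++;
            }
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("loop copy stopped: " + e.getMessage());
        }
        return written;
    }

    public static void main(String[] args) {
        // Constructed sample input: 64 'A' bytes, or the first argument if given.
        byte[] input = new byte[64];
        Arrays.fill(input, (byte) 'A');
        if (args.length > 0) input = args[0].getBytes(StandardCharsets.UTF_8);

        byte[] buf = new byte[8];
        byte[] other = new byte[8];   // unrelated object, stands in for adjacent data
        System.out.println("loop stored " + loopCopy(buf, input) + " of " + input.length + " bytes");

        // System.arraycopy validates the whole range first; on failure nothing is copied.
        byte[] buf2 = new byte[8];
        try {
            System.arraycopy(input, 0, buf2, 0, input.length);
        } catch (IndexOutOfBoundsException e) {
            System.out.println("arraycopy rejected, destination untouched: " + Arrays.equals(buf2, new byte[8]));
        }

        // ByteBuffer enforces its limit the same way.
        try {
            ByteBuffer.allocate(8).put(input);
        } catch (BufferOverflowException e) {
            System.out.println("ByteBuffer.put rejected: " + e);
        }
        System.out.println("other array unchanged: " + Arrays.equals(other, new byte[8]));
    }
}
```

In each case the oversized write ends in an exception the program can catch or die on, which is a denial-of-service concern rather than memory corruption; native code reached from Java is outside these checks.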
    



    This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 09:31:46 PDT