Re: Java and buffer overflows

From: Joe Testa (jtestaat_private)
Date: Wed Jun 26 2002 - 09:34:09 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    By Java's design, code execution is not possible by overflowing a
    buffer. However, the program probably doesn't catch
    IndexOutOfBoundsExceptions, so it will most likely result in a denial
    of service.
    
    I audited many Java HTTP and FTP servers in the past (in the span
    of two weeks' time--hey, I was on a roll...), and a lot of them
    were affected by directory traversal vulnerabilities, which have
    nothing to do with buffer overflows.
    
    Hope this helps.
    
        - Joe Testa
    
    
    GPG key:  http://www.cs.rit.edu/~jst3290/joetesta_r7.pub
    A22B 2683 C40E 5443 AE52  AD6D 65B2 F5DF 4B11 06B4
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)
    
    iD8DBQE9GeyyZbL130sRBrQRAn9EAJ9aE4TGDYpYLC2PPptF7rdeA4eNpgCfQ3aL
    Eo9OfN6vyHbXm3jd+LM7M0g=
    =LW54
    -----END PGP SIGNATURE-----
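
The behaviour described in the message above, as an added example that is not part of the original post: an out-of-bounds array write in Java raises an exception rather than overwriting memory, and whether that becomes a denial of service depends on where the exception is handled. The class, method names, buffer size and request data are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.List;

public class BoundsCheckDemo {
    static final int BUF_SIZE = 16; // constructed fixed-size request buffer

    // Copies a request into a fixed buffer with no length check. The JVM
    // bounds-checks every array store, so an oversized request throws
    // ArrayIndexOutOfBoundsException instead of writing past the buffer.
    static byte[] parse(byte[] request) {
        byte[] buf = new byte[BUF_SIZE];
        for (int i = 0; i < request.length; i++) {
            buf[i] = request[i];
        }
        return buf;
    }

    // Naive loop: nothing inside the loop handles the exception, so the first
    // oversized request ends the loop and later clients are never served.
    static int serveNaive(List<byte[]> requests) {
        int served = 0;
        for (byte[] r : requests) {
            parse(r);
            served++;
        }
        return served;
    }

    // Hardened loop: reject oversized input up front and contain any other
    // runtime failure to the one request that caused it.
    static int serveHardened(List<byte[]> requests) {
        int served = 0;
        for (byte[] r : requests) {
            if (r.length > BUF_SIZE) continue;   // rejected, loop keeps running
            try {
                parse(r);
                served++;
            } catch (RuntimeException e) {
                // log and drop this request only
            }
        }
        return served;
    }

    public static void main(String[] args) {
        byte[] ok = "GET /".getBytes(StandardCharsets.US_ASCII);
        List<byte[]> requests = List.of(ok, new byte[64], ok, ok); // constructed
        try {
            serveNaive(requests);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("naive loop stopped: " + e);
        }
        System.out.println("hardened loop served " + serveHardened(requests));
    }
}
```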
    



    This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 20:03:02 PDT