Re: Java and buffer overflows

From: Joe Testa (jtestaat_private)
Date: Wed Jun 26 2002 - 09:34:09 PDT

Next message: Peter Mueller: "RE: OpenSSH Vulns (new?) Priv seperation"

Previous message: Alex Balayan: "Re: Apache vulnerability checking"
In reply to: cyber_riderat_private: "Java and buffer overflows"
Next in thread: Dave Aitel: "Re: Java and buffer overflows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

By Java's design, code execution is not possible by overflowing a
buffer.    However, the program probably doesn't catch
IndexOutOfBoundExceptions, so it will most likely result in a denial
of service.

I audited many Java HTTP and FTP servers in the past (in the span
of two weeks time--hey, I was on a roll...), and a lot of them
were affected by directory traversal vulnerabilities, which have
nothing to do with buffer overflows.

Hope this helps.

    - Joe Testa


GPG key:  http://www.cs.rit.edu/~jst3290/joetesta_r7.pub
A22B 2683 C40E 5443 AE52  AD6D 65B2 F5DF 4B11 06B4

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9GeyyZbL130sRBrQRAn9EAJ9aE4TGDYpYLC2PPptF7rdeA4eNpgCfQ3aL
Eo9OfN6vyHbXm3jd+LM7M0g=
=LW54
-----END PGP SIGNATURE-----

Next message: Peter Mueller: "RE: OpenSSH Vulns (new?) Priv seperation"
Previous message: Alex Balayan: "Re: Apache vulnerability checking"
In reply to: cyber_riderat_private: "Java and buffer overflows"
Next in thread: Dave Aitel: "Re: Java and buffer overflows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 20:03:02 PDT