As someone else said before, the VM/interpreter of our java classes is what's going to check the code at interpretation/execution time. This message is a typical java error message, in this case because of an interpreter-thrown exception... but actually it doesn't mean that we can overwrite a damn byte. Actually, the VM may have some bug, but since it's not setuid on any system by default... The real danger around VMs I think are the web browser's plugins. As with any other language, the real security usually comes from designers and developers and not from the language itself.

Cheers.

Anibal Ambertin.

----- Original Message -----
From: "KF" <dotslashat_private>
To: <felixat_private>
Cc: <vuln-devat_private>
Sent: Tuesday, June 25, 2002 12:40 AM
Subject: Re: Java and buffer overflows

> Not sure if this helps .... I was trying to come up with a scenario that
> passed user input to a buffer but the compiler kept barking at me so
> this is the best I can do.
>
> [root@qa5 root]# cat test.java
> class test
> {
>     public static void main(String args[])
>     {
>
>         String[] test = new String[4];
>         test[0] = "A";
>         test[1] = "A";
>         test[2] = "A";
>         test[3] = "A";
>         test[4] = "A";
>         test[5] = "A";
>         test[6] = "A";
>     }
> }
>
> [root@rcmqa5 root]# javac test.java
> [root@rcmqa5 root]# java test
> Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 4
>         at test.main(test.java:11)
>
> -KF
>
>
> Felix Harris wrote:
>
> >>I was wondering if code written in JAVA (or .NET) is vulnerable to buffer overflows.
> >>If yes, what are the differences in the process of exploiting?
> >>Any online source?
> >>
> >
> >well afaik one of the main reasons for creating Java was to make it
> >a safe language, as there are no complications between pointers
> >and buffers. Buffers are also length-checked, and pointers don't
> >really have the required scope to be exploited. If there was an
> >exploit for a java program, it would probably exist as a bug in the
> >virtual machine, or in a call to a c/c++ program/library. IIRC, there
> >was something about zlib being exploitable?
> >--
> >Felix Harris
> >felixat_private
> >I say goodbye and raindrops taste like tears
> >In the pouring rain I stand and die alone
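Added example (written for this archive page; it is not code from any of the posters above nor from any project): the thread's point is that the JVM turns an out-of-range Java array write into an ArrayIndexOutOfBoundsException instead of letting it land in memory, and that a realistic overflow in a Java program lives in the VM itself or in native code reached through a C/C++ library call. The C below shows that boundary. It is the kind of native-side parser a JNI wrapper might call: it receives the bytes a Java caller passed down, reads a length byte from them, and copies that many bytes into a fixed-size buffer. The JVM checked the byte[] on the Java side; nothing checks the length here unless the native code does it. The record layout, the function names and all inputs are constructed for illustration. In a real JNI binding the bytes would arrive through the JNI array functions (GetByteArrayRegion and friends); that call is assumed rather than shown so the file compiles stand-alone.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_BUF 16   /* fixed-size destination, the classic C pattern */

/*
 * Record layout (constructed for this example, not a real protocol):
 * one length byte followed by that many name bytes. The record is the
 * byte[] a Java caller handed to native code.
 */

/* VULNERABLE: trusts the length byte. The JVM bounds-checked the byte[]
 * on the Java side; nothing checks n here, so it can exceed out_len and
 * the remaining input. */
int parse_name_unchecked(const unsigned char *rec, size_t rec_len,
                         char *out, size_t out_len)
{
    size_t n;
    (void)out_len;                      /* ignored: that is the bug */
    if (rec_len < 1)
        return -1;
    n = rec[0];
    memcpy(out, rec + 1, n);            /* over-reads rec, overflows out */
    out[n] = '\0';
    return (int)n;
}

/* HARDENED: validate the length against both input and output sizes. */
int parse_name_checked(const unsigned char *rec, size_t rec_len,
                       char *out, size_t out_len)
{
    size_t n;
    if (rec_len < 1 || out_len < 1)
        return -1;
    n = rec[0];
    if (n > rec_len - 1)                /* claims more bytes than were sent */
        return -1;
    if (n >= out_len)                   /* no room for name + terminator */
        return -1;
    memcpy(out, rec + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed inputs standing in for the Java caller's byte[]. */
static const unsigned char valid_rec[]     = { 5, 'F', 'e', 'l', 'i', 'x' };
static const unsigned char truncated_rec[] = { 10, 'K', 'F' }; /* claims 10, sends 2 */

/* Build a record whose length byte (64) far exceeds a NAME_BUF-sized out. */
static size_t make_oversized_rec(unsigned char *rec, size_t cap)
{
    size_t i;
    if (cap < 65)
        return 0;
    rec[0] = 64;
    for (i = 1; i <= 64; i++)
        rec[i] = 'A';
    return 65;
}

/* Helpers with plain return values so the behaviour can be checked. */
int checked_accepts_valid(void)
{
    char out[NAME_BUF];
    return parse_name_checked(valid_rec, sizeof valid_rec, out, sizeof out) == 5
        && strcmp(out, "Felix") == 0;
}

int checked_rejects_truncated(void)
{
    char out[NAME_BUF];
    return parse_name_checked(truncated_rec, sizeof truncated_rec, out, sizeof out) == -1;
}

int checked_rejects_oversized(void)
{
    unsigned char rec[65];
    char out[NAME_BUF];
    size_t len = make_oversized_rec(rec, sizeof rec);
    return len == 65
        && parse_name_checked(rec, len, out, sizeof out) == -1;
}

/* The unchecked parser is only ever run on the valid record here; feeding
 * it the oversized record would smash the stack, which is the thread's point. */
int unchecked_on_valid(void)
{
    char out[NAME_BUF];
    return parse_name_unchecked(valid_rec, sizeof valid_rec, out, sizeof out) == 5
        && strcmp(out, "Felix") == 0;
}

int main(void)
{
    printf("checked, valid record:     %s\n", checked_accepts_valid() ? "ok" : "FAIL");
    printf("checked, truncated record: %s\n", checked_rejects_truncated() ? "rejected" : "FAIL");
    printf("checked, oversized record: %s\n", checked_rejects_oversized() ? "rejected" : "FAIL");
    printf("unchecked, valid record:   %s\n", unchecked_on_valid() ? "ok" : "FAIL");
    return 0;
}
```

Build with `cc -Wall -o native_parse native_parse.c` and run it. The contrast with KF's test.java is the whole lesson: `test[4] = "A"` is stopped by the VM before any memory is touched, while parse_name_unchecked() would happily copy 64 bytes into a 16-byte buffer because the only check that exists on the native side is the one the developer wrote.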
This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 21:23:59 PDT