RE: Java and buffer overflows

From: Zacharias Pigadas (z.pigadas@encode-sec.com)
Date: Fri Jun 28 2002 - 00:20:37 PDT

  • Next message: KF: "JNI and buffer overflows (was java and buffer overflows)"

    Hello,
    
    Basically JNI is an interface developed by SUN as a way to keep using legacy
    applications through the advancements in technology and business processes
    or if someone wants to access O/S or hardware specific info. All you need to
    do is compile the c/c++ application in a loadable object and call it from
    java. The steps you need to take are:
    
    1. Write Java code that calls a native method through JNI.
    2. Compile this Java code.
    3. Create an .h file using javah.
    4. You have (modify slightly) / create a C function that does the work.
    5. Compile the C code into a loadable object (say DLL for the windows
    oriented).
    
    You can then try the java program.
    
    I must say I do not prefer this way of doing things (although this is the
    only way some times, depending in legacy application) as with this way you
    don't solve existing bugs/problems you just move them forward.
    
    You can also call scripting languages such as jpython from within java
    programs provided someone (SUN) has written a scripting interface for the
    two languages to communicate)
    
    A good reference if you have access to the book is:
    
    Java Cookbook Solutions and Examples for Java Developers by O'Reilly -
    Chapter 26
    
    Hope it sheds some light...
    
    Best Regards,
    Zach
    
    -----------------------
    Zacharias Pigadas
    
    Information Security Consultant
    
    ENCODE S.A.
    3, R.Melodou Str
    151 25 Marousi
    Athens, Greece
    Tel: +3010-6178410
    Fax: +3010-6109579
    web: www.encode-sec.com
    ------------------------
    
    
    -----Original Message-----
    From: KF [mailto:dotslashat_private]
    Sent: Thursday, June 27, 2002 6:17 AM
    To: Dave Aitel
    Cc: Nelson Sampaio Araujo Junior; Rafael Anschau;
    anschau.ezat_private; vuln-devat_private
    Subject: Re: Java and buffer overflows
    
    
    So what you are saying is that you found a buffer overflow in some code
    that uses JNI? As in there was some c based code that the java invoked?
    I am currious to see how this works.
    -KF
    
    
    Dave Aitel wrote:
    
    >Although, as another poster said, native code invocation is going to
    >continue to be a problem for managed languages such as Java and C# in
    >the years to come.
    >
    >I've found a buffer overflow in native code invoked by a major
    >application server that happened to be written in Java. It's fixed now,
    >btw. :>
    >
    >-dave
    >
    >
    >
    



    This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 10:41:35 PDT