RE: Java and buffer overflows

From: Zacharias Pigadas (z.pigadas@encode-sec.com)
Date: Fri Jun 28 2002 - 00:20:37 PDT

Next message: KF: "JNI and buffer overflows (was java and buffer overflows)"

Previous message: Michael Greenberg: "Re: OpenSSH Vulns (new?) Priv seperation"
In reply to: KF: "Re: Java and buffer overflows"
Next in thread: KF: "JNI and buffer overflows (was java and buffer overflows)"
Next in thread: Rafael Anschau: "Re: Java and buffer overflows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

Basically JNI is an interface developed by SUN as a way to keep using legacy
applications through the advancements in technology and business processes
or if someone wants to access O/S or hardware specific info. All you need to
do is compile the c/c++ application in a loadable object and call it from
java. The steps you need to take are:

1. Write Java code that calls a native method through JNI.
2. Compile this Java code.
3. Create an .h file using javah.
4. You have (modify slightly) / create a C function that does the work.
5. Compile the C code into a loadable object (say DLL for the windows
oriented).

You can then try the java program.

I must say I do not prefer this way of doing things (although this is the
only way some times, depending in legacy application) as with this way you
don't solve existing bugs/problems you just move them forward.

You can also call scripting languages such as jpython from within java
programs provided someone (SUN) has written a scripting interface for the
two languages to communicate)

A good reference if you have access to the book is:

Java Cookbook Solutions and Examples for Java Developers by O'Reilly -
Chapter 26

Hope it sheds some light...

Best Regards,
Zach

-----------------------
Zacharias Pigadas

Information Security Consultant

ENCODE S.A.
3, R.Melodou Str
151 25 Marousi
Athens, Greece
Tel: +3010-6178410
Fax: +3010-6109579
web: www.encode-sec.com
------------------------

-----Original Message-----
From: KF [mailto:dotslashat_private]
Sent: Thursday, June 27, 2002 6:17 AM
To: Dave Aitel
Cc: Nelson Sampaio Araujo Junior; Rafael Anschau;
anschau.ezat_private; vuln-devat_private
Subject: Re: Java and buffer overflows

So what you are saying is that you found a buffer overflow in some code
that uses JNI? As in there was some c based code that the java invoked?
I am currious to see how this works.
-KF

Dave Aitel wrote:

>Although, as another poster said, native code invocation is going to
>continue to be a problem for managed languages such as Java and C# in
>the years to come.
>
>I've found a buffer overflow in native code invoked by a major
>application server that happened to be written in Java. It's fixed now,
>btw. :>
>
>-dave
>
>
>

Next message: KF: "JNI and buffer overflows (was java and buffer overflows)"
Previous message: Michael Greenberg: "Re: OpenSSH Vulns (new?) Priv seperation"
In reply to: KF: "Re: Java and buffer overflows"
Next in thread: KF: "JNI and buffer overflows (was java and buffer overflows)"
Next in thread: Rafael Anschau: "Re: Java and buffer overflows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 10:41:35 PDT