Skip to content
cyberexploits
doswindowstext

Oracle Java lookUpByteBI - Heap Buffer Overflow

Oracle Java lookUpByteBI - Heap Buffer Overflow

Published on 2013-09-03

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/windows/dos/28050.txt7eac4c3a
raw
# Exploit Title: Oracle Java lookupByteBI function heap buffer overflow

# Google Dork:

# Date: 2013-09-03

# Exploit Author: GuHe

# Vendor Homepage: http://www.oracle.com/

# Software Link:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

# Version: 7u21 and eariler

# Tested on: Windows 7

# CVE : CVE-2013-2470



PoC: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/28050.zip





CVE-2013-2470 - Java_sun_awt_image_ImagingLib_lookupByteBI heap buffer

overflow





1. Affected Software

JRE 7 update 21 and earlier

JRE 6 update 45 and earlier





2. Root cause analysis



The "Java_sun_awt_image_ImagingLib_lookupByteBI" performs byte lookup

operation on two BufferedImage.



In the following code:



 /* Mlib needs 16bit lookuptable and must be signed! */

    if (src->type == MLIB_SHORT) {

        unsigned short *sdataP = (unsigned short *) src->data;

        unsigned short *sP;

        if (dst->type == MLIB_BYTE) {

            unsigned char *cdataP  = (unsigned char *)  dst->data;

            unsigned char *cP;

            if (nbands > 1) {

                retStatus = 0;

            }

            else {

                int x, y;

                for (y=0; y < src->height; y++) {

                    cP = cdataP;

                    sP = sdataP;

                    for (x=0; x < src->width; x++) {

                        *cP++ = table[0][*sP++];

                    }



                    /*

                     * 4554571: increment pointers using the scanline stride

                     * in pixel units (not byte units)

                     */

                    cdataP += dstImageP->raster.scanlineStride;

                    sdataP += srcImageP->raster.scanlineStride;

                }

            }

        }

        /* How about ddata == null? */

    }



It tries to map data in src raster to the dst raster. The total bytes

written to dst rater buffer is:

(src->width) * (src->height). However, it does not correctly check the size

of the dst buffer, if the size of the

dst buffer is smaller than (src->width) * (src->height), it will be

overflowed.





3. Poc

See "TestByteBI.java" for the source code.

And you can test the poc by directly open the "HelloApplet.html" in a web

browser.





4. Tested on

JRE 7 update 21 on Windows 7 Enterprise
View on GitHub