Message-ID: <Pine.A41.4.44.0310260056010.56866-100000@zivunix.uni-muenster.de>
Date: Sun, 26 Oct 2003 01:20:14 +0200 (MES)
From: Marc Schoenefeld <schonef@...-muenster.de>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: Java 1.4.2_02 InsecurityManager JVM crash
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
Java 2 Security Managers are objects that should enforce
system integrity and safety. Everyone would expect that
the provided base classes from the JDK are therefore a
role model for code quality and stability. But that's
all theory. Let's do some practice:
Imagine a lazy implementor (like me) of a SecurityManager;
he codes the following:
/* InsecurityManager-Demonstration */
/* coded by Marc Schoenefeld */
public class InSecurityManager extends SecurityManager {
public void doit() {
System.out.println("doit");
int o = classDepth(null);
}
public static void main(String[] a) {
InSecurityManager m = new InSecurityManager();
m.doit();
}
}
When you run the class with the command
java InSecurityManager
you get a JVM crash instead of a NullPointerException.
I tested this with the latest 1.3.1, 1.4.1 and 1.4.2 implementations.
All Sun implementations crash; the IBM 1.4.1 (which comes with
WebSphere or Cloudscape) is stable.
This sample of code will do no harm to production environments,
because you cannot instantiate a second security manager, but
it may be a snapshot of the inner condition of JVM security.
Lesson learned: Do not believe white papers or specifications,
test the implementation and report bugs to the vendor. Choose
a stable implementation.
Sincerely
Marc Schoenefeld
- --
Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous
Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (AIX)
Comment: For info see http://www.gnupg.org
iD8DBQE/mwUxqCaQvrKNUNQRApt/AJ9uwaavBSTpMFa9vZ+BhwBDNxD8sACaA3DZ
E3sLSXijpoAjR1iOdC1FGPo=
=TYLu
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
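The post's advice is to test an implementation rather than trust its specification, and the observable difference it reports is "VM crash" versus "NullPointerException". The harness below is an added example, not code from the original post or from any JDK: it launches a candidate class (by default the InSecurityManager class shown above, which is an assumption about what sits on the classpath) in a child JVM and classifies the outcome from the exit status and the output. The HotSpot crash banner strings it searches for are assumptions about the VM under test; other VMs print different text and would fall through to the exit-status check.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.TimeUnit;

/*
 * Added example (not from the original post): run a target class in a
 * child JVM and tell a Java-level failure (an uncaught exception such as
 * NullPointerException) apart from a crash of the VM itself.
 * Assumptions: the target class is on this harness's own classpath, and
 * the crash markers below match the JVM being probed.
 */
public class JvmCrashProbe {

    public enum Outcome { OK, JAVA_EXCEPTION, VM_CRASH, TIMEOUT }

    // Text HotSpot prints when the VM (not the Java program) dies.
    // The first is the modern banner, the second the 1.3/1.4-era one,
    // the third the name of the error report file it mentions.
    private static final String[] CRASH_MARKERS = {
        "A fatal error has been detected by the Java Runtime Environment",
        "An unexpected exception has been detected in native code outside the VM",
        "hs_err_pid"
    };

    public static Outcome probe(String mainClass, long timeoutSeconds)
            throws IOException, InterruptedException {
        List<String> cmd = new ArrayList<>();
        cmd.add(System.getProperty("java.home") + "/bin/java");
        cmd.add("-cp");
        cmd.add(System.getProperty("java.class.path"));
        cmd.add(mainClass);

        // Merge stderr into stdout so one reader sees the stack trace or banner.
        final Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
        final StringBuilder out = new StringBuilder();
        Thread drain = new Thread(() -> {
            try {
                out.append(readAll(p.getInputStream()));
            } catch (IOException ignored) {
                // child died mid-write; whatever was captured is still classified
            }
        });
        drain.start();

        if (!p.waitFor(timeoutSeconds, TimeUnit.SECONDS)) {
            p.destroyForcibly();     // a hung VM is also a failed conformance check
            return Outcome.TIMEOUT;
        }
        drain.join();
        return classify(p.exitValue(), out.toString());
    }

    static Outcome classify(int exitCode, String output) {
        if (exitCode == 0) {
            return Outcome.OK;
        }
        for (String marker : CRASH_MARKERS) {
            if (output.contains(marker)) {
                return Outcome.VM_CRASH;
            }
        }
        // The default uncaught-exception handler prints "Exception in thread"
        // and the launcher exits with status 1: the Java-level failure we want.
        if (exitCode == 1 && output.contains("Exception in thread")) {
            return Outcome.JAVA_EXCEPTION;
        }
        // Anything else (e.g. 128+signal statuses on Unix, no stack trace)
        // means the process died below the Java layer.
        return Outcome.VM_CRASH;
    }

    private static String readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return buf.toString("UTF-8");
    }

    public static void main(String[] args) throws Exception {
        String target = args.length > 0 ? args[0] : "InSecurityManager";
        Outcome result = probe(target, 30);
        System.out.println(target + " -> " + result);
        // Only a graceful Java-level failure (or success) passes the check.
        if (result == Outcome.VM_CRASH || result == Outcome.TIMEOUT) {
            System.exit(2);
        }
    }
}
```

Run it as `java JvmCrashProbe InSecurityManager` with both classes compiled into the current directory. On a VM that behaves as the post's IBM 1.4.1 did, the result is JAVA_EXCEPTION; on one that behaves as the Sun VMs did, it is VM_CRASH and the harness exits non-zero, which is what you want from a check wired into a test run against a new JDK build.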