Re: Java and buffer overflows

From: Dave Aitel (dave@immunitysec.com)
Date: 06/26/02 

From: Dave Aitel <dave@immunitysec.com>
To: Nelson Sampaio Araujo Junior <nelson@lunenetworks.com.br>
Date: 26 Jun 2002 13:08:18 -0400

Although, as another poster said, native code invocation is going to
continue to be a problem for managed languages such as Java and C# in
the years to come.

I've found a buffer overflow in native code invoked by a major
application server that happened to be written in Java. It's fixed now,
btw. :>

-dave

On Tue, 2002-06-25 at 20:40, Nelson Sampaio Araujo Junior wrote:
> Hi,
>
> > I heard thatt java is invulnerable to bofs
> > Has anyone succefully exploited a bof in java ?
>
> Please notice that buffer overflow is only one way of software exploitation.
> Generalizing the concept, any procedure that makes a software work badly,
> and if possible be directed to do something you want (and obviously not
> authorized), can be considered exploitation.
>
> Please does not sit down and relax just because Java should not have buffer
> overflows. There are inifinite ways of directing a software to do something
> bad or not expected, and once more, buffer overflows (or overruns if you
> prefer) is *just* one option.
>
> Regards,
>
> Nelson Junior
> nelson@lunenetworks.com.br
> nelson@LUNE.com.br
>
>

Relevant Pages

  • Re: IP Level Encryption
    ... The memory used by process A can be claimed by another process B ... >> will enable an attacker to execute arbitrary code, in Java this is ... any buffer overflow is detected and there is no ... Although I am also fond of Delphi, I don't think that it is a full ...
    (sci.crypt)
  • RE: Stack Overflow
    ... I am hardly a java expert myself, however in _theory_ a buffer overflow is ... possible in any language (assuming the underlying chip's instruction set ...
    (Security-Basics)
  • Re: Java and buffer overflows
    ... So what you are saying is that you found a buffer overflow in some code ... that uses JNI? ... As in there was some c based code that the java invoked? ... >Although, as another poster said, native code invocation is going to ...
    (Vuln-Dev)
  • Re: Ideal computer language from scratch?
    ... Impervious to Buffer Overflow bugs. ... The concept of portable GUIs didn't exist, to my knowledge, 20 years ... of some kind (Java, POSIX / C) ... just about every compiled language had these? ...
    (alt.lang.asm)
  • Re: Web-Development in C?
    ... Java ging von dem Konzept aus, ... "Kindern" gebastelt wird. ... "A patched buffer overflow doesn't mean that there's one less way ...
    (de.comp.lang.c)