Oracle Java lookUpByteBI - DoS PoC

:
06.09.2013
:
JRE 7 update <= 21; JRE 6 update <=45
:
:
Oracle Java

# Exploit Title: Oracle Java lookupByteBI function heap buffer overflow
# Google Dork:
# Date: 2013-09-03
# Exploit Author: GuHe
# Vendor Homepage: http://www.oracle.com/
# Software Link:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
# Version: 7u21 and eariler
# Tested on: Windows 7
# CVE : CVE-2013-2470

PoC: http://www.exploit-db.com/sploits/28050.zip


CVE-2013-2470 - Java_sun_awt_image_ImagingLib_lookupByteBI heap buffer
overflow


1. Affected Software
JRE 7 update 21 and earlier
JRE 6 update 45 and earlier


2. Root cause analysis

The "Java_sun_awt_image_ImagingLib_lookupByteBI" performs byte lookup
operation on two BufferedImage.

In the following code:

/* Mlib needs 16bit lookuptable and must be signed! */
if (src->type == MLIB_SHORT) {
unsigned short *sdataP = (unsigned short *) src->data;
unsigned short *sP;
if (dst->type == MLIB_BYTE) {
unsigned char *cdataP = (unsigned char *) dst->data;
unsigned char *cP;
if (nbands > 1) {
retStatus = 0;
}
else {
int x, y;
for (y=0; y < src->height; y++) {
cP = cdataP;
sP = sdataP;
for (x=0; x < src->width; x++) {
*cP++ = table[0][*sP++];
}

/*
* 4554571: increment pointers using the scanline stride
* in pixel units (not byte units)
*/
cdataP += dstImageP->raster.scanlineStride;
sdataP += srcImageP->raster.scanlineStride;
}
}
}
/* How about ddata == null? */
}

It tries to map data in src raster to the dst raster. The total bytes
written to dst rater buffer is:
(src->width) * (src->height). However, it does not correctly check the size
of the dst buffer, if the size of the
dst buffer is smaller than (src->width) * (src->height), it will be
overflowed.


3. Poc
See "TestByteBI.java" for the source code.
And you can test the poc by directly open the "HelloApplet.html" in a web
browser.


4. Tested on
JRE 7 update 21 on Windows 7 Enterprise