Monday, 07 February 2011 02:51 |
// Harden JDK against Double.parseDouble DoS
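#!/usr/bin/bash
# Name: harden_against_jre_double_dos.sh
#
# Builds a small patch jar that, when prepended to the JVM bootclasspath,
# replaces sun.misc.FloatingDecimal with a copy carrying Andrew P. Haley's
# one-line fix for the Double.parseDouble() infinite loop on inputs such as
# 2.2250738585072012e-308. Each downloaded/extracted artifact is checked
# against the MD5 the author published before it is used, and the build
# aborts if the patch pattern is not found in the source.
#
# Requirements: bash, wget, tar, md5sum, awk, javac, jar, java (JDK 6).
# Usage:        ./harden_against_jre_double_dos.sh   (run in a scratch dir)
set -euo pipefail

echo "[*] harden_against_jre_double_dos.sh"
cat <<'ABOUT'
This script constructs a patch jar that could be used
to temporary mitigate the DoS bug in java.lang.Double
with numbers like 2.2250738585072012e-308.
Author : Marc Schoenefeld, marc.schoenefeld at gmx dot org
Created : 2011-02-07
Ad : Please check out my Java security training at CanSecWest 2011
(http://cansecwest.com/dojos/2011/csw_2_11.html)
ABOUT

SRCTARBALL=openjdk-6-src-b21-20_jan_2011.tar.gz
UPSTREAMLOC=http://download.java.net/openjdk/jdk6/promoted/b21/$SRCTARBALL
SRCTARBALL_MD5=595125cd17441122074a4fe0f78c0252
SRCFILE=FloatingDecimal.java
SRCFILE_MD5=258aea46a9ee3464e327a6aea3ba2071
CLASSLOC=sun/misc
DIRPREF=jdk/src/share/classes
DIRLOC=$DIRPREF/$CLASSLOC
FILELOC=$DIRLOC/$SRCFILE
WORKDIR=new
PATCHJAR=prevent_double_dos.jar
#=======modify above this line only, otherwise ymmv ============
#rm -r new jdk

#######################################
# Abort unless a file's MD5 digest matches the expected value.
# The tarball is fetched over plain http, so this comparison is what ties
# the fetched source to the revision the patch was written against. MD5 is
# the only digest the author published; it is kept here as an actual check
# rather than a value to eyeball.
# Arguments: $1 - path to check, $2 - expected hex digest
# Outputs:   status line on stdout; mismatch diagnostics on stderr
# Returns:   0 on match, exits 1 on mismatch
#######################################
verify_md5() {
  local path=$1 expected=$2 actual
  actual=$(md5sum "$path" | awk '{print $1}')
  if [[ "$actual" != "$expected" ]]; then
    printf '[!] md5 mismatch for %s: got %s, expected %s\n' \
      "$path" "$actual" "$expected" >&2
    exit 1
  fi
  printf '[*] md5 ok: %s  %s\n' "$actual" "$path"
}

echo "[*] Getting src tarball : $SRCTARBALL"
if [[ ! -f "$SRCTARBALL" ]]; then
  wget -- "$UPSTREAMLOC"
fi
verify_md5 "$SRCTARBALL" "$SRCTARBALL_MD5"

#tar tvfz openjdk-6-src-b21-20_jan_2011.tar.gz | grep FloatingDecimal.java
echo "[*] Extracting : $FILELOC"
if [[ ! -f "$FILELOC" ]]; then
  # extract only the single member we patch, not the whole source tree
  tar xvfz "$SRCTARBALL" "$FILELOC"
fi
verify_md5 "$FILELOC" "$SRCFILE_MD5"

#grep expBias jdk/src/share/classes/sun/misc/FloatingDecimal.java | grep "bigIntExp > -expBias"
echo "[*] Patching $FILELOC to $WORKDIR/$FILELOC"
mkdir -p "$WORKDIR/$DIRLOC"
# http://old.nabble.com/Fix-for-JDK-Double.parseDouble-infinite-loop-td30827457.html patch posted by Andrew P. Haley
#- if ( (bigIntNBits == 1) && (bigIntExp > -expBias) ){
#+ if ( (bigIntNBits == 1) && (bigIntExp-1 > -expBias) ){
sed 's/bigIntExp > -expBias/ bigIntExp-1 > -expBias/g' "$FILELOC" > "$WORKDIR/$FILELOC"
# A silent no-op substitution would ship an unpatched class under a
# "patched" jar name; refuse to continue unless the fix is really present.
if ! grep -qF 'bigIntExp-1 > -expBias' "$WORKDIR/$FILELOC"; then
  echo "[!] patch pattern not found in $FILELOC; refusing to build an unpatched jar" >&2
  exit 1
fi

echo "[*] Compiling $FILELOC to $WORKDIR/$FILELOC (expect warnings)"
javac "$WORKDIR/$FILELOC"
ls -l "$WORKDIR/$DIRLOC"/*

echo "[*] Building patch jar: $PATCHJAR"
if [[ ! -f "$PATCHJAR" ]]; then
  # Run jar from inside the class tree so entries get the sun/misc/ prefix;
  # the subshell keeps the script's own cwd untouched, and $OLDPWD points
  # back at it so the jar lands directly beside the script.
  ( cd "$WORKDIR/$DIRPREF" && jar cvf "$OLDPWD/$PATCHJAR" "$CLASSLOC"/*.class )
fi
ls -l "$PATCHJAR"

echo "[*] Dropping runtime testfile: runhang.java"
if [[ ! -f runhang.java ]]; then
  cat > runhang.java <<'TESTFILE'
class runhang {
public static void main(String[] args) {
System.out.println("Test:");
double d = Double.parseDouble("2.2250738585072012e-308");
System.out.println("Value: " + d);
}
}
TESTFILE
fi
ls -l runhang.*

if [[ ! -f compilehang.java ]]; then
  cat > compilehang.java <<'TESTFILE2'
class compilehang {
public static void main(String[] args) {
double d = 2.2250738585072012e-308;
System.out.println("Value: " + d);
}
}
TESTFILE2
fi

if [[ ! -f runhang.class ]]; then
  javac runhang.java
fi

echo "[*] TEST ======================"
# add -verbose to command line to see where jar is coming from
echo "[*] running 'java' with patched classpath for runtime:"
java "-Xbootclasspath/p:$PATCHJAR" runhang
echo "[*] running 'javac' with patched classpath for devtime:"
javac "-J-Xbootclasspath/p:$PATCHJAR" compilehang.java
ls -l compilehang.*
echo "[!]running unpatched 'java': (this never returns, press ^C when done waiting)"
java runhang
# remove intermediates: rm -r new jdk *.class prevent_double_dos.jar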
Friday, 30 July 2010 15:07 |
Simple Patch Tools
Creating: when all you want to do is build a patch file that contains only the changes you have made today. Installing: I typically want to take a backup of the files that are about to be overwritten, so that I can quickly undo the patch if necessary.