Oracle Java BytePackedRaster.verify() Signed Integer Overflow
Release date:
Updated on: 2013-08-20
Affected Systems:
Oracle Java < 7u25
Description:
--------------------------------------------------------------------------------
Java is the foundation of networked applications and a global standard for developing and providing mobile applications, games, Web-based content, and enterprise software.
The BytePackedRaster.verify() method in Oracle Java versions earlier than 7u25 contains a signed integer overflow vulnerability. The overflow allows an attacker to bypass the "dataBitOffset" boundary check and remotely execute arbitrary code.
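To illustrate the bug class the description names, here is an added schematic that is not the JDK's BytePackedRaster code: a bounds check whose int arithmetic wraps negative for a large dataBitOffset, beside a version built on Java 8's Math.addExact/Math.multiplyExact that rejects overflow instead. The parameter names and the exact formula are assumptions made for illustration.

```java
// Added illustration of the bug class (signed int overflow defeating a bounds
// check); NOT the JDK's BytePackedRaster code. Parameter names mirror the
// raster fields named in the advisory; the arithmetic is a simplified sketch.
public final class RasterBoundsCheck {

    /** Flawed: computed with int arithmetic, so large inputs wrap negative. */
    static boolean lastBitInRangeWrapping(int dataBitOffset, int width, int height,
                                          int scanlineStride, int pixelBitStride,
                                          int dataLength) {
        int lastBit = dataBitOffset
                    + (height - 1) * scanlineStride * 8
                    + (width - 1) * pixelBitStride
                    + pixelBitStride - 1;
        // A wrapped (negative) lastBit trivially satisfies this comparison.
        return lastBit / 8 < dataLength;
    }

    /** Hardened: each operand is range-checked and every operation uses the
     *  *Exact variants, which throw ArithmeticException instead of wrapping. */
    static boolean lastBitInRangeExact(int dataBitOffset, int width, int height,
                                       int scanlineStride, int pixelBitStride,
                                       int dataLength) {
        if (dataBitOffset < 0 || width <= 0 || height <= 0
                || scanlineStride < 0 || pixelBitStride <= 0) {
            return false;
        }
        try {
            int rows = Math.multiplyExact(Math.multiplyExact(height - 1, scanlineStride), 8);
            int cols = Math.multiplyExact(width - 1, pixelBitStride);
            int lastBit = Math.addExact(Math.addExact(dataBitOffset, rows),
                                        Math.addExact(cols, pixelBitStride - 1));
            return lastBit / 8 < dataLength;
        } catch (ArithmeticException overflow) {
            return false; // reject rather than let a wrapped value pass the check
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: a dataBitOffset near Integer.MAX_VALUE plus a
        // tiny raster makes the int sum wrap negative in the flawed version.
        int off = Integer.MAX_VALUE - 4, w = 8, h = 1, stride = 1, bits = 1, len = 16;
        System.out.println("wrapping check accepts: "
                + lastBitInRangeWrapping(off, w, h, stride, bits, len));
        System.out.println("exact check accepts:    "
                + lastBitInRangeExact(off, w, h, stride, bits, len));
    }
}
```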
<* Source: Packet Storm (advisories@packetstormsecurity.com)
Link: http://seclists.org/fulldisclosure/2013/Aug/211?utm_source=twitterfeed&utm_medium=twitter
http://www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
Packet Storm (advisories@packetstormsecurity.com) provides the following test methods:
http://packetstormsecurity.com/files/122865/
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Oracle
------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html