0

Is it possible to exploit a vulnerable application that is running inside a process virtual machine?

Let's say that we have a buffer overflow vulnerability in a Java application but the JVM isn't vulnerable. Is there a way to exploit it?

Eric G
user46969
  • VM and JVM are two different concepts. Did you mean to equate them? – schroeder May 20 '14 at 21:10
  • I mean the Java Virtual Machine. The virtual machine of .NET and python/ruby interpreter etc... – user46969 May 20 '14 at 21:11
  • How would you propose to have a buffer overflow in a Java application? Assuming that you're not using JNI of course, in which case you'd be outside of the JVM. – Xander May 20 '14 at 21:20
  • Well, let's say that the array gets out of length? – user46969 May 20 '14 at 21:22
  • An index out of bounds error in a managed-memory runtime like Java or .Net is not a buffer overflow vulnerability. Not even close. It is an exception, but it isn't a vulnerability. – Xander May 20 '14 at 21:29
  • So basically there's no way to exploit a buffer overflow or format string in such an application? – user46969 May 20 '14 at 21:31
  • That is correct. Because there are no buffer overflows in the first place. – Xander May 20 '14 at 21:32
  • Well, if you want you can post this as answer to give you "best answer" =) – user46969 May 20 '14 at 21:38
  • you can try the com.sun.Unsafe Class where you gain direct access to the Memory and can allocate yourself http://java.dzone.com/articles/understanding-sunmiscunsafe – Serverfrog May 21 '14 at 00:07

2 Answers

4

It is not possible to have a buffer overflow vulnerability in a managed-memory environment such as those Java, .Net, or Python provide. Since the runtime, not the developers, manages memory allocations and deallocations, this class of vulnerability is non-existent.

That said, there are vulnerabilities in these environments, but the JVM (or equivalent) is relatively immaterial. For instance, Java has trouble preventing applets from escaping the sandbox and ASP.NET suffered from a padding oracle.

So, any language offers the potential for exploits aplenty. Managed-memory languages simply eliminate the vulnerabilities specific to manual memory management such as buffer overflows. Even this, however, is only true within the runtime environment. Java allows you to run unsafe code outside of the JVM via JNI, and .Net offers the same via P/Invoke or COM-Interop. Again, in these instances, the runtime isn't significant, as it's being entirely bypassed.

Xander
  • So, the answer is 'yes'? It is possible to exploit a vulnerability of code even though it is in a sandbox? But certain vulnerabilities are prevented, if the sandbox is configured correctly? – schroeder May 20 '14 at 23:03
  • Yes, in both cases. The vulnerabilities related to sandbox configuration are, as you suggest, only a subset of potential vulnerabilities, however. – Xander May 20 '14 at 23:43
1

If an application is vulnerable, it is by definition exploitable. You say an app is "vulnerable", but it's really a shortening of the phrase "vulnerable to exploitation." The two concepts are roughly synonymous.

The vulnerability takes the framework into consideration. You don't see buffer overflow exploits in Python programs because the framework protects against that. But it doesn't implicitly protect against injection attacks or insecure storage, so you expect to see exploits targeting those areas instead.

Note that the framework doesn't have any vulnerability; Python isn't susceptible to injection attacks, nor is Java, but neither framework protects against those attacks the same way they do for buffer overflows. So while Python isn't vulnerable, a program written in Python could be.

tylerl
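The contrast drawn in the answers above, as an added Python example that is not part of either answer: an out-of-range write is stopped by the runtime with an exception, while the same runtime runs a string-built SQL query without complaint, and only a parameterized query keeps the input as data. The table, rows, function names and the `CRAFTED` input are constructed for illustration.

```python
import sqlite3

def try_write(buf, index, value):
    """Write buf[index] = value; report what the runtime did with it."""
    try:
        buf[index] = value
        return "written", bytes(buf)
    except IndexError:
        # Out-of-range index: the runtime raises; no memory past buf is touched.
        return "IndexError", bytes(buf)

def make_db():
    """In-memory table with two constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db

def lookup_concat(db, name):
    # Vulnerable: the input is spliced into the SQL text, so a quote in it
    # changes the query's structure. The runtime sees only valid strings.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, name):
    # Hardened: the input is bound as a value and never parsed as SQL.
    return db.execute("SELECT name, role FROM users WHERE name = ?",
                      (name,)).fetchall()

CRAFTED = "nobody' OR '1'='1"  # constructed sample input

if __name__ == "__main__":
    print(try_write(bytearray(4), 10, 0x41))  # exception, buffer unchanged
    db = make_db()
    print(lookup_concat(db, CRAFTED))  # every row comes back
    print(lookup_param(db, CRAFTED))   # no row matches the literal string
```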