Oracle Java zip_util Off-By-One DoS

February 24, 2012

Java is a programming language originally developed by James Gosling at Sun Microsystems (which has since merged into Oracle Corporation) and released in 1995 as a core component of Sun Microsystems' Java platform. Java applications are typically compiled to bytecode (class file) that can run on any Java Virtual Machine (JVM) regardless of computer architecture. Java is a general-purpose, concurrent, class-based, object-oriented language that is specifically designed to have as few implementation dependencies as possible. Java has the following major versions:

  • JDK 1.0 (January 23, 1996)
  • JDK 1.1 (February 19, 1997)
  • J2SE 1.2 (December 8, 1998)
  • J2SE 1.3 (May 8, 2000)
  • J2SE 1.4 (February 6, 2002)
  • J2SE 5.0 (September 30, 2004)
  • Java SE 6 (December 11, 2006)
  • Java SE 7 (July 28, 2011)

Zip is a file format used for data compression and archiving. A zip file contains one or more files that have been compressed, to reduce file size, or stored as is. The zip file format permits a number of compression algorithms. A zip file consists of multiple concatenated sections, the structure of which is shown below.

  [local file header 1]
  [file data 1]
  [data descriptor 1]
  . . .
  [local file header n]
  [file data n]
  [data descriptor n]
  [archive decryption header]
  [archive extra data record]
  [central directory]
  [zip64 end of central directory record]
  [zip64 end of central directory locator]
  [end of central directory record]

The tuple of local file header, file data and data descriptor is used to store each file in the archive and is repeated as necessary. A local file header begins with a 4-byte section signature of 0x04034b50, so all zip files begin with this value (in little-endian byte order). The sections described above may not be present in all zip files.

A stack overflow vulnerability exists in the zip utility libraries distributed with the Java Runtime Environment. When handling a zip file, the JRE zip utilities use the data provided in the zip file to calculate the number of entries. This may cause an infinite recursive loop and, finally, a stack overflow. A remote attacker could exploit this vulnerability by sending a crafted zip file. Successful exploitation will result in the application's termination.
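Because the entry count is taken from data inside the archive, a defender can compare the declared count against the central directory headers actually present before passing an untrusted zip file to a parser. The following is an added example, not code from this advisory, from Oracle or from SonicWALL. The function names are hypothetical, the sample archives are constructed in memory, and it assumes a single-disk archive without ZIP64 records.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
EOCD_LEN = 22              # fixed part of the EOCD record
CDH_LEN = 46               # fixed part of a central directory header


def audit_entry_count(data: bytes):
    """Return (declared, counted, ok) for a non-ZIP64, single-disk archive."""
    # The EOCD sits at the end, followed by at most a 65535-byte comment.
    pos = data.rfind(EOCD_SIG, max(0, len(data) - EOCD_LEN - 0xFFFF))
    if pos < 0 or pos + EOCD_LEN > len(data):
        raise ValueError("no end of central directory record")
    _, _, _, on_disk, declared, cd_size, cd_off, _ = struct.unpack_from(
        "<4s4H2LH", data, pos)
    cd_end = cd_off + cd_size
    if cd_end > pos:
        return declared, 0, False  # directory runs into or past the EOCD
    counted, cur = 0, cd_off
    # Walk the headers iteratively, bounded by the directory's byte range.
    while cur + CDH_LEN <= cd_end and data[cur:cur + 4] == CDH_SIG:
        name_len, extra_len, comment_len = struct.unpack_from("<3H", data, cur + 28)
        cur += CDH_LEN + name_len + extra_len + comment_len
        counted += 1
    ok = declared == on_disk == counted and cur == cd_end
    return declared, counted, ok


def build_samples():
    """Constructed inputs: a valid archive and a copy with altered count fields."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", "alpha")
        zf.writestr("b.txt", "beta")
    good = buf.getvalue()
    pos = good.rfind(EOCD_SIG)
    bad = bytearray(good)
    struct.pack_into("<2H", bad, pos + 8, 7, 7)  # declare 7 entries, 2 present
    return good, bytes(bad)


if __name__ == "__main__":
    for label, blob in zip(("valid", "inconsistent"), build_samples()):
        print(label, audit_entry_count(blob))
```

An archive for which `ok` is false can be rejected or quarantined before any zip library opens it.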

The SonicWALL UTM team has researched this vulnerability and released the following IPS signature to detect attacks targeting this issue:

  • 7436 Oracle Java zip_util Off-By-One DoS

This vulnerability is referenced by CVE as CVE-2012-0501.