ssl vulnerability - with java 1.6.14 - how to recreate?

 
Ranch Hand
Posts: 35
Using Java 1.6.14 with JBoss 4.3 (I think the server does not matter) -

Read about the SSL vulnerability:

http://stackoverflow.com/questions/1623676/suns-java-ssl-implementation-is-leaking-memory

http://nuxx.net/blog/2012/02/20/ms12-006-and-http-408-errors/

http://support.microsoft.com/kb/2638806

http://technet.microsoft.com/en-us/security/bulletin/ms12-006



http://stackoverflow.com/questions/1623676/suns-java-ssl-implementation-is-leaking-memory

http://www-01.ibm.com/support/docview.wss?uid=swg1PK16095
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#descPhase2

What I want: a Java or PHP script that directly calls itself or a new Java process (the new process will start a class based on your code too)
to make connections to the server that ask it to make a new SSL session, thus increasing the RAM used by the JVM and crashing it eventually.


Do not want a simple DoS attack. Each hit of this kind should increase the memory used by the JVM by a MB.
So if the server has a max of 1GB, in about 800 or so hits it should max out. Thanks.

I tried making a simple SSL connection using:
1. URL
2. Socket
3. Apache HTTP client

But no go - ran it all night from 2 desktops hitting the server every second and memory is fine.

Changing the program to call a process - maybe if it's a new JVM a new session is made. But out of ideas after that! Any help will be appreciated. (Looked at OWASP and googled but did not find anything like a test program to recreate.)
 
Tushar Kapila
Ranch Hand
Posts: 35
https://wiki.mozilla.org/Security:Renegotiation has some background information

I guess the code to renegotiate is there in Firefox - I need help for someone to identify a utility that can do that on demand!
 
author
Posts: 23838

So.... you are asking for help here, because you want something much better than just a simple denial of service attack? Are you serious?

Henry
 
Tushar Kapila
Ranch Hand
Posts: 35
It's to test a specific vulnerability. The newer Javas are supposed to have fixed it. Just want a way to test our own UAT (old version and new) ...
 