SSL vulnerability with Java 1.6.14 - how to recreate?

Using Java 1.6.14 with JBoss 4.3 (I think the server does not matter) -

I read about the SSL vulnerability:

http://stackoverflow.com/questions/1623676/suns-java-ssl-implementation-is-leaking-memory

http://nuxx.net/blog/2012/02/20/ms12-006-and-http-408-errors/

http://support.microsoft.com/kb/2638806

http://technet.microsoft.com/en-us/security/bulletin/ms12-006

http://stackoverflow.com/questions/1623676/suns-java-ssl-implementation-is-leaking-memory

http://www-01.ibm.com/support/docview.wss?uid=swg1PK16095

http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#descPhase2

What I want: a Java or PHP script that directly calls itself or a new Java process (the new process will start a class based on your code too)
to make connections to the server that ask it to make a new SSL session, thus increasing the RAM used by the JVM and crashing it eventually.


I do not want a simple DoS attack. Each hit of this kind should increase the memory used by the JVM by a MB.
So if the server has a max of 1 GB, in about 800 or so hits it should max out. Thanks.

I tried making a simple SSL connection using:
1. URL
2. Socket
3. Apache HttpClient

But no go: I ran it all night from 2 desktops hitting the server every second and memory is fine.

Changing the program to call a process: maybe if it's a new JVM a new session is made. But I am out of ideas after that! Any help will be appreciated. (I looked at OWASP and googled but did not find anything like a test program to recreate it.)
 
Tushar Kapila
https://wiki.mozilla.org/Security:Renegotiation has some background information.

I guess the code to renegotiate is there in Firefox. I need help from someone to identify a utility that can do that on demand!
 

Tushar Kapila wrote: Using Java 1.6.14 with JBoss 4.3 (I think the server does not matter) -

I read about the SSL vulnerability:

http://stackoverflow.com/questions/1623676/suns-java-ssl-implementation-is-leaking-memory

http://nuxx.net/blog/2012/02/20/ms12-006-and-http-408-errors/

http://support.microsoft.com/kb/2638806

http://technet.microsoft.com/en-us/security/bulletin/ms12-006

http://stackoverflow.com/questions/1623676/suns-java-ssl-implementation-is-leaking-memory

http://www-01.ibm.com/support/docview.wss?uid=swg1PK16095

http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#descPhase2

What I want: a Java or PHP script that directly calls itself or a new Java process (the new process will start a class based on your code too)
to make connections to the server that ask it to make a new SSL session, thus increasing the RAM used by the JVM and crashing it eventually.

I do not want a simple DoS attack. Each hit of this kind should increase the memory used by the JVM by a MB.
So if the server has a max of 1 GB, in about 800 or so hits it should max out. Thanks.

I tried making a simple SSL connection using:
1. URL
2. Socket
3. Apache HttpClient

But no go: I ran it all night from 2 desktops hitting the server every second and memory is fine.

Changing the program to call a process: maybe if it's a new JVM a new session is made. But I am out of ideas after that! Any help will be appreciated. (I looked at OWASP and googled but did not find anything like a test program to recreate it.)

So.... you are asking for help here, because you want something much better than just a simple denial of service attack? Are you serious?

Henry
 
Tushar Kapila
It's to test a specific vulnerability. The newer Javas are supposed to have fixed it. I just want a way to test our own UAT (old version and new) ...
 