
ssl vulnerability - with java 1.6.14 - how to recreate?

 
Tushar Kapila
Ranch Hand
Posts: 35
Using Java 1.6.14 with JBoss 4.3 (I think the server does not matter).

I read about the SSL vulnerability:

http://stackoverflow.com/questions/1623676/suns-java-ssl-implementation-is-leaking-memory

http://nuxx.net/blog/2012/02/20/ms12-006-and-http-408-errors/

http://support.microsoft.com/kb/2638806

http://technet.microsoft.com/en-us/security/bulletin/ms12-006

http://www-01.ibm.com/support/docview.wss?uid=swg1PK16095
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#descPhase2

What I want: a Java or PHP script that directly calls itself or a new Java process (the new process will start a class based on your code too)
to make connections to the server that ask it to make a new SSL session, thus increasing the RAM used by the JVM and crashing it eventually.


I do not want a simple DOS attack. Each hit of this kind should increase the memory used by the JVM by a MB.
So if the server has a max of 1GB, in about 800 or so hits it should max out. Thanks.

I tried making a simple SSL connection using:
1. URL
2. Socket
3. Apache HTTP client

But no go: I ran it all night from 2 desktops hitting the server every second and memory is fine.

Changing the program to call a process: maybe if it's a new JVM a new session is made. But I'm out of ideas after that! Any help will be appreciated. (I looked at OWASP and Googled but did not find anything like a test program to recreate it.)
 
Tushar Kapila
Ranch Hand
Posts: 35
https://wiki.mozilla.org/Security:Renegotiation has some background information

I guess the code to renegotiate is there in Firefox. I need help from someone to identify a utility that can do that on demand!
 
Henry Wong
author
Sheriff
Posts: 23295
Tushar Kapila wrote: Using Java 1.6.14 with JBoss 4.3 (I think the server does not matter).

I read about the SSL vulnerability:

http://stackoverflow.com/questions/1623676/suns-java-ssl-implementation-is-leaking-memory

http://nuxx.net/blog/2012/02/20/ms12-006-and-http-408-errors/

http://support.microsoft.com/kb/2638806

http://technet.microsoft.com/en-us/security/bulletin/ms12-006

http://www-01.ibm.com/support/docview.wss?uid=swg1PK16095
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#descPhase2

What I want: a Java or PHP script that directly calls itself or a new Java process (the new process will start a class based on your code too)
to make connections to the server that ask it to make a new SSL session, thus increasing the RAM used by the JVM and crashing it eventually.


I do not want a simple DOS attack. Each hit of this kind should increase the memory used by the JVM by a MB.
So if the server has a max of 1GB, in about 800 or so hits it should max out. Thanks.


I tried making a simple SSL connection using:
1. URL
2. Socket
3. Apache HTTP client

But no go: I ran it all night from 2 desktops hitting the server every second and memory is fine.

Changing the program to call a process: maybe if it's a new JVM a new session is made. But I'm out of ideas after that! Any help will be appreciated. (I looked at OWASP and Googled but did not find anything like a test program to recreate it.)



So.... you are asking for help here, because you want something much better than just a simple denial of service attack? Are you serious?

Henry
 
Tushar Kapila
Ranch Hand
Posts: 35
It's to test a specific vulnerability. The newer Javas are supposed to have fixed it. I just want a way to test our own UAT (old version and new) ...
 