Re: Java DOS

["Wall, Kevin" <Kevin.Wall () qwest com>]

Jim Manico wrote...
> Rafal,
>
> It's not that tough to blacklist this vuln while you are waiting for your
> team to patch your JVM (IBM and other JVM's have not even patched yet).
> I've seen three generations of this filter already. Walk with me, Rafal and
> I'll show you. :)
>
> 1) Generation 1 WAF rule (reject one number only)
>
> This mod security rule only blocks a small portion of the DOSable range.
> The mod security team is working to improve this now (no disrespect meant
> at all!)
>
> SecRule ARGS|REQUEST_HEADERS "@contains 2.2250738585072012e-308"
> "phase:2,block,msg:'Java Floating Point DoS Attack',tag:'CVE-2010-4476'"
>
> Reference: http://mobile.twitter.com/modsecurity/status/35734652652093441

Depending how & when the exponent conversion is done, this mod_security rule
may be completely ineffective. For example, if an attacker can write this
floating point # as the equivalent

        22.250738585072012e-309

(which note, I have not tested), then the test above is invalid. I presumed that
this was why Adobe's blacklist *first* removed the decimal point. Adobe's blacklist
could be generalized a bit to cover appropriate ranges with a regular expression,
but I agree wholeheartedly with you that what you dubbed as the "Chess Defense"
(I like it) is the best approach short of getting a fix from the vendor of your
JRE.

So on a somewhat related note, does anyone have any idea as to how common it is for
application developers to call ServletRequest.getLocale() or ServletRequest.getLocales()
for Tomcat applications? Just curious. I'm sure it's a lot more common than
developers using double-precision floating point in their applications (with
the possible exception within the scientific computing community).

-kevin
---
Kevin W. Wall           Qwest Risk Mgmt / Information Security
Kevin.Wall () qwest com    Phone: 614.215.4788
"It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration"
    - Edsger Dijkstra, How do we tell truths that matter?
      http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________