Security issue in Java based server
#10
I think we need to do to things to mitigate this attack. First limit the size of uncompressed packets. This also helps mitigate against compression bombs. Then we need to add limits to the recursion depth of the NBT parser as it can cause a stack-overflow as it is a recursive descent parser. I think we've avoided a code execution vulnerability because we don't create large stack based buffers to store the data, but I still think this is a potentially very dangerous attack.
Reply
Thanks given by:


Messages In This Thread
Security issue in Java based server - by Jammet - 04-17-2015, 09:48 PM
RE: Security issue in Java based server - by xoft - 04-17-2015, 10:10 PM
RE: Security issue in Java based server - by xoft - 04-17-2015, 10:32 PM
RE: Security issue in Java based server - by xoft - 04-17-2015, 10:59 PM
RE: Security issue in Java based server - by xoft - 04-17-2015, 11:05 PM
RE: Security issue in Java based server - by xoft - 04-18-2015, 10:09 PM
RE: Security issue in Java based server - by worktycho - 04-19-2015, 12:12 AM
RE: Security issue in Java based server - by xoft - 04-19-2015, 02:33 AM



Users browsing this thread: 6 Guest(s)