# Exploit Title: Oracle Java lookupByteBI function heap buffer overflow# Google Dork:# Date: 2013-09-03# Exploit Author: GuHe# Vendor Homepage: http://www.oracle.com/# Software Link:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
# Version: 7u21 and eariler# Tested on: Windows 7# CVE : CVE-2013-2470
PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/28050.zip
CVE-2013-2470 - Java_sun_awt_image_ImagingLib_lookupByteBI heap buffer
overflow
1. Affected Software
JRE 7 update 21 and earlier
JRE 6 update 45 and earlier
2. Root cause analysis
The "Java_sun_awt_image_ImagingLib_lookupByteBI" performs byte lookup
operation on two BufferedImage.
In the following code:
/* Mlib needs 16bit lookuptable and must be signed! */if(src->type == MLIB_SHORT){
unsigned short *sdataP = (unsigned short *) src->data;
unsigned short *sP;if(dst->type == MLIB_BYTE){
unsigned char *cdataP= (unsigned char *)dst->data;
unsigned char *cP;if(nbands > 1){
retStatus = 0;}else{
int x, y;for(y=0; y < src->height; y++){cP = cdataP;sP = sdataP;for(x=0; x < src->width; x++){*cP++ = table[0][*sP++];}/** 4554571: increment pointers using the scanline stride
* in pixel units (not byte units)*/
cdataP += dstImageP->raster.scanlineStride;
sdataP += srcImageP->raster.scanlineStride;}}}/* How about ddata == null? */}
It tries to map data in src raster to the dst raster. The total bytes
written to dst rater buffer is:
(src->width)*(src->height). However, it does not correctly check the size
of the dst buffer,if the size of the
dst buffer is smaller than (src->width)*(src->height), it will be
overflowed.
3. Poc
See "TestByteBI.java"for the source code.
And you can test the poc by directly open the "HelloApplet.html" in a web
browser.
4. Tested on
JRE 7 update 21 on Windows 7 Enterprise
