Which kind of web application can realistically be affected by the floating-point bug?

Posted 2024-10-16 09:26:47 · 1517 characters · 4 views · 0 comments


There's an easy way to totally lock a lot of JVMs:

// Parsing this string hangs the (unpatched) JVM inside FloatingDecimal; see the thread dump below.
class runhang {
    public static void main(String[] args) {
        System.out.println("Test:");
        double d = Double.parseDouble("2.2250738585072012e-308");
        System.out.println("Value: " + d);
    }
}

or, to hang the compiler:

// The same value as a literal: javac has to convert it at compile time and hangs the same way.
class compilehang {
    public static void main(String[] args) {
        double d = 2.2250738585072012e-308;
        System.out.println("Value: " + d);
    }
}

as explained here: http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/

My question is very simple: which kind of well-conceived web application do you know that can realistically be affected by this?

In other words: on which kind of webapps could an attacker perform a Denial of Service using that known weakness?

It is bad, it is terribly bad. But besides programmers using floating-point for monetary computation I don't see many Java-backed websites that can be crashed.

I can see toy scientific applets being candidates but besides that...

Here's a thread dump of the blocked thread (done using "kill -3" on Linux):

"main" prio=1 tid=0x09ab8a10 nid=0x57e9 runnable [0xbfbde000..0xbfbde728]
        at sun.misc.FDBigInt.mult(FloatingDecimal.java:2617)
        at sun.misc.FloatingDecimal.multPow52(FloatingDecimal.java:158)
        at sun.misc.FloatingDecimal.doubleValue(FloatingDecimal.java:1510)
        at java.lang.Double.parseDouble(Double.java:482)

EDIT

JVMs locked here:

java version "1.5.0_10"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_10-b03)
Java HotSpot(TM) Server VM (build 1.5.0_10-b03, mixed mode)

java version "1.6.0_17"
Java(TM) SE Runtime Environment (build 1.6.0_17-b04)
Java HotSpot(TM) Server VM (build 14.3-b01, mixed mode)


Comments (5)

绻影浮沉 2024-10-23 09:26:47

Many web servers parse part of the http headers using Double.parse, so we are dealing with infrastructure here (in addition to any problems with applications that run in the container). The comments of the Exploring Binary blog you link to have the following as an example:

GET / HTTP/1.1
Host: myhost
Connection: keep-alive
Accept-Language: en-us;q=2.2250738585072012e-308

If the servlet that the request is going against makes a call to any of the localization APIs (which would then attempt to parse the language header), the above will bring the server down.

So yes, this is a very big problem. The attack surface is quite large, and the consequences quite high.
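
A defensive way to handle the Accept-Language case described in this answer, and the Double.parseDouble hang from the question in general, is to never hand untrusted text to the floating-point parser until it has matched the narrow grammar the protocol actually allows. The following is an added example, not code from the post, from Tomcat or from any JDK: it validates q-values against the RFC 2616 qvalue grammar ("0" with up to three decimals, or "1" with up to three zeros), so an exponent form such as the one in the post is dropped before any conversion happens. The class and method names are my own, and the sample headers in main are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example: parse Accept-Language weights without exposing
 * Double.parseDouble to arbitrary attacker-controlled strings.
 */
public class SafeAcceptLanguage {

    // RFC 2616 qvalue grammar: ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] ).
    // No sign, no exponent, no more than three fractional digits.
    private static final Pattern QVALUE =
        Pattern.compile("^(?:0(?:\\.[0-9]{0,3})?|1(?:\\.0{0,3})?)$");

    // Language tag shape: "*" or 1-8 letters with optional "-" subtags.
    private static final Pattern LANG_TAG =
        Pattern.compile("^(?:\\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)$");

    /** Returns the q-value, or -1 if the text is outside the RFC grammar. */
    static double parseQValue(String raw) {
        String s = raw.trim();
        if (!QVALUE.matcher(s).matches()) {
            return -1.0;
        }
        // Only short plain-decimal strings ever reach parseDouble here.
        return Double.parseDouble(s);
    }

    /** One accepted language tag with its weight. */
    static final class Weighted {
        final String tag;
        final double q;
        Weighted(String tag, double q) { this.tag = tag; this.q = q; }
    }

    /** Parses the header; malformed entries are dropped instead of being passed on. */
    static List<Weighted> parse(String header) {
        List<Weighted> out = new ArrayList<>();
        if (header == null) {
            return out;
        }
        for (String item : header.split(",")) {
            String[] parts = item.trim().split(";");
            String tag = parts[0].trim();
            if (!LANG_TAG.matcher(tag).matches()) {
                continue;
            }
            double q = 1.0;                     // default weight per RFC 2616
            for (int i = 1; i < parts.length; i++) {
                String p = parts[i].trim();
                if (p.startsWith("q=")) {
                    q = parseQValue(p.substring(2));
                }
            }
            if (q < 0) {
                continue;                       // reject rather than parse the raw string
            }
            out.add(new Weighted(tag, q));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample headers; the second carries the value from the post.
        String[] samples = {
            "en-us;q=0.8, fr;q=0.5, *;q=0.1",
            "en-us;q=2.2250738585072012e-308",
        };
        for (String h : samples) {
            System.out.println("Header: " + h);
            for (Weighted w : parse(h)) {
                System.out.println("  " + w.tag + " q=" + w.q);
            }
        }
    }
}
```

For the first sample header all three entries survive with their weights; for the second the only entry is dropped, and a caller would fall back to its default locale. The same idea applies to the payment-form and calculator cases raised in other answers: constrain numeric input with a grammar that fits the field (fixed decimals, no exponent) before the string reaches the JVM's converter, which is cheap insurance even on JVMs that have the fpupdater fix applied.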

悟红尘 2024-10-23 09:26:47

Hate to state the obvious, but all applications that let the user submit the string "2.2250738585072011e-308" and call parseDouble on it can "realistically" be affected.

梦里南柯 2024-10-23 09:26:47

All versions of Tomcat have been patched and released to handle the "Accept-Language" condition.

Oracle has released a hot fix which can be found here:

http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html

The hotfix will work for java 1.4, 1.5, and 1.6.

昔日梦未散 2024-10-23 09:26:47

Anything where you let the user enter a floating point number and do a comparison or calculation on it should be suspect. I would say a payment form, loan calculator, and bidding form would be the most common. All it would take is one little calculator utility in your entire application to be able to hang the web server by repeated hits.

请持续率性 2024-10-23 09:26:47

I understand that this number is only one in a range of numbers that would crash applications, but I just couldn't resist commenting: check the last 4 digits. 2012, it speaks volumes of the number, the ancient predicted doomsday, and our modern applications are pointing to a crashing threshold unless fixed :-)
