Year of the Snail

Bryan here again. First I want to thank everyone who came out for my BlackHat DC talk on application-level denial-of-service attacks last month. I got a lot of great questions and feedback from all of you. Keep it coming! And just to throw more fuel on the DoS fire, there were at least two other sessions that focused on DoS: Tom Brennan and Ryan Barnett’s “Checkmate with Denial of Service” and Laurent Oudot’s “Inglourious Hackerds: Targeting Web Clients.” While today is supposed to start the Chinese Year of the Rabbit, it’s shaping up to be more like the year of the snail…

As if to prove the point, more research surfaced this week on the “magic number” DoS vulnerability I discussed in my Black Hat presentation and in my last blog post. Konstantin Preißer discovered that Java apps, like PHP apps, will fall into an infinite loop and hang while trying to process numeric values in the (approximate) range of 2.2250738585072011E-208 to 2.2250738585072013E-208. Where you are parsing a double value from a string, you can apply this blacklist filter to detect whether the string is potentially malicious:

public static boolean containsMagicDoSNumber(String s) {
    // Drop the decimal point, then look for the digit run shared by the problematic values.
    return s.replace(".", "").contains("2225073858507201");
}

Note that this check matches more than the values that actually trigger the hang (any string containing that digit run, whatever its decimal point or exponent), so you may get false positives. I’ll keep this space updated with any news of a more thorough fix from Oracle.
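To show where the filter sits relative to the parser, here is an added example (my code, not from the original post) that wraps Double.parseDouble with the check above and runs it over a few constructed strings, including one plain integer that trips the false positive just mentioned; the class and method names are mine.

```java
import java.util.Arrays;
import java.util.List;

// Added example, not code from the original post: wraps Double.parseDouble with the
// blacklist check above and shows how the check behaves on constructed inputs.
public class SafeDoubleParser {

    // Digit run shared by the problematic values, as quoted in the post.
    private static final String MAGIC_DIGITS = "2225073858507201";

    // Same check as in the post: drop the decimal point, then look for the digit run.
    public static boolean containsMagicDoSNumber(String s) {
        return s.replace(".", "").contains(MAGIC_DIGITS);
    }

    // Parses s only after the blacklist check passes. A flagged string is rejected
    // with IllegalArgumentException instead of being handed to the parser; the
    // same guard belongs in front of Double.valueOf and any other string-to-double
    // conversion the application performs.
    public static double parseDoubleSafely(String s) {
        if (s == null) {
            throw new IllegalArgumentException("null input");
        }
        if (containsMagicDoSNumber(s)) {
            throw new IllegalArgumentException("rejected by magic-number blacklist");
        }
        // NumberFormatException (a subclass of IllegalArgumentException) still
        // surfaces for input that is not a number at all.
        return Double.parseDouble(s);
    }

    public static void main(String[] args) {
        // Constructed sample inputs (hypothetical request parameters).
        List<String> samples = Arrays.asList(
            "3.14159",                   // benign, parsed normally
            "2.2250738585072011E-208",   // range quoted in the post: rejected
            "0.000022250738585072012",   // same digit run, no exponent: rejected
            "92225073858507201"          // plain integer: a false positive, rejected
        );
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + parseDoubleSafely(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> " + e.getMessage());
            }
        }
    }
}
```

The last sample is rejected even though it is an ordinary integer, which is the false-positive cost of a digit-run blacklist.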

Update: Oracle has released a Floating Point Updater Tool to patch the issue. Please be sure to read the associated readme file for the tool before installing, as there are important caveats.