Posted to users@tomcat.apache.org by Ankur Shah <to...@optonline.net> on 2004/03/03 00:21:22 UTC

[OT] Re: Process Died | Production

Christopher Schultz wrote:

>>> I've had the displeasure of experiencing a Tomcat JVM core dump
>>> on me not too long ago (in a multi-user development environment,
>>> fortunately) on a Sparc/Solaris box. It turned out to be due to
>>> insufficient swap memory in the system. I didn't see any
>>> OutOfMemoryExceptions raised prior to the crash, so it wasn't that
>>> obvious, but the top command came to the rescue in the end.
>>
>>
>> Good one ;)  It reminds me of another time, where I had internal crashes
>> occurring due to a low limit of file descriptors (ulimit -a will show
>> you the limits).  That one was frustrating ;)  I'm sure many people on
>> this list have horror stories with seemingly random crashes...
>
>
> I've experienced even more random crashes (SEGV). It turned out to be 
> bad memory (or bus), and it only showed up under pretty heavy load. :(
>
This is a little OT, but just out of curiosity, has anybody been 
successful in gaining root/tomcat/whatever-uid shell by capitalizing on 
a JVM's (not necessarily tomcat's) core dump? I've always wondered if 
that was possible. I know it's extremely hard (impossible?) to 
"consistently" overflow JVM's stack, but has it ever been done? 

-- A

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: [OT] Re: Process Died | Production

Posted by Ankur Shah <to...@optonline.net>.
Christopher Schultz wrote:

>>> I've experienced even more random crashes (SEGV). It turned out to 
>>> be bad memory (or bus), and it only showed up under pretty heavy 
>>> load. :(  
>>
>> This is a little OT, but just out of curiosity, has anybody been 
>> successful in gaining root/tomcat/whatever-uid shell by capitalizing 
>> on a JVM's (not necessarily tomcat's) core dump? I've always wondered 
>> if that was possible. I know it's extremely hard (impossible?) to 
>> "consistently" overflow JVM's stack, but has it ever been done?
>
>
> I've never heard of anything like this before.
>
> However, Java's "stack" is not what gets overflowed, here. IF the JVM 
> goes down, it's the JVM code that faults, not the Java code itself. 
> Java's stack and heap are pretty far away from anything that's executing.
>
Notice I said overflowing of the JVM's stack not Java's (bytecode) 
"stack". I am well aware of the fact that you can't "smash" a Java stack 
- that's just how the language is architected.

-- A



Re: [OT] Re: Process Died | Production

Posted by Christopher Schultz <ch...@comcast.net>.
Ankur,

>> I've experienced even more random crashes (SEGV). It turned out to be 
>> bad memory (or bus), and it only showed up under pretty heavy load. :(
>
> This is a little OT, but just out of curiosity, has anybody been 
> successful in gaining root/tomcat/whatever-uid shell by capitalizing on 
> a JVM's (not necessarily tomcat's) core dump? I've always wondered if 
> that was possible. I know it's extremely hard (impossible?) to 
> "consistently" overflow JVM's stack, but has it ever been done?

I've never heard of anything like this before.

However, Java's "stack" is not what gets overflowed, here. IF the JVM 
goes down, it's the JVM code that faults, not the Java code itself. 
Java's stack and heap are pretty far away from anything that's executing.

Generally stack or buffer overflow bugs are exploited because someone 
corrupted the stack and not only inserted some malicious code, but also 
modified the return pointer to call that code. In Java (without native 
code, at least), I don't think you could intentionally do anything like 
this. I suppose if you had an evil app connect to a JVM using something 
like JVMPI, you might be able to do something like this. However, you 
usually don't have the profiling hooks turned on in production ;)

-chris