From 784402e6aea0d5106e8395ae6f9f7ceb8a57cc2a Mon Sep 17 00:00:00 2001
From: Maxwell Koo
Date: Tue, 9 Mar 2021 10:31:47 -0700
Subject: [PATCH 1/5] Add metadata-extractor CVE-2019-14262 target
---
.../.dockerignore | 2 +
metadata-extractor-cve-2019-14262/Dockerfile | 24 ++++++++
metadata-extractor-cve-2019-14262/README.md | 53 ++++++++++++++++++
.../exception-handler.patch | 16 ++++++
.../mayhem/metadata-extractor/Mayhemfile | 9 +++
.../mayhem/metadata-extractor/corpus/test-1 | Bin 0 -> 368 bytes
.../metadata-extractor/poc/crashing-input | Bin 0 -> 368 bytes
7 files changed, 104 insertions(+)
create mode 100644 metadata-extractor-cve-2019-14262/.dockerignore
create mode 100644 metadata-extractor-cve-2019-14262/Dockerfile
create mode 100644 metadata-extractor-cve-2019-14262/README.md
create mode 100644 metadata-extractor-cve-2019-14262/exception-handler.patch
create mode 100644 metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile
create mode 100644 metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/corpus/test-1
create mode 100644 metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/poc/crashing-input
diff --git a/metadata-extractor-cve-2019-14262/.dockerignore b/metadata-extractor-cve-2019-14262/.dockerignore
new file mode 100644
index 0000000..5e60e47
--- /dev/null
+++ b/metadata-extractor-cve-2019-14262/.dockerignore
@@ -0,0 +1,2 @@
+mayhem/
+README.md
diff --git a/metadata-extractor-cve-2019-14262/Dockerfile b/metadata-extractor-cve-2019-14262/Dockerfile
new file mode 100644
index 0000000..29a1983
--- /dev/null
+++ b/metadata-extractor-cve-2019-14262/Dockerfile
@@ -0,0 +1,24 @@
+FROM gradle:6.7.1-jdk15 as builder
+
+RUN apt-get update && apt-get -y install \
+ patch && \
+ rm -rf /var/apt/lists/*
+
+WORKDIR /build
+COPY exception-handler.patch exception-handler.patch
+RUN git clone https://github.com/drewnoakes/metadata-extractor.git -b 2.12.0 && \
+ cd metadata-extractor && \
+ patch -p1 < ../exception-handler.patch && \
+ sed -e "s/'1.6'/'1.8'/g" -i build.gradle && \
+ gradle --no-daemon jar && \
+ mkdir ../artifacts && \
+ cp build/libs/metadata-extractor-2.1.1.jar ../artifacts && \
+ wget https://repo1.maven.org/maven2/com/adobe/xmp/xmpcore/6.1.11/xmpcore-6.1.11.jar && \
+ cp xmpcore-6.1.11.jar ../artifacts
+
+FROM openjdk:17-jdk-slim
+
+WORKDIR /app
+COPY --from=builder /build/artifacts/*.jar ./
+
+ENTRYPOINT ["java", "-cp", "/app/xmpcore-6.1.11.jar:/app/metadata-extractor-2.1.1.jar", "com.drew.imaging.ImageMetadataReader"]
diff --git a/metadata-extractor-cve-2019-14262/README.md b/metadata-extractor-cve-2019-14262/README.md
new file mode 100644
index 0000000..78a2e97
--- /dev/null
+++ b/metadata-extractor-cve-2019-14262/README.md
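Review bot: The cleanup at the end of the first `RUN` deletes `/var/apt/lists/*`, which is not the directory apt writes its package indexes to, so the lists fetched by `apt-get update` stay in that layer; the builder stage is discarded so the final image is unaffected, but the line does not do what it says and should read `rm -rf /var/lib/apt/lists/*`. The xmpcore jar is downloaded with plain `wget` and copied straight onto the runtime classpath with no integrity check, and the library is checked out by tag (`-b 2.12.0`) rather than by commit, so a moved tag or a tampered download would pass unnoticed; adding `echo "<sha256 placeholder>  xmpcore-6.1.11.jar" | sha256sum -c` after the `wget` and cloning a fixed commit hash would make the build reproducible and verifiable. The jar copied from `build/libs` is named `metadata-extractor-2.1.1.jar` although the checkout is tag 2.12.0; if that is simply the version string the tag's build.gradle emits, a comment saying so would spare the next reader a search. The final stage has no `USER`, so the harness runs as root; that may be intentional for a fuzzing target, but it is worth a one-line comment as well.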
@@ -0,0 +1,53 @@
+# Metadata Extractor CVE-2019-14262 Example
+
+This target replicates finding [CVE-2019-14262](https://nvd.nist.gov/vuln/detail/CVE-2019-14262), a stack exhaustion bug caused by uncontrolled recursion in version 2.1.0 of the metadata-extractor library ([CVSS Score](https://nvd.nist.gov/vuln-metrics/cvss): 7.5).
+
+This vulnerability was reported to the maintainers and resolved [here](https://github.com/drewnoakes/metadata-extractor/issues/419).
+
+Note that the CVE is for the C# version of the same code, where one cannot typically recover from a stack overflow.
+This example reproduces the vulnerability in the Java version to demonstrate the Java fuzzing capabilities of Mayhem.
+
+## To build
+
+Assuming you just want to build the docker image, run:
+
+```bash
+docker build -t forallsecure/metadata-extractor-cve-2019-14262 .
+```
+
+## Get from Dockerhub
+
+If you don't want to build locally, you can pull a pre-built image directly from Dockerhub:
+
+```bash
+docker pull forallsecure/metadata-extractor-cve-2019-14262
+```
+
+## Run under Mayhem
+
+Change to the `metadata-extractor-cve-2019-14262` folder and run:
+
+```bash
+mayhem run mayhem/metadata-extractor
+```
+
+and watch Mayhem replicate the bug!
+This bug should be found within a minute of starting the run.
+
+## Run locally
+
+Change to the `metadata-extractor-cve-2019-14262` folder and run:
+
+```bash
+docker run --rm -v `pwd`:/in forallsecure/metadata-extractor-cve-2019-14262 /in/mayhem/metadata-extractor/poc/crashing-input
+```
+
+## POC
+
+We have included a proof of concept output under the `poc` directory.
+
+> Note: Fuzzing has some degree of non-determinism, so when you run yourself you may not get exactly this file.
+> This is expected; your output should still trigger the bug.
+
+This bug was originally found by ForAllSecure employee [Alex Rebert](https://forallsecure.com/about-us).
+This bug has since been [fixed](https://github.com/drewnoakes/metadata-extractor/issues/419) by project maintainers.
diff --git a/metadata-extractor-cve-2019-14262/exception-handler.patch b/metadata-extractor-cve-2019-14262/exception-handler.patch
new file mode 100644
index 0000000..496d1e9
--- /dev/null
+++ b/metadata-extractor-cve-2019-14262/exception-handler.patch
@@ -0,0 +1,16 @@
+diff --git a/Source/com/drew/imaging/ImageMetadataReader.java b/Source/com/drew/imaging/ImageMetadataReader.java
+index 628ec9e5..e2b97daa 100644
+--- a/Source/com/drew/imaging/ImageMetadataReader.java
++++ b/Source/com/drew/imaging/ImageMetadataReader.java
+@@ -252,9 +252,8 @@ public class ImageMetadataReader
+ Metadata metadata = null;
+ try {
+ metadata = ImageMetadataReader.readMetadata(file);
+- } catch (Exception e) {
+- e.printStackTrace(System.err);
+- System.exit(1);
++ } catch (ImageProcessingException ipe) {
++ return;
+ }
+ long took = System.nanoTime() - startTime;
+ if (!markdownFormat)
diff --git a/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile b/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile
new file mode 100644
index 0000000..be923c9
--- /dev/null
+++ b/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile
@@ -0,0 +1,9 @@
+version: '1.10'
+project: metadata-extractor-cve-2019-14262
+target: metadata-extractor
+baseimage: forallsecure/metadata-extractor-cve-2019-14262
+cmds:
+ - cmd: /app/metadata-extractor-2.1.1.jar @@
+ env:
+ MFUZZ_JAVA: "1"
+ CLASSPATH: /app/xmpcore-6.1.11.jar
diff --git a/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/corpus/test-1 b/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/corpus/test-1 new file mode 100644 index 0000000000000000000000000000000000000000..77b8bf238b0461c6ae7fbdbd5642816747f61fad GIT binary patch literal 368 zcmebD3}r}SU|^VbYwyL4yayB*7+%@yZ|UJY!Qv9vprn3YWc{miv0VxbDG8j33R}H1 z)Xjg-ZvC{Mr-OIJz8v-=K%HWY3^I(&42(b~Ud(Kd=XV4)1k3k41 z&J4zkj10@v8JJ)40+mVu)$@Y20SOMEfCCVV0ogDA|7T!agQT8?fslGpusQGkD*%lU zXJi38B@)PHW?%)f|NQqCfH{Og04VSx1*DLXk(rtK1y;lPz>Z-A>IZpB18QObkR#0q tG7$!nfJ_+%h6V-(O`r>y7#MzmWtd-hFfbU;oC)LUd(Kd=XV4)1k3k41 z&J4zkj10@v8JJ)40+mVu)$@Y20SOMEfCCVV0ogDA|7T!agQT8?fslGpusQGkD*%lU zXJi38B@)PHW?%)f|NQqCfH{Og04VSx1*DLXk(rtK1y;lPz>e_+o65kT!3Z*ifgu1$ wNJH5`E)XOEMPwKl8W Date: Tue, 9 Mar 2021 10:37:03 -0700 Subject: [PATCH 2/5] Add metadata-extractor project to actions --- .github/workflows/docker_publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml index a67bb4c..f15514e 100644 --- a/.github/workflows/docker_publish.yml +++ b/.github/workflows/docker_publish.yml @@ -32,6 +32,7 @@ jobs: - cereal-cve-2020-11104-11105 - jq-defect-2020 - matio-cve-2019-13107 + - metadata-extractor-cve-2019-14262 - netflix-cve-2019-10028 - objdump-cve-2017-124xx - oniguruma-cve-2019-13224-13225 From aacd11df8a7043427da0304446f0445bb949a23b Mon Sep 17 00:00:00 2001 From: Maxwell Koo Date: Tue, 9 Mar 2021 10:59:31 -0700 Subject: [PATCH 3/5] Add main README link and duration --- README.md | 1 + .../mayhem/metadata-extractor/Mayhemfile | 1 + 2 files changed, 2 insertions(+) diff --git a/README.md b/README.md index bf86d8c..5b9eecc 100644 --- a/README.md +++ b/README.md 
@@ -27,6 +27,7 @@ We will be adding to this as find more bugs! Currently we have: * [Cereal CVE 2020-11104 & 2020-11105](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/cereal-cve-2020-11104-11105) - read more [here](https://blog.forallsecure.com/uncovering-memory-defects-in-cereal) * [Oniguruma Regex CVEs 2019-13224 & 2019-13225](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/oniguruma-cve-2019-13224-13225) * [STB Vorbis CVE-2019-132xx](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/stb-cve-2019-132xx) - read more [here](https://blog.forallsecure.com/analyzing-matio-and-stb_vorbis-libraries-with-mayhem) + * [metadata-extractor CVE 2019-14262](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/metadata-extractor-cve-2019-14262) * [MATIO CVE 2019-13107](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/matio-cve-2019-13107) - read more [here](https://blog.forallsecure.com/analyzing-matio-and-stb_vorbis-libraries-with-mayhem) * [Das U-Boot CVE 2019-13103 to 2019-13106](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/uboot-cve-2019-13103-13106) - read more [here](https://blog.forallsecure.com/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot) * [Netflix Dial CVE 2019-10028](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/netflix-cve-2019-10028) - read more [here](https://blog.forallsecure.com/forallsecure-uncovers-vulnerability-in-netflix-dial-software) diff --git a/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile b/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile index be923c9..0ce728a 100644 --- a/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile +++ b/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile 
@@ -2,6 +2,7 @@ version: '1.10'
 project: metadata-extractor-cve-2019-14262
 target: metadata-extractor
 baseimage: forallsecure/metadata-extractor-cve-2019-14262
+duration: 600
 cmds:
 - cmd: /app/metadata-extractor-2.1.1.jar @@
 env:
From 3a609f628c2870ea4c67ea5e8042b8eef8c9b3e6 Mon Sep 17 00:00:00 2001
From: Maxwell Koo
Date: Tue, 9 Mar 2021 11:19:51 -0700
Subject: [PATCH 4/5] Address review
---
.github/workflows/docker_publish.yml | 2 +-
README.md | 2 +-
.../.dockerignore | 0
.../Dockerfile | 0
.../README.md | 12 ++++++------
.../exception-handler.patch | 0
.../mayhem/metadataextractor}/Mayhemfile | 4 ++--
.../mayhem/metadataextractor}/corpus/test-1 | Bin
.../mayhem/metadataextractor}/poc/crashing-input | Bin
9 files changed, 10 insertions(+), 10 deletions(-)
rename {metadata-extractor-cve-2019-14262 => metadataextractor-cve-2019-14262}/.dockerignore (100%)
rename {metadata-extractor-cve-2019-14262 => metadataextractor-cve-2019-14262}/Dockerfile (100%)
rename {metadata-extractor-cve-2019-14262 => metadataextractor-cve-2019-14262}/README.md (78%)
rename {metadata-extractor-cve-2019-14262 => metadataextractor-cve-2019-14262}/exception-handler.patch (100%)
rename {metadata-extractor-cve-2019-14262/mayhem/metadata-extractor => metadataextractor-cve-2019-14262/mayhem/metadataextractor}/Mayhemfile (64%)
rename {metadata-extractor-cve-2019-14262/mayhem/metadata-extractor => metadataextractor-cve-2019-14262/mayhem/metadataextractor}/corpus/test-1 (100%)
rename {metadata-extractor-cve-2019-14262/mayhem/metadata-extractor => metadataextractor-cve-2019-14262/mayhem/metadataextractor}/poc/crashing-input (100%)
diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml
index f15514e..34257c9 100644
--- a/.github/workflows/docker_publish.yml
+++ b/.github/workflows/docker_publish.yml
@@ -32,7 +32,7 @@ jobs: - cereal-cve-2020-11104-11105 - jq-defect-2020 - matio-cve-2019-13107 - - metadata-extractor-cve-2019-14262 + - metadataextractor-cve-2019-14262 - netflix-cve-2019-10028 - objdump-cve-2017-124xx - oniguruma-cve-2019-13224-13225 diff --git a/README.md b/README.md index 5b9eecc..4318ece 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ We will be adding to this as find more bugs! Currently we have: * [Cereal CVE 2020-11104 & 2020-11105](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/cereal-cve-2020-11104-11105) - read more [here](https://blog.forallsecure.com/uncovering-memory-defects-in-cereal) * [Oniguruma Regex CVEs 2019-13224 & 2019-13225](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/oniguruma-cve-2019-13224-13225) * [STB Vorbis CVE-2019-132xx](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/stb-cve-2019-132xx) - read more [here](https://blog.forallsecure.com/analyzing-matio-and-stb_vorbis-libraries-with-mayhem) - * [metadata-extractor CVE 2019-14262](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/metadata-extractor-cve-2019-14262) + * [metadataextractor CVE 2019-14262](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/metadataextractor-cve-2019-14262) * [MATIO CVE 2019-13107](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/matio-cve-2019-13107) - read more [here](https://blog.forallsecure.com/analyzing-matio-and-stb_vorbis-libraries-with-mayhem) * [Das U-Boot CVE 2019-13103 to 2019-13106](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/uboot-cve-2019-13103-13106) - read more [here](https://blog.forallsecure.com/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot) * [Netflix Dial CVE 2019-10028](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/netflix-cve-2019-10028) - read more [here](https://blog.forallsecure.com/forallsecure-uncovers-vulnerability-in-netflix-dial-software) 
diff --git a/metadata-extractor-cve-2019-14262/.dockerignore b/metadataextractor-cve-2019-14262/.dockerignore similarity index 100% rename from metadata-extractor-cve-2019-14262/.dockerignore rename to metadataextractor-cve-2019-14262/.dockerignore diff --git a/metadata-extractor-cve-2019-14262/Dockerfile b/metadataextractor-cve-2019-14262/Dockerfile similarity index 100% rename from metadata-extractor-cve-2019-14262/Dockerfile rename to metadataextractor-cve-2019-14262/Dockerfile diff --git a/metadata-extractor-cve-2019-14262/README.md b/metadataextractor-cve-2019-14262/README.md similarity index 78% rename from metadata-extractor-cve-2019-14262/README.md rename to metadataextractor-cve-2019-14262/README.md index 78a2e97..3cf38c5 100644 --- a/metadata-extractor-cve-2019-14262/README.md +++ b/metadataextractor-cve-2019-14262/README.md @@ -12,7 +12,7 @@ This example reproduces the vulnerability in the Java version to demonstrate the Assuming you just want to build the docker image, run: ```bash -docker build -t forallsecure/metadata-extractor-cve-2019-14262 . +docker build -t forallsecure/metadataextractor-cve-2019-14262 . ``` ## Get from Dockerhub @@ -20,15 +20,15 @@ docker build -t forallsecure/metadata-extractor-cve-2019-14262 . If you don't want to build locally, you can pull a pre-built image directly from Dockerhub: ```bash -docker pull forallsecure/metadata-extractor-cve-2019-14262 +docker pull forallsecure/metadataextractor-cve-2019-14262 ``` ## Run under Mayhem -Change to the `metadata-extractor-cve-2019-14262` folder and run: +Change to the `metadataextractor-cve-2019-14262` folder and run: ```bash -mayhem run mayhem/metadata-extractor +mayhem run mayhem/metadataextractor ``` and watch Mayhem replicate the bug! 
@@ -36,10 +36,10 @@ This bug should be found within a minute of starting the run. ## Run locally -Change to the `metadata-extractor-cve-2019-14262` folder and run: +Change to the `metadataextractor-cve-2019-14262` folder and run: ```bash -docker run --rm -v `pwd`:/in forallsecure/metadata-extractor-cve-2019-14262 /in/mayhem/metadata-extractor/poc/crashing-input +docker run --rm -v `pwd`:/in forallsecure/metadataextractor-cve-2019-14262 /in/mayhem/metadataextractor/poc/crashing-input ``` ## POC diff --git a/metadata-extractor-cve-2019-14262/exception-handler.patch b/metadataextractor-cve-2019-14262/exception-handler.patch similarity index 100% rename from metadata-extractor-cve-2019-14262/exception-handler.patch rename to metadataextractor-cve-2019-14262/exception-handler.patch diff --git a/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile b/metadataextractor-cve-2019-14262/mayhem/metadataextractor/Mayhemfile similarity index 64% rename from metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile rename to metadataextractor-cve-2019-14262/mayhem/metadataextractor/Mayhemfile index 0ce728a..4e9b66f 100644 --- a/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile +++ b/metadataextractor-cve-2019-14262/mayhem/metadataextractor/Mayhemfile @@ -1,7 +1,7 @@ version: '1.10' -project: metadata-extractor-cve-2019-14262 +project: metadataextractor-cve-2019-14262 target: metadata-extractor -baseimage: forallsecure/metadata-extractor-cve-2019-14262 +baseimage: forallsecure/metadataextractor-cve-2019-14262 duration: 600 cmds: - cmd: /app/metadata-extractor-2.1.1.jar @@ diff --git a/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/corpus/test-1 b/metadataextractor-cve-2019-14262/mayhem/metadataextractor/corpus/test-1 similarity index 100% rename from metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/corpus/test-1 rename to metadataextractor-cve-2019-14262/mayhem/metadataextractor/corpus/test-1 
diff --git a/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/poc/crashing-input b/metadataextractor-cve-2019-14262/mayhem/metadataextractor/poc/crashing-input similarity index 100% rename from metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/poc/crashing-input rename to metadataextractor-cve-2019-14262/mayhem/metadataextractor/poc/crashing-input From dae396507b4122e72ce6a0713f11df6d37c7cfa7 Mon Sep 17 00:00:00 2001 From: Maxwell Koo Date: Tue, 9 Mar 2021 11:21:18 -0700 Subject: [PATCH 5/5] Add note about patch to README --- metadataextractor-cve-2019-14262/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/metadataextractor-cve-2019-14262/README.md b/metadataextractor-cve-2019-14262/README.md index 3cf38c5..3c84780 100644 --- a/metadataextractor-cve-2019-14262/README.md +++ b/metadataextractor-cve-2019-14262/README.md @@ -7,6 +7,8 @@ This vulnerability was reported to the maintainers and resolved [here](https://g Note that the CVE is for the C# version of the same code, where one cannot typically recover from a stack overflow. This example reproduces the vulnerability in the Java version to demonstrate the Java fuzzing capabilities of Mayhem. +The upstream project has a catch-all handler which was disabled to allow us to find and report Exceptions in Mayhem. + ## To build Assuming you just want to build the docker image, run: