Add h2o cve #2
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| FROM ubuntu:20.10 AS base | ||
|
|
||
| RUN apt-get update && \ | ||
| apt-get install -y libssl-dev zlib1g-dev | ||
|
|
||
| FROM base AS builder | ||
|
|
||
| RUN export DEBIAN_FRONTEND="noninteractive" && \ | ||
| apt-get update && \ | ||
| apt-get install -y cmake build-essential git | ||
|
|
||
| WORKDIR /h2o | ||
| RUN git clone https://github.com/h2o/h2o . && \ | ||
| git checkout 69506c9e2defa4922f62f389c76d89e9274b3cc1 && \ | ||
| git checkout HEAD^ | ||
|
|
||
| RUN mkdir build && cd build && cmake .. && make | ||
|
|
||
| FROM base | ||
|
|
||
| WORKDIR /fuzz | ||
| COPY --from=builder /h2o/build/h2o . | ||
| COPY h2o.conf . | ||
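Review bot: `FROM ubuntu:20.10 AS base` pins an interim (non-LTS) release that has since left support, so `apt-get update` in the `base` and `builder` stages will fail once its package repositories move to old-releases; pin an LTS tag such as `ubuntu:20.04` so the image rebuilds reproducibly. Two smaller points in the same hunk: the runtime stage inherits `libssl-dev zlib1g-dev` from `base` although the final image only needs the runtime libraries, and `git checkout 69506c9e2defa4922f62f389c76d89e9274b3cc1 && git checkout HEAD^` deserves a one-line comment saying that it intentionally builds the commit immediately before the fix, otherwise a reader may take the `HEAD^` for a mistake.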
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| # h2o memory corruption CVE example | ||
|
|
||
| This repo replicates finding [CVE-2018-0608](https://nvd.nist.gov/vuln/detail/CVE-2018-0608), a memory corruption bug that may allow a remote attacker to run arbitrary code ([CVSS Score](https://nvd.nist.gov/vuln-metrics/cvss): 9.8). | ||
|
|
||
| We reported this bug responsibly to the maintainers, with the follow-on issue tracking [here](https://github.com/h2o/h2o/issues/1775). | ||
|
|
||
| > Note: since this finds the bug in an unmodified h2o binary | ||
| > (a *network target*), it can only be found by fuzzers that support network | ||
| > fuzzing (such as Mayhem). | ||
|
||
|
|
||
| ## To build | ||
|
|
||
| Assuming you just want to build the docker image, run from the project | ||
| directory (`h2o-cve-2018-0608`): | ||
|
|
||
| ```bash | ||
| docker build -t forallsecure/h2o-cve-2018-0608 . | ||
| ``` | ||
|
|
||
| ## Get from Dockerhub | ||
|
|
||
| If you don't want to build locally, you can pull a pre-built image | ||
| directly from dockerhub: | ||
|
|
||
| ```bash | ||
| docker pull forallsecure/h2o-cve-2018-0608 | ||
| ``` | ||
|
|
||
|
|
||
| ## Run under Mayhem | ||
|
|
||
| From the project directory (`h2o-cve-2018-0608`) run: | ||
|
|
||
| ```bash | ||
| mayhem run mayhem/h2o | ||
| ``` | ||
|
|
||
| ## POC | ||
|
|
||
| We have included a proof of concept output under the `poc` | ||
| directory. | ||
|
|
||
| > Note: Fuzzing has some degree of non-determinism, so when you run | ||
| yourself you may not get exactly this file. This is expected; your | ||
| output should still trigger the memory corruption bug. | ||
Member: Pls add how long it takes us to find. Such as:
||
|
|
||
| This bug was originally found and [responsibly disclosed](https://github.com/h2o/h2o/issues/1775) by ForAllSecure employee [Marlies Ruck](https://blog.forallsecure.com/author/marlies-ruck). As such, this bug has since been [fixed](https://github.com/h2o/h2o/commit/69506c9e2defa4922f62f389c76d89e9274b3cc1) by project maintainers. | ||
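Review bot: the README never states which h2o revision is under test; the Dockerfile builds the parent of fix commit 69506c9e2defa4922f62f389c76d89e9274b3cc1, and that should be said next to the CVE link so readers know they are running the commit immediately before the fix. The sentence "We reported this bug responsibly to the maintainers..." and the closing paragraph crediting Marlies Ruck say the same thing; keep the fuller closing paragraph and drop the earlier one. The open review request on the POC note (how long Mayhem takes to find the crash) is still unanswered in this text. Minor: the first blockquote prefixes every line with `>` while the second prefixes only its first line; both render, but keep them consistent.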
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| # to find out the configuration commands, run: h2o --help | ||
|
|
||
| listen: 8080 | ||
| num-threads: 4 | ||
| #listen: | ||
| # port: 8081 | ||
| # ssl: | ||
| # certificate-file: examples/h2o/server.crt | ||
| # key-file: examples/h2o/server.key | ||
| # minimum-version: TLSv1.2 | ||
| # cipher-preference: server | ||
| # cipher-suite: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" | ||
| # # Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8 | ||
| # # see: https://wiki.mozilla.org/Security/Server_Side_TLS | ||
| hosts: | ||
| "127.0.0.1.xip.io:8080": | ||
| paths: | ||
| /: | ||
| file.dir: examples/doc_root | ||
| access-log: /dev/stdout | ||
| # "alternate.127.0.0.1.xip.io:8081": | ||
| # listen: | ||
| # port: 8081 | ||
| # ssl: | ||
| # certificate-file: examples/h2o/alternate.crt | ||
| # key-file: examples/h2o/alternate.key | ||
| # paths: | ||
| # /: | ||
| # file.dir: examples/doc_root.alternate | ||
| # access-log: /dev/stdout |
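Review bot: `file.dir: examples/doc_root` is a relative path to a directory that the Dockerfile never copies into the runtime image (only the `h2o` binary and `h2o.conf` land in `/fuzz`), so the `/` path has nothing to serve; copy a document root from the builder stage and reference it with an absolute path. The host entry `"127.0.0.1.xip.io:8080"` depends on a third-party wildcard-DNS name while the Mayhemfile and the seed request both use `localhost:8080`; naming the host `localhost:8080` (or `default`) removes that dependency. For crash reproduction, `num-threads: 1` behaves more deterministically than `num-threads: 4`, and the commented-out TLS and alternate-host blocks are dead configuration in a fuzzing harness and can be removed.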
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| version: '1.4' | ||
| project: h2o-cve-2018-0608 | ||
| target: h2o | ||
| baseimage: forallsecure/h2o-cve-2018-0608 | ||
|
Member: Please specify a duration (upper bound on what it would take to find, say on demo).
Contributor (Author): OK, haven't found the bug from scratch yet (ran target shortly and verified crash repro) but will update when it is found.
||
| cmds: | ||
| - cmd: /fuzz/h2o -c /fuzz/h2o.conf | ||
| network: | ||
| is_client: false | ||
| timeout: 2.0 | ||
| url: tcp://localhost:8080 | ||
| timeout: 15 | ||
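Review bot: the review thread above asks for a `duration` and the file still carries none; add one (an upper bound on time-to-find) once the crash has been reproduced from scratch, since the README's "Run under Mayhem" section gives readers no expectation either. `timeout` appears twice, `timeout: 2.0` under `network` and `timeout: 15` at the command level; a one-line comment on each saying what it bounds would help, because the table rendering here has lost the indentation that distinguishes them. `is_client: false` with `url: tcp://localhost:8080` matches `listen: 8080` in h2o.conf, which is correct for a server target.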
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| GET / HTTP/1.1 | ||
| User-Agent: curl/7.35.0 | ||
| Host: localhost:8080 | ||
| Accept: */* | ||
|
|
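Review bot: this file is a plain `GET /` with curl's default headers, that is, a benign seed request rather than an input that triggers the memory corruption; if it is a seed corpus entry, the README should say so and state where the actual crash reproducer under `poc` lives, so a reader does not mistake this request for the POC.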