diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml
index a67bb4c..34257c9 100644
--- a/.github/workflows/docker_publish.yml
+++ b/.github/workflows/docker_publish.yml
@@ -32,6 +32,7 @@ jobs:
 - cereal-cve-2020-11104-11105
 - jq-defect-2020
 - matio-cve-2019-13107
+ - metadataextractor-cve-2019-14262
 - netflix-cve-2019-10028
 - objdump-cve-2017-124xx
 - oniguruma-cve-2019-13224-13225
diff --git a/README.md b/README.md
index bf86d8c..4318ece 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,7 @@ We will be adding to this as find more bugs! Currently we have:
 * [Cereal CVE 2020-11104 & 2020-11105](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/cereal-cve-2020-11104-11105) - read more [here](https://blog.forallsecure.com/uncovering-memory-defects-in-cereal)
 * [Oniguruma Regex CVEs 2019-13224 & 2019-13225](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/oniguruma-cve-2019-13224-13225)
 * [STB Vorbis CVE-2019-132xx](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/stb-cve-2019-132xx) - read more [here](https://blog.forallsecure.com/analyzing-matio-and-stb_vorbis-libraries-with-mayhem)
+ * [metadataextractor CVE 2019-14262](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/metadataextractor-cve-2019-14262)
 * [MATIO CVE 2019-13107](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/matio-cve-2019-13107) - read more [here](https://blog.forallsecure.com/analyzing-matio-and-stb_vorbis-libraries-with-mayhem)
 * [Das U-Boot CVE 2019-13103 to 2019-13106](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/uboot-cve-2019-13103-13106) - read more [here](https://blog.forallsecure.com/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot)
 * [Netflix Dial CVE 2019-10028](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/netflix-cve-2019-10028) - read more [here](https://blog.forallsecure.com/forallsecure-uncovers-vulnerability-in-netflix-dial-software)
diff --git a/metadataextractor-cve-2019-14262/.dockerignore b/metadataextractor-cve-2019-14262/.dockerignore
new file mode 100644
index 0000000..5e60e47
--- /dev/null
+++ b/metadataextractor-cve-2019-14262/.dockerignore
@@ -0,0 +1,2 @@
+mayhem/
+README.md
diff --git a/metadataextractor-cve-2019-14262/Dockerfile b/metadataextractor-cve-2019-14262/Dockerfile
new file mode 100644
index 0000000..29a1983
--- /dev/null
+++ b/metadataextractor-cve-2019-14262/Dockerfile
@@ -0,0 +1,24 @@
+FROM gradle:6.7.1-jdk15 as builder
+
+RUN apt-get update && apt-get -y install \
+    patch && \
+    rm -rf /var/apt/lists/*
+
+WORKDIR /build
+COPY exception-handler.patch exception-handler.patch
+RUN git clone https://github.com/drewnoakes/metadata-extractor.git -b 2.12.0 && \
+    cd metadata-extractor && \
+    patch -p1 < ../exception-handler.patch && \
+    sed -e "s/'1.6'/'1.8'/g" -i build.gradle && \
+    gradle --no-daemon jar && \
+    mkdir ../artifacts && \
+    cp build/libs/metadata-extractor-2.1.1.jar ../artifacts && \
+    wget https://repo1.maven.org/maven2/com/adobe/xmp/xmpcore/6.1.11/xmpcore-6.1.11.jar && \
+    cp xmpcore-6.1.11.jar ../artifacts
+
+FROM openjdk:17-jdk-slim
+
+WORKDIR /app
+COPY --from=builder /build/artifacts/*.jar ./
+
+ENTRYPOINT ["java", "-cp", "/app/xmpcore-6.1.11.jar:/app/metadata-extractor-2.1.1.jar", "com.drew.imaging.ImageMetadataReader"]
diff --git a/metadataextractor-cve-2019-14262/README.md b/metadataextractor-cve-2019-14262/README.md
new file mode 100644
index 0000000..3c84780
--- /dev/null
+++ b/metadataextractor-cve-2019-14262/README.md
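Review bot: The xmpcore jar fetched with wget in the builder stage is copied onto the runtime classpath with no integrity check, and the metadata-extractor source is checked out by tag (`-b 2.12.0`), which can be moved; whoever can alter either the Maven artifact or that tag decides what this image executes. Pin the checkout to a commit (`git -C metadata-extractor checkout <commit-sha>` right after the clone) and verify the download before it is copied, `echo "<sha256>  xmpcore-6.1.11.jar" | sha256sum -c -`, taking the digest from the checksum file Maven Central publishes next to the artifact. Separately, `rm -rf /var/apt/lists/*` removes nothing because the apt index lives under `/var/lib/apt/lists/`, so the cleanup line should read `rm -rf /var/lib/apt/lists/*`. The final stage also runs the parser as root; a `USER` directive is cheap hardening for a container whose only job is to consume attacker-shaped inputs.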
@@ -0,0 +1,55 @@
+# Metadata Extractor CVE-2019-14262 Example
+
+This target replicates finding [CVE-2019-14262](https://nvd.nist.gov/vuln/detail/CVE-2019-14262), a stack exhaustion bug caused by uncontrolled recursion in version 2.1.0 of the metadata-extractor library ([CVSS Score](https://nvd.nist.gov/vuln-metrics/cvss): 7.5).
+
+This vulnerability was reported to the maintainers and resolved [here](https://github.com/drewnoakes/metadata-extractor/issues/419).
+
+Note that the CVE is for the C# version of the same code, where one cannot typically recover from a stack overflow.
+This example reproduces the vulnerability in the Java version to demonstrate the Java fuzzing capabilities of Mayhem.
+
+The upstream project has a catch-all handler which was disabled to allow us to find and report Exceptions in Mayhem.
+
+## To build
+
+Assuming you just want to build the docker image, run:
+
+```bash
+docker build -t forallsecure/metadataextractor-cve-2019-14262 .
+```
+
+## Get from Dockerhub
+
+If you don't want to build locally, you can pull a pre-built image directly from Dockerhub:
+
+```bash
+docker pull forallsecure/metadataextractor-cve-2019-14262
+```
+
+## Run under Mayhem
+
+Change to the `metadataextractor-cve-2019-14262` folder and run:
+
+```bash
+mayhem run mayhem/metadataextractor
+```
+
+and watch Mayhem replicate the bug!
+This bug should be found within a minute of starting the run.
+
+## Run locally
+
+Change to the `metadataextractor-cve-2019-14262` folder and run:
+
+```bash
+docker run --rm -v `pwd`:/in forallsecure/metadataextractor-cve-2019-14262 /in/mayhem/metadataextractor/poc/crashing-input
+```
+
+## POC
+
+We have included a proof of concept output under the `poc` directory.
+
+> Note: Fuzzing has some degree of non-determinism, so when you run yourself you may not get exactly this file.
+> This is expected; your output should still trigger the bug.
+
+This bug was originally found by ForAllSecure employee [Alex Rebert](https://forallsecure.com/about-us).
+This bug has since been [fixed](https://github.com/drewnoakes/metadata-extractor/issues/419) by project maintainers.
diff --git a/metadataextractor-cve-2019-14262/exception-handler.patch b/metadataextractor-cve-2019-14262/exception-handler.patch
new file mode 100644
index 0000000..496d1e9
--- /dev/null
+++ b/metadataextractor-cve-2019-14262/exception-handler.patch
@@ -0,0 +1,16 @@
+diff --git a/Source/com/drew/imaging/ImageMetadataReader.java b/Source/com/drew/imaging/ImageMetadataReader.java
+index 628ec9e5..e2b97daa 100644
+--- a/Source/com/drew/imaging/ImageMetadataReader.java
++++ b/Source/com/drew/imaging/ImageMetadataReader.java
+@@ -252,9 +252,8 @@ public class ImageMetadataReader
+ Metadata metadata = null;
+ try {
+ metadata = ImageMetadataReader.readMetadata(file);
+- } catch (Exception e) {
+- e.printStackTrace(System.err);
+- System.exit(1);
++ } catch (ImageProcessingException ipe) {
++ return;
+ }
+ long took = System.nanoTime() - startTime;
+ if (!markdownFormat)
diff --git a/metadataextractor-cve-2019-14262/mayhem/metadataextractor/Mayhemfile b/metadataextractor-cve-2019-14262/mayhem/metadataextractor/Mayhemfile
new file mode 100644
index 0000000..4e9b66f
--- /dev/null
+++ b/metadataextractor-cve-2019-14262/mayhem/metadataextractor/Mayhemfile
@@ -0,0 +1,10 @@
+version: '1.10'
+project: metadataextractor-cve-2019-14262
+target: metadata-extractor
+baseimage: forallsecure/metadataextractor-cve-2019-14262
+duration: 600
+cmds:
+  - cmd: /app/metadata-extractor-2.1.1.jar @@
+    env:
+      MFUZZ_JAVA: "1"
+      CLASSPATH: /app/xmpcore-6.1.11.jar
diff --git a/metadataextractor-cve-2019-14262/mayhem/metadataextractor/corpus/test-1 b/metadataextractor-cve-2019-14262/mayhem/metadataextractor/corpus/test-1
new file mode 100644
index 0000000..77b8bf2
Binary files /dev/null and b/metadataextractor-cve-2019-14262/mayhem/metadataextractor/corpus/test-1 differ
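Review bot: The removed `catch (Exception e)` never intercepted the stack exhaustion this target exists to surface, because `StackOverflowError` is an `Error`, not an `Exception`; what the patch actually changes is that unchecked `RuntimeException`s from the parser now propagate instead of exiting with status 1, and a rejected input (`ImageProcessingException`) now ends the run with status 0 instead of 1. That is reasonable for a fuzz harness, but neither the patch nor the README's "catch-all handler which was disabled" wording says so, and a reader will assume the catch was hiding the overflow. patch(1) ignores free text before the first `diff --git` header, so I would put the rationale there: `Narrow the CLI's catch-all so RuntimeExceptions reach the fuzzer as crashes; StackOverflowError was never caught here. ImageProcessingException means "input rejected", not a bug, so exit 0.`. Note also that the new catch no longer covers `IOException` if `readMetadata(file)` declares it; presumably `main` already declares `throws IOException`, but the enclosing method starts and ends outside this hunk, so confirm against the 2.12.0 source.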
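Review bot: `baseimage` names the image without a tag or digest, so a run resolves to whatever `:latest` is on Docker Hub at that moment, and the README's "found within a minute" claim cannot be tied to the image this commit builds. Pin it, e.g. `baseimage: forallsecure/metadataextractor-cve-2019-14262@sha256:<digest>`, or at least to whatever version tag the docker_publish workflow pushes. The `cmd` also runs `/app/metadata-extractor-2.1.1.jar` directly with only xmpcore on `CLASSPATH`, while the Dockerfile's `ENTRYPOINT` invokes `com.drew.imaging.ImageMetadataReader` via `-cp` with both jars; the two only agree if the built jar's manifest declares that `Main-Class`, which nothing in this commit checks, so a comment above `cmds:` such as `# relies on the jar manifest's Main-Class (ImageMetadataReader); xmpcore is supplied via CLASSPATH` would spare the next person a puzzling failed run.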
diff --git a/metadataextractor-cve-2019-14262/mayhem/metadataextractor/poc/crashing-input b/metadataextractor-cve-2019-14262/mayhem/metadataextractor/poc/crashing-input
new file mode 100644
index 0000000..b865626
Binary files /dev/null and b/metadataextractor-cve-2019-14262/mayhem/metadataextractor/poc/crashing-input differ