diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml
index a67bb4c..f15514e 100644
--- a/.github/workflows/docker_publish.yml
+++ b/.github/workflows/docker_publish.yml
@@ -32,6 +32,7 @@ jobs:
 - cereal-cve-2020-11104-11105
 - jq-defect-2020
 - matio-cve-2019-13107
+ - metadata-extractor-cve-2019-14262
 - netflix-cve-2019-10028
 - objdump-cve-2017-124xx
 - oniguruma-cve-2019-13224-13225
diff --git a/metadata-extractor-cve-2019-14262/.dockerignore b/metadata-extractor-cve-2019-14262/.dockerignore
new file mode 100644
index 0000000..5e60e47
--- /dev/null
+++ b/metadata-extractor-cve-2019-14262/.dockerignore
@@ -0,0 +1,2 @@
+mayhem/
+README.md
diff --git a/metadata-extractor-cve-2019-14262/Dockerfile b/metadata-extractor-cve-2019-14262/Dockerfile
new file mode 100644
index 0000000..29a1983
--- /dev/null
+++ b/metadata-extractor-cve-2019-14262/Dockerfile
@@ -0,0 +1,24 @@
+FROM gradle:6.7.1-jdk15 as builder
+
+RUN apt-get update && apt-get -y install \
+ patch && \
+ rm -rf /var/apt/lists/*
+
+WORKDIR /build
+COPY exception-handler.patch exception-handler.patch
+RUN git clone https://github.com/drewnoakes/metadata-extractor.git -b 2.12.0 && \
+ cd metadata-extractor && \
+ patch -p1 < ../exception-handler.patch && \
+ sed -e "s/'1.6'/'1.8'/g" -i build.gradle && \
+ gradle --no-daemon jar && \
+ mkdir ../artifacts && \
+ cp build/libs/metadata-extractor-2.1.1.jar ../artifacts && \
+ wget https://repo1.maven.org/maven2/com/adobe/xmp/xmpcore/6.1.11/xmpcore-6.1.11.jar && \
+ cp xmpcore-6.1.11.jar ../artifacts
+
+FROM openjdk:17-jdk-slim
+
+WORKDIR /app
+COPY --from=builder /build/artifacts/*.jar ./
+
+ENTRYPOINT ["java", "-cp", "/app/xmpcore-6.1.11.jar:/app/metadata-extractor-2.1.1.jar", "com.drew.imaging.ImageMetadataReader"]
diff --git a/metadata-extractor-cve-2019-14262/README.md b/metadata-extractor-cve-2019-14262/README.md
new file mode 100644
index 0000000..78a2e97
--- /dev/null
+++ b/metadata-extractor-cve-2019-14262/README.md
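Review bot: The builder fetches `xmpcore-6.1.11.jar` from Maven Central with a bare `wget` and copies it into the artifact set with no integrity check, so whatever the mirror returns ends up on the runtime classpath; verify a pinned digest in the same step, e.g. `wget https://repo1.maven.org/maven2/com/adobe/xmp/xmpcore/6.1.11/xmpcore-6.1.11.jar && echo '<SHA256_PLACEHOLDER>  xmpcore-6.1.11.jar' | sha256sum -c -`, and for the same reason prefer pinning the `git clone` to a commit over the movable `2.12.0` tag. The apt cleanup removes `/var/apt/lists/*`, which is not the path apt writes, so the package indexes stay in the layer; it should be `rm -rf /var/lib/apt/lists/*`, and `--no-install-recommends` on the `patch` install would trim the builder further. The clone checks out tag `2.12.0` while the `cp` expects `build/libs/metadata-extractor-2.1.1.jar` and the README calls the library 2.1.0; if `2.1.1` is really the version string that tag's build.gradle produces, a comment such as `# build.gradle at tag 2.12.0 still names the jar 2.1.1` would keep the next reader from "correcting" it. The runtime stage sets no `USER`, so the harness runs as root; add a non-root user before `ENTRYPOINT` unless the Mayhem runtime needs root.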
@@ -0,0 +1,53 @@
+# Metadata Extractor CVE-2019-14262 Example
+
+This target replicates finding [CVE-2019-14262](https://nvd.nist.gov/vuln/detail/CVE-2019-14262), a stack exhaustion bug caused by uncontrolled recursion in version 2.1.0 of the metadata-extractor library ([CVSS Score](https://nvd.nist.gov/vuln-metrics/cvss): 7.5).
+
+This vulnerability was reported to the maintainers and resolved [here](https://github.com/drewnoakes/metadata-extractor/issues/419).
+
+Note that the CVE is for the C# version of the same code, where one cannot typically recover from a stack overflow.
+This example reproduces the vulnerability in the Java version to demonstrate the Java fuzzing capabilities of Mayhem.
+
+## To build
+
+Assuming you just want to build the docker image, run:
+
+```bash
+docker build -t forallsecure/metadata-extractor-cve-2019-14262 .
+```
+
+## Get from Dockerhub
+
+If you don't want to build locally, you can pull a pre-built image directly from Dockerhub:
+
+```bash
+docker pull forallsecure/metadata-extractor-cve-2019-14262
+```
+
+## Run under Mayhem
+
+Change to the `metadata-extractor-cve-2019-14262` folder and run:
+
+```bash
+mayhem run mayhem/metadata-extractor
+```
+
+and watch Mayhem replicate the bug!
+This bug should be found within a minute of starting the run.
+
+## Run locally
+
+Change to the `metadata-extractor-cve-2019-14262` folder and run:
+
+```bash
+docker run --rm -v `pwd`:/in forallsecure/metadata-extractor-cve-2019-14262 /in/mayhem/metadata-extractor/poc/crashing-input
+```
+
+## POC
+
+We have included a proof of concept output under the `poc` directory.
+
+> Note: Fuzzing has some degree of non-determinism, so when you run yourself you may not get exactly this file.
+> This is expected; your output should still trigger the bug.
+
+This bug was originally found by ForAllSecure employee [Alex Rebert](https://forallsecure.com/about-us).
+This bug has since been [fixed](https://github.com/drewnoakes/metadata-extractor/issues/419) by project maintainers.
diff --git a/metadata-extractor-cve-2019-14262/exception-handler.patch b/metadata-extractor-cve-2019-14262/exception-handler.patch
new file mode 100644
index 0000000..496d1e9
--- /dev/null
+++ b/metadata-extractor-cve-2019-14262/exception-handler.patch
@@ -0,0 +1,16 @@
+diff --git a/Source/com/drew/imaging/ImageMetadataReader.java b/Source/com/drew/imaging/ImageMetadataReader.java
+index 628ec9e5..e2b97daa 100644
+--- a/Source/com/drew/imaging/ImageMetadataReader.java
++++ b/Source/com/drew/imaging/ImageMetadataReader.java
+@@ -252,9 +252,8 @@ public class ImageMetadataReader
+ Metadata metadata = null;
+ try {
+ metadata = ImageMetadataReader.readMetadata(file);
+- } catch (Exception e) {
+- e.printStackTrace(System.err);
+- System.exit(1);
++ } catch (ImageProcessingException ipe) {
++ return;
+ }
+ long took = System.nanoTime() - startTime;
+ if (!markdownFormat)
diff --git a/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile b/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile
new file mode 100644
index 0000000..be923c9
--- /dev/null
+++ b/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile
@@ -0,0 +1,9 @@
+version: '1.10'
+project: metadata-extractor-cve-2019-14262
+target: metadata-extractor
+baseimage: forallsecure/metadata-extractor-cve-2019-14262
+cmds:
+ - cmd: /app/metadata-extractor-2.1.1.jar @@
+ env:
+ MFUZZ_JAVA: "1"
+ CLASSPATH: /app/xmpcore-6.1.11.jar
diff --git a/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/corpus/test-1 b/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/corpus/test-1
new file mode 100644
index 0000000..77b8bf2
Binary files /dev/null and b/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/corpus/test-1 differ
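Review bot: The replacement `catch (ImageProcessingException ipe) { return; }` narrows the handler from `Exception`, so any other runtime exception thrown by `readMetadata` now escapes the method uncaught instead of ending in `System.exit(1)`; that looks intentional (expected parse failures should not count as findings while unexpected exceptions should surface), but nothing in the patch records it. A comment line on the new side of the inner hunk, `// Malformed input is expected here; let anything else propagate so the fuzzer reports it`, would make the intent explicit. Note that the stack exhaustion this target reproduces surfaces as a `StackOverflowError`, which is an `Error` rather than an `Exception`, so neither the old nor the new catch clause intercepts it and the change only affects how ordinary exceptions are handled. The enclosing method starts and ends outside the hunk.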
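Review bot: `baseimage: forallsecure/metadata-extractor-cve-2019-14262` carries no tag or digest, so each run resolves whatever `:latest` currently is and a rebuilt image silently changes the target under test; pin it, e.g. `baseimage: forallsecure/metadata-extractor-cve-2019-14262:<TAG_PLACEHOLDER>` or an `@sha256:` digest. The `cmd` hard-codes `/app/metadata-extractor-2.1.1.jar` and `CLASSPATH` hard-codes `/app/xmpcore-6.1.11.jar`, the same names that appear in the Dockerfile's `ENTRYPOINT`, so a version bump must be repeated in three places; a comment such as `# jar names must match the Dockerfile ENTRYPOINT` would at least point the maintainer at the other copy.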
diff --git a/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/poc/crashing-input b/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/poc/crashing-input
new file mode 100644
index 0000000..b865626
Binary files /dev/null and b/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/poc/crashing-input differ