From 784402e6aea0d5106e8395ae6f9f7ceb8a57cc2a Mon Sep 17 00:00:00 2001
From: Maxwell Koo
Date: Tue, 9 Mar 2021 10:31:47 -0700
Subject: [PATCH 1/2] Add metadata-extractor CVE-2019-14262 target
---
 .../.dockerignore | 2 +
 metadata-extractor-cve-2019-14262/Dockerfile | 24 ++++++++
 metadata-extractor-cve-2019-14262/README.md | 53 ++++++++++++++++++
 .../exception-handler.patch | 16 ++++++
 .../mayhem/metadata-extractor/Mayhemfile | 9 +++
 .../mayhem/metadata-extractor/corpus/test-1 | Bin 0 -> 368 bytes
 .../metadata-extractor/poc/crashing-input | Bin 0 -> 368 bytes
 7 files changed, 104 insertions(+)
 create mode 100644 metadata-extractor-cve-2019-14262/.dockerignore
 create mode 100644 metadata-extractor-cve-2019-14262/Dockerfile
 create mode 100644 metadata-extractor-cve-2019-14262/README.md
 create mode 100644 metadata-extractor-cve-2019-14262/exception-handler.patch
 create mode 100644 metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile
 create mode 100644 metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/corpus/test-1
 create mode 100644 metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/poc/crashing-input
diff --git a/metadata-extractor-cve-2019-14262/.dockerignore b/metadata-extractor-cve-2019-14262/.dockerignore
new file mode 100644
index 0000000..5e60e47
--- /dev/null
+++ b/metadata-extractor-cve-2019-14262/.dockerignore
@@ -0,0 +1,2 @@
+mayhem/
+README.md
diff --git a/metadata-extractor-cve-2019-14262/Dockerfile b/metadata-extractor-cve-2019-14262/Dockerfile
new file mode 100644
index 0000000..29a1983
--- /dev/null
+++ b/metadata-extractor-cve-2019-14262/Dockerfile
@@ -0,0 +1,24 @@
+FROM gradle:6.7.1-jdk15 as builder
+
+RUN apt-get update && apt-get -y install \
+ patch && \
+ rm -rf /var/apt/lists/*
+
+WORKDIR /build
+COPY exception-handler.patch exception-handler.patch
+RUN git clone https://github.com/drewnoakes/metadata-extractor.git -b 2.12.0 && \
+ cd metadata-extractor && \
+ patch -p1 < ../exception-handler.patch && \
+ sed -e "s/'1.6'/'1.8'/g" -i build.gradle && \
+ gradle --no-daemon jar && \
+ mkdir ../artifacts && \
+ cp build/libs/metadata-extractor-2.1.1.jar ../artifacts && \
+ wget https://repo1.maven.org/maven2/com/adobe/xmp/xmpcore/6.1.11/xmpcore-6.1.11.jar && \
+ cp xmpcore-6.1.11.jar ../artifacts
+
+FROM openjdk:17-jdk-slim
+
+WORKDIR /app
+COPY --from=builder /build/artifacts/*.jar ./
+
+ENTRYPOINT ["java", "-cp", "/app/xmpcore-6.1.11.jar:/app/metadata-extractor-2.1.1.jar", "com.drew.imaging.ImageMetadataReader"]
diff --git a/metadata-extractor-cve-2019-14262/README.md b/metadata-extractor-cve-2019-14262/README.md
new file mode 100644
index 0000000..78a2e97
--- /dev/null
+++ b/metadata-extractor-cve-2019-14262/README.md
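Review bot: The xmpcore jar fetched with a bare `wget` from repo1.maven.org in the builder stage is copied straight onto the runtime classpath with no integrity check, so a substituted or tampered download would land in the published image unnoticed; `git clone -b 2.12.0` likewise pins a movable tag rather than a commit. Verify the jar in the same `RUN` before it is copied, e.g. `echo "<sha256 of xmpcore-6.1.11.jar, to be filled in>  xmpcore-6.1.11.jar" | sha256sum -c -`, or have gradle resolve it, since it presumably is already a declared dependency of the project (it ends up on the classpath either way — confirm). Separately, `rm -rf /var/apt/lists/*` is the wrong path: apt keeps its lists under `/var/lib/apt/lists`, so the cleanup is a no-op in the builder layer. Minor style points: `as builder` should be `AS builder`, and the final stage declares no `USER`, so the target runs as root — fine for a throwaway fuzz image but worth a one-line comment saying so.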
@@ -0,0 +1,53 @@
+# Metadata Extractor CVE-2019-14262 Example
+
+This target replicates finding [CVE-2019-14262](https://nvd.nist.gov/vuln/detail/CVE-2019-14262), a stack exhaustion bug caused by uncontrolled recursion in version 2.1.0 of the metadata-extractor library ([CVSS Score](https://nvd.nist.gov/vuln-metrics/cvss): 7.5).
+
+This vulnerability was reported to the maintainers and resolved [here](https://github.com/drewnoakes/metadata-extractor/issues/419).
+
+Note that the CVE is for the C# version of the same code, where one cannot typically recover from a stack overflow.
+This example reproduces the vulnerability in the Java version to demonstrate the Java fuzzing capabilities of Mayhem.
+
+## To build
+
+Assuming you just want to build the docker image, run:
+
+```bash
+docker build -t forallsecure/metadata-extractor-cve-2019-14262 .
+```
+
+## Get from Dockerhub
+
+If you don't want to build locally, you can pull a pre-built image directly from Dockerhub:
+
+```bash
+docker pull forallsecure/metadata-extractor-cve-2019-14262
+```
+
+## Run under Mayhem
+
+Change to the `metadata-extractor-cve-2019-14262` folder and run:
+
+```bash
+mayhem run mayhem/metadata-extractor
+```
+
+and watch Mayhem replicate the bug!
+This bug should be found within a minute of starting the run.
+
+## Run locally
+
+Change to the `metadata-extractor-cve-2019-14262` folder and run:
+
+```bash
+docker run --rm -v `pwd`:/in forallsecure/metadata-extractor-cve-2019-14262 /in/mayhem/metadata-extractor/poc/crashing-input
+```
+
+## POC
+
+We have included a proof of concept output under the `poc` directory.
+
+> Note: Fuzzing has some degree of non-determinism, so when you run yourself you may not get exactly this file.
+> This is expected; your output should still trigger the bug.
+
+This bug was originally found by ForAllSecure employee [Alex Rebert](https://forallsecure.com/about-us).
+This bug has since been [fixed](https://github.com/drewnoakes/metadata-extractor/issues/419) by project maintainers.
diff --git a/metadata-extractor-cve-2019-14262/exception-handler.patch b/metadata-extractor-cve-2019-14262/exception-handler.patch
new file mode 100644
index 0000000..496d1e9
--- /dev/null
+++ b/metadata-extractor-cve-2019-14262/exception-handler.patch
@@ -0,0 +1,16 @@
+diff --git a/Source/com/drew/imaging/ImageMetadataReader.java b/Source/com/drew/imaging/ImageMetadataReader.java
+index 628ec9e5..e2b97daa 100644
+--- a/Source/com/drew/imaging/ImageMetadataReader.java
++++ b/Source/com/drew/imaging/ImageMetadataReader.java
+@@ -252,9 +252,8 @@ public class ImageMetadataReader
+ Metadata metadata = null;
+ try {
+ metadata = ImageMetadataReader.readMetadata(file);
+- } catch (Exception e) {
+- e.printStackTrace(System.err);
+- System.exit(1);
++ } catch (ImageProcessingException ipe) {
++ return;
+ }
+ long took = System.nanoTime() - startTime;
+ if (!markdownFormat)
diff --git a/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile b/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile
new file mode 100644
index 0000000..be923c9
--- /dev/null
+++ b/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/Mayhemfile
@@ -0,0 +1,9 @@
+version: '1.10'
+project: metadata-extractor-cve-2019-14262
+target: metadata-extractor
+baseimage: forallsecure/metadata-extractor-cve-2019-14262
+cmds:
+ - cmd: /app/metadata-extractor-2.1.1.jar @@
+ env:
+ MFUZZ_JAVA: "1"
+ CLASSPATH: /app/xmpcore-6.1.11.jar
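Review bot: The new `catch (ImageProcessingException ipe) { return; }` silently discards the exception, and the patch file carries no explanation of why the original `catch (Exception e)` / `System.exit(1)` handler is being replaced, so a reader has to reconstruct from the Dockerfile that this is a harness change rather than a library fix. A patch file accepts free text before its first `diff --git` line; add a short preamble there stating that only ImageProcessingException is treated as a benign parse failure and that every other exception now propagates out of the method instead of ending the process with exit(1) (presumably so the fuzzer reports it as a crash — worth saying explicitly). Renaming the unused variable to `ignored` would also make that intent visible in the code itself. The enclosing method starts and ends outside the quoted hunk.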
diff --git a/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/corpus/test-1 b/metadata-extractor-cve-2019-14262/mayhem/metadata-extractor/corpus/test-1 new file mode 100644 index 0000000000000000000000000000000000000000..77b8bf238b0461c6ae7fbdbd5642816747f61fad GIT binary patch literal 368 zcmebD3}r}SU|^VbYwyL4yayB*7+%@yZ|UJY!Qv9vprn3YWc{miv0VxbDG8j33R}H1 z)Xjg-ZvC{Mr-OIJz8v-=K%HWY3^I(&42(b~Ud(Kd=XV4)1k3k41 z&J4zkj10@v8JJ)40+mVu)$@Y20SOMEfCCVV0ogDA|7T!agQT8?fslGpusQGkD*%lU zXJi38B@)PHW?%)f|NQqCfH{Og04VSx1*DLXk(rtK1y;lPz>Z-A>IZpB18QObkR#0q tG7$!nfJ_+%h6V-(O`r>y7#MzmWtd-hFfbU;oC)LUd(Kd=XV4)1k3k41 z&J4zkj10@v8JJ)40+mVu)$@Y20SOMEfCCVV0ogDA|7T!agQT8?fslGpusQGkD*%lU zXJi38B@)PHW?%)f|NQqCfH{Og04VSx1*DLXk(rtK1y;lPz>e_+o65kT!3Z*ifgu1$ wNJH5`E)XOEMPwKl8W Date: Tue, 9 Mar 2021 10:37:03 -0700 Subject: [PATCH 2/2] Add metadata-extractor project to actions --- .github/workflows/docker_publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml index a67bb4c..f15514e 100644 --- a/.github/workflows/docker_publish.yml +++ b/.github/workflows/docker_publish.yml @@ -32,6 +32,7 @@ jobs: - cereal-cve-2020-11104-11105 - jq-defect-2020 - matio-cve-2019-13107 + - metadata-extractor-cve-2019-14262 - netflix-cve-2019-10028 - objdump-cve-2017-124xx - oniguruma-cve-2019-13224-13225