val source = serverCpg.method.name("wrapStream").methodReturn
val sink = serverCpg.method.fullName(".*ObjectInputStream.*readObject.*").parameter
val exploitiveFlow = sink.reachableBy(source).flows.p
[main] INFO mainTasksSize: 1, reachedEndNode: 1,
res16: List[String] = List(
""" ________________________________________________________________________________________________________________________________________
| tracked | lineNumber| method | file |
// there is a call edge from the call site to the
// methodInstance "org.apache.logging.log4j.core.net.server.LogEventBridge.logEvents:void(java.io.InputStream,org.apache.logging.log4j.core.LogEventListener)",
// which is the interface method, not the actual implementation of the code
val implementation = serverCpg.methodInstance.fullNameExact("org.apache.logging.log4j.core.net.server.ObjectInputStreamLogEventBridge.logEvents:void(java.io.ObjectInputStream,org.apache.logging.log4j.core.LogEventListener)").head
val methodInterface = "org.apache.logging.log4j.core.net.server.LogEventBridge.logEvents:void(java.io.InputStream,org.apache.logging.log4j.core.LogEventListener)"
serverCpg.methodInstance.fullNameExact(methodInterface).callIn.l.foreach { c =>
// create a CPG for the accompanying socket server project
val serverCpg = createCpgAndSp("/Users/chetanconikee/slgithub/CVE-2017-5645/Log4jSocketServer.jar")
res1: Workspace =
__________________________________________________________________________________________
| name | overlays | loaded|
|=========================================================================================|
| Log4jSocketServer.jar | semanticcpg(l),dataflow(l),tagging(l),securityprofile(l)| true |
// if you happen to be using another project that utilizes the socket server
val clientCpg = createCpgAndSp("[client-project]")
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
class DocumentBuilder {
static Document getDocument(String content) {
// copy and paste this function in the ocular console
def deserializationSemanticTemplate(untrustedParam: String, sink: String) {
// #1 : Confirmed that we are using a vulnerable jackson-databind version (2.8.7) from prior json feed
// #2 : Verify if ObjectMapper (serializer, deserializer) is initialized in local/global scope
cpg.member.isStatic.l.foreach { s => printf("%s:%s\n", s.typeFullName, s.name) }
// #3 : Verify if polymorphic type handling is enabled (local or global scope)
# import the SCA package within the scope of ocular session
ocular> import $file.scripts.sca
# get CVEs associated with the project's bill of materials (JSON format)
ocular> sca.getCve(cpg)
.....
.....
}, {
"groupId" : "com.fasterxml.jackson.core",
# Initiate an Ocular interaction session using the following command
./ocular.sh --import scripts/deps.sc
# We will be analyzing the project - jackspoilt
# Create CPG for the application (that was built in prior step)
ocular> createCpgAndSp("<projectFolder>/build/libs/jackspoilt-1.0-SNAPSHOT.jar")
ocular> loadCpg("jackspoilt-1.0-SNAPSHOT.jar")
# Check if the CPG is successfully created and loaded in active workspace
# spin up a shell prompt
git clone https://github.com/conikeec/jackspoilt.git
cd jackspoilt
# this project supports maven and gradle build systems, so let's use gradle to build this artifact
gradle build
# after the build is completed successfully, verify that the build artifact was created
ls build/libs
AC ED -> The magic number, discussed above
00 05 -> The protocol version
73 -> A new object (TC_OBJECT)
72 -> Refers to a class description (TC_CLASSDESC)
00 07 -> The length of the class name – 7 characters
4C 6F 67 46 69 6C 65 -> Class name – LogFile
D7 60 3D D7 33 3E BC D1 -> Serial version UID – an identifier of the class. It can be declared explicitly in the class; if it is not, it is generated automatically
02 -> Flag stating that the class is serializable (SC_SERIALIZABLE) – a class can also be externalizable
00 02 -> Number of fields in the class
4C -> Type code/signature of the first field – 'L', an object reference
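The walkthrough above is exactly what a look-ahead deserialization filter reads: the class name, serialVersionUID and field descriptors are all available in the stream header before any `readObject` runs. The following Python parser is an added example (not from the original page or any library it mentions) that walks that layout on the page's own bytes and applies an allowlist check on the recovered class name, the defensive counterpart of the `ObjectInputStream.readObject` sink queried earlier. The page's bytes stop at the first field's type code `4C`; the two field descriptors, the `TC_ENDBLOCKDATA` marker and the `TC_NULL` superclass that follow are constructed for this example, as is the `allowed_to_deserialize` helper. Only the subset of the format shown on the page is handled (no `TC_REFERENCE` back-references, no field values).

```python
"""Look-ahead parser for a Java serialization stream header (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

STREAM_MAGIC, STREAM_VERSION = 0xACED, 5
TC_NULL, TC_CLASSDESC, TC_OBJECT = 0x70, 0x72, 0x73
TC_STRING, TC_ENDBLOCKDATA = 0x74, 0x78
SC_SERIALIZABLE, SC_EXTERNALIZABLE = 0x02, 0x04


class StreamError(ValueError):
    """Malformed, truncated or unsupported input: always treated as a rejection."""


@dataclass
class ClassDesc:
    name: str
    serial_version_uid: int  # signed 64-bit, like Java's long
    flags: int
    fields: List[Tuple[str, str, Optional[str]]]  # (typecode, name, class signature or None)
    superclass: Optional["ClassDesc"]


class _Reader:
    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise StreamError("truncated stream at offset %d" % self.pos)
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack(">H", self.take(2))[0]

    def utf(self) -> str:
        # Java writes "modified UTF-8"; identical to UTF-8 for ASCII names.
        return self.take(self.u16()).decode("utf-8")


def _read_class_desc(r: _Reader) -> Optional[ClassDesc]:
    tag = r.u8()
    if tag == TC_NULL:  # no (further) superclass
        return None
    if tag != TC_CLASSDESC:
        raise StreamError("unsupported class descriptor tag 0x%02x" % tag)
    name = r.utf()  # 2-byte length, then the class name (00 07 "LogFile" on the page)
    suid = struct.unpack(">q", r.take(8))[0]  # serialVersionUID
    flags = r.u8()  # SC_SERIALIZABLE / SC_EXTERNALIZABLE ...
    fields = []
    for _ in range(r.u16()):  # field count (00 02 on the page)
        typecode, field_name, sig = chr(r.u8()), r.utf(), None
        if typecode in ("L", "["):  # object/array fields carry a class signature string
            if r.u8() != TC_STRING:
                raise StreamError("expected TC_STRING for field signature")
            sig = r.utf()
        fields.append((typecode, field_name, sig))
    if r.u8() != TC_ENDBLOCKDATA:
        raise StreamError("expected TC_ENDBLOCKDATA after class annotations")
    return ClassDesc(name, suid, flags, fields, _read_class_desc(r))


def peek_class_desc(data: bytes) -> ClassDesc:
    """Parse only the stream header and the first object's class descriptor chain."""
    r = _Reader(data)
    if r.u16() != STREAM_MAGIC or r.u16() != STREAM_VERSION:
        raise StreamError("not a Java serialization stream")
    if r.u8() != TC_OBJECT:
        raise StreamError("first content element is not TC_OBJECT")
    desc = _read_class_desc(r)
    if desc is None:
        raise StreamError("object without class descriptor")
    return desc


def allowed_to_deserialize(data: bytes, allowlist) -> Tuple[bool, str]:
    """Hypothetical allowlist gate: every class in the descriptor chain must be allowed."""
    try:
        desc = peek_class_desc(data)
    except StreamError as e:
        return False, "rejected: %s" % e
    d = desc
    while d is not None:
        if d.name not in allowlist:
            return False, "rejected: class %s not in allowlist" % d.name
        d = d.superclass
    return True, "accepted: %s" % desc.name


def _utf(s: str) -> bytes:
    return struct.pack(">H", len(s)) + s.encode("utf-8")


# Bytes from the walkthrough above, up to and including the first field's type code 4C ('L').
PAGE_BYTES = (bytes.fromhex("ACED 0005 73 72 0007") + b"LogFile"
              + bytes.fromhex("D7603DD7333EBCD1 02 0002") + b"L")
# Constructed continuation (not on the page): two object fields, end marker, no superclass.
SAMPLE = (PAGE_BYTES + _utf("name") + bytes([TC_STRING]) + _utf("Ljava/lang/String;")
          + b"L" + _utf("path") + bytes([TC_STRING]) + _utf("Ljava/io/File;")
          + bytes([TC_ENDBLOCKDATA, TC_NULL]))

if __name__ == "__main__":
    d = peek_class_desc(SAMPLE)
    print(d.name, hex(d.serial_version_uid & 0xFFFFFFFFFFFFFFFF), d.fields)
    print(allowed_to_deserialize(SAMPLE, {"LogFile"}))
    print(allowed_to_deserialize(SAMPLE, {"java.util.HashMap"}))
```

The gate rejects on any parse error as well as on an unknown class name, so a truncated or non-serialization payload never reaches the real `ObjectInputStream`; in production the same decision belongs in an `ObjectInputFilter` (JEP 290) rather than a hand-rolled parser, but the bytes it inspects are the ones walked through above.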