Chetan Conikee conikeec
val source = serverCpg.method.name("wrapStream").methodReturn
val sink = serverCpg.method.fullName(".*ObjectInputStream.*readObject.*").parameter
val exploitiveFlow = sink.reachableBy(source).flows.p
[main] INFO mainTasksSize: 1, reachedEndNode: 1,
res16: List[String] = List(
""" ________________________________________________________________________________________________________________________________________
| tracked | lineNumber| method | file |
// there is a call edge from the call site to the
// methodinstance "org.apache.logging.log4j.core.net.server.LogEventBridge.logEvents:void(java.io.InputStream,org.apache.logging.log4j.core.LogEventListener)",
// which is the interface method not the actual implementation of the code
val implementation = serverCpg.methodInstance.fullNameExact("org.apache.logging.log4j.core.net.server.ObjectInputStreamLogEventBridge.logEvents:void(java.io.ObjectInputStream,org.apache.logging.log4j.core.LogEventListener)").head
val methodInterface = "org.apache.logging.log4j.core.net.server.LogEventBridge.logEvents:void(java.io.InputStream,org.apache.logging.log4j.core.LogEventListener)"
serverCpg.methodInstance.fullNameExact(methodInterface).callIn.l.foreach { c =>
// create a CPG for the accompanying socket server project
val serverCpg = createCpgAndSp("/Users/chetanconikee/slgithub/CVE-2017-5645/Log4jSocketServer.jar")
res1: Workspace =
__________________________________________________________________________________________
| name | overlays | loaded|
|=========================================================================================|
| Log4jSocketServer.jar | semanticcpg(l),dataflow(l),tagging(l),securityprofile(l)| true |
// if you happen to be using another project that utilizes the socket server
val clientCpg = createCpgAndSp("[client-project]")
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
class DocumentBuilder {
static Document getDocument(String content) {
// copy and paste this function in the ocular console
def deserializationSemanticTemplate(untrustedParam :String, sink:String) {
// #1 : Confirmed that we are using a vulnerable jackson-databind version (2.8.7) from prior json feed
// #2 : Verify if ObjectMapper (serializer, deserializer) is initialized in local/global scope
cpg.member.isStatic.l.foreach { s => printf("%s:%s\n", s.typeFullName, s.name) }
// #3 : Verify if polymorphic type handling is enabled (local or global scope)
# import the SCA package within the scope of ocular session
ocular> import $file.scripts.sca
# get CVEs associated with the project's bill of materials (JSON format)
ocular> sca.getCve(cpg)
.....
.....
}, {
"groupId" : "com.fasterxml.jackson.core",
# Initiate an Ocular interaction session using the following command
./ocular.sh --import scripts/deps.sc
# We will be analyzing the project - jackspoilt
# Create CPG for the application (that was built in prior step)
ocular> createCpgAndSp("<projectFolder>/build/libs/jackspoilt-1.0-SNAPSHOT.jar")
ocular> loadCpg("jackspoilt-1.0-SNAPSHOT.jar")
# Check if the CPG is successfully created and loaded in the active workspace
# spin up a shell prompt
git clone https://github.com/conikeec/jackspoilt.git
cd jackspoilt
# this project supports both Maven and Gradle build systems, so let's use Gradle to build this artifact
gradle build
# after the build completes successfully, verify that the build artifact was created
ls build/libs
AC ED -> The magic number, as discussed earlier
00 05 -> The protocol version
73 -> We have a new object (TC_OBJECT)
72 -> Refers to a class description (TC_CLASSDESC)
00 07 -> The length of the class name – 7 characters
4C 6F 67 46 69 6C 65 -> Class name – LogFile
D7 60 3D D7 33 3E BC D1 -> Serial version UID – an identifier of the class. This value can be declared in the class; if it is not, it is generated automatically
02 -> Flag indicating that the class is serializable (SC_SERIALIZABLE) – a class can also be externalizable
00 02 -> Number of variables in the class
4C -> Type code/signature – class