author | Fabian Meumertzheim <fabian@meumertzhe.im> | 2021-12-13 15:32:25 +0100 |
---|---|---|
committer | Fabian Meumertzheim <fabian@meumertzhe.im> | 2021-12-13 17:40:39 +0100 |
commit | 3fed476bed7c61370e12062b5b97a939e3c5e591 (patch) | |
tree | fd0533485a865758f887926a786163549af00458 | |
parent | 2330115dddd37b921447d952a81f94290da75dc1 (diff) | |
Use a REPLACE hook for javax.naming.Context#lookup
This resolves the theoretical issue of accidentally executing remote
code during fuzzing.
-rw-r--r-- | sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/NamingContextLookup.kt | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/NamingContextLookup.kt b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/NamingContextLookup.kt
index 7728e2d8..2d4fb9cf 100644
--- a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/NamingContextLookup.kt
+++ b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/NamingContextLookup.kt
@@ -20,6 +20,7 @@ import com.code_intelligence.jazzer.api.Jazzer
 import com.code_intelligence.jazzer.api.MethodHook
 import com.code_intelligence.jazzer.api.MethodHooks
 import java.lang.invoke.MethodHandle
+import javax.naming.CommunicationException
 object NamingContextLookup {
@@ -32,56 +33,56 @@ object NamingContextLookup {
 @MethodHooks(
 MethodHook(
- type = HookType.BEFORE,
+ type = HookType.REPLACE,
 targetClassName = "javax.naming.Context",
 targetMethod = "lookup",
 targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/Object;",
 ),
 MethodHook(
- type = HookType.BEFORE,
+ type = HookType.REPLACE,
 targetClassName = "javax.naming.InitialContext",
 targetMethod = "lookup",
 targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/Object;",
 ),
 MethodHook(
- type = HookType.BEFORE,
+ type = HookType.REPLACE,
 targetClassName = "javax.naming.InitialDirContext",
 targetMethod = "lookup",
 targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/Object;",
 ),
 MethodHook(
- type = HookType.BEFORE,
+ type = HookType.REPLACE,
 targetClassName = "javax.naming.InitialLdapContext",
 targetMethod = "lookup",
 targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/Object;",
 ),
 MethodHook(
- type = HookType.BEFORE,
+ type = HookType.REPLACE,
 targetClassName = "javax.naming.Context",
 targetMethod = "lookupLink",
 targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/Object;",
 ),
 MethodHook(
- type = HookType.BEFORE,
+ type = HookType.REPLACE,
 targetClassName = "javax.naming.InitialContext",
 targetMethod = "lookupLink",
 targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/Object;",
 ),
 MethodHook(
- type = HookType.BEFORE,
+ type = HookType.REPLACE,
 targetClassName = "javax.naming.InitialDirContext",
 targetMethod = "lookupLink",
 targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/Object;",
 ),
 MethodHook(
- type = HookType.BEFORE,
+ type = HookType.REPLACE,
 targetClassName = "javax.naming.InitialLdapContext",
 targetMethod = "lookupLink",
 targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/Object;",
 ),
 )
 @JvmStatic
- fun lookupHook(method: MethodHandle?, thisObject: Any?, args: Array<Any?>, hookId: Int) {
+ fun lookupHook(method: MethodHandle?, thisObject: Any?, args: Array<Any?>, hookId: Int): Any {
 val name = args[0] as String
 if (name.startsWith(RMI_MARKER) || name.startsWith(LDAP_MARKER)) {
 Jazzer.reportFindingFromHook(
@@ -94,5 +95,8 @@ version, lead to remote code execution or the exfiltration of information."""
 }
 Jazzer.guideTowardsEquality(name, RMI_MARKER, hookId)
 Jazzer.guideTowardsEquality(name, LDAP_MARKER, 31 * hookId)
+ // Pretend that the remote endpoint could not be reached for additional protection against
+ // accidental execution of remote code during fuzzing.
+ throw CommunicationException()
 }
 }
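Review bot: The eight `MethodHook` entries, now REPLACE hooks, still match only the `(Ljava/lang/String;)Ljava/lang/Object;` descriptor, so the `lookup(javax.naming.Name)` and `lookupLink(javax.naming.Name)` overloads declared on `javax.naming.Context` are neither reported nor short-circuited and presumably still reach the real implementation. If that gap is accepted, a comment above `@MethodHooks(` such as `// Only the String overloads are hooked; lookup(Name) and lookupLink(Name) pass through unmodified.` should say so; otherwise add matching entries with `targetMethodDescriptor = "(Ljavax/naming/Name;)Ljava/lang/Object;"`, routed to a separate hook function because `args[0]` would then be a `Name` rather than a `String`. The new `: Any` return type is what the REPLACE contract requires, yet judging by the third hunk `lookupHook` never returns normally, so its KDoc should state that the original method is never invoked for any name. The body of `lookupHook` continues outside this hunk.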
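Review bot: `throw CommunicationException()` carries no explanation, so a fuzz target that logs or wraps the exception cannot tell that the sanitizer rather than the network produced it; `javax.naming.CommunicationException` has a `String` constructor, so `throw CommunicationException("JNDI lookup blocked by the Jazzer NamingContextLookup sanitizer")` would make triage immediate. The throw is unconditional, so it also applies to names that match neither marker, including purely local JNDI names, while the comment above it mentions only the remote endpoint; extending that comment with `// Applies to every name: with a REPLACE hook the original lookup is never invoked.` would avoid surprise. This reading assumes `Jazzer.reportFindingFromHook` does not return for marker names, which the hunk does not show.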