ForAllSecure · mjkoo · Mar 9, 2021 · Mar 9, 2021 · Mar 9, 2021 · Mar 9, 2021
diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml
@@ -32,6 +32,7 @@ jobs:
           - cereal-cve-2020-11104-11105
           - jq-defect-2020
           - matio-cve-2019-13107
+          - metadataextractor-cve-2019-14262
           - netflix-cve-2019-10028
           - objdump-cve-2017-124xx
           - oniguruma-cve-2019-13224-13225

diff --git a/README.md b/README.md
@@ -27,6 +27,7 @@ We will be adding to this as find more bugs! Currently we have:
  * [Cereal CVE 2020-11104 & 2020-11105](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/cereal-cve-2020-11104-11105) - read more [here](https://blog.forallsecure.com/uncovering-memory-defects-in-cereal)
  * [Oniguruma Regex CVEs 2019-13224 & 2019-13225](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/oniguruma-cve-2019-13224-13225)
  * [STB Vorbis CVE-2019-132xx](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/stb-cve-2019-132xx) - read more [here](https://blog.forallsecure.com/analyzing-matio-and-stb_vorbis-libraries-with-mayhem)
+ * [metadataextractor CVE 2019-14262](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/metadataextractor-cve-2019-14262)
  * [MATIO CVE 2019-13107](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/matio-cve-2019-13107) - read more [here](https://blog.forallsecure.com/analyzing-matio-and-stb_vorbis-libraries-with-mayhem)
  * [Das U-Boot CVE 2019-13103 to 2019-13106](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/uboot-cve-2019-13103-13106) - read more [here](https://blog.forallsecure.com/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot)
  * [Netflix Dial CVE 2019-10028](https://github.com/ForAllSecure/VulnerabilitiesLab/tree/master/netflix-cve-2019-10028) - read more [here](https://blog.forallsecure.com/forallsecure-uncovers-vulnerability-in-netflix-dial-software)

diff --git a/metadataextractor-cve-2019-14262/.dockerignore b/metadataextractor-cve-2019-14262/.dockerignore
@@ -0,0 +1,2 @@
+mayhem/
+README.md
diff --git a/metadataextractor-cve-2019-14262/Dockerfile b/metadataextractor-cve-2019-14262/Dockerfile
@@ -0,0 +1,24 @@
+FROM gradle:6.7.1-jdk15 as builder
+
+RUN apt-get update && apt-get -y install \
+        patch && \
+    rm -rf /var/apt/lists/*
+
+WORKDIR /build
+COPY exception-handler.patch exception-handler.patch
+RUN git clone https://github.com/drewnoakes/metadata-extractor.git -b 2.12.0 && \
+    cd metadata-extractor && \
+    patch -p1 < ../exception-handler.patch && \
+    sed -e "s/'1.6'/'1.8'/g" -i build.gradle && \
+    gradle --no-daemon jar && \
+    mkdir ../artifacts && \
+    cp build/libs/metadata-extractor-2.1.1.jar ../artifacts && \
+    wget https://repo1.maven.org/maven2/com/adobe/xmp/xmpcore/6.1.11/xmpcore-6.1.11.jar && \
+    cp xmpcore-6.1.11.jar ../artifacts
+
+FROM openjdk:17-jdk-slim
+
+WORKDIR /app
+COPY --from=builder /build/artifacts/*.jar ./
+
+ENTRYPOINT ["java", "-cp", "/app/xmpcore-6.1.11.jar:/app/metadata-extractor-2.1.1.jar", "com.drew.imaging.ImageMetadataReader"]
diff --git a/metadataextractor-cve-2019-14262/README.md b/metadataextractor-cve-2019-14262/README.md
@@ -0,0 +1,55 @@
+# Metadata Extractor CVE-2019-14262 Example
+
+This target replicates finding [CVE-2019-14262](https://nvd.nist.gov/vuln/detail/CVE-2019-14262), a stack exhaustion bug caused by uncontrolled recursion in version 2.1.0 of the metadata-extractor library ([CVSS Score](https://nvd.nist.gov/vuln-metrics/cvss): 7.5).
+
+This vulnerability was reported to the maintainers and resolved [here](https://github.com/drewnoakes/metadata-extractor/issues/419).
+
+Note that the CVE is for the C# version of the same code, where one cannot typically recover from a stack overflow.
+This example reproduces the vulnerability in the Java version to demonstrate the Java fuzzing capabilities of Mayhem.
+
+The upstream project has a catch-all handler which was disabled to allow us to find and report Exceptions in Mayhem.
+
+## To build
+
+Assuming you just want to build the docker image, run:
+
+```bash
+docker build -t forallsecure/metadataextractor-cve-2019-14262 .
+```
+
+## Get from Dockerhub
+
+If you don't want to build locally, you can pull a pre-built image directly from Dockerhub:
+
+```bash
+docker pull forallsecure/metadataextractor-cve-2019-14262
+```
+
+## Run under Mayhem
+
+Change to the `metadataextractor-cve-2019-14262` folder and run:
+
+```bash
+mayhem run mayhem/metadataextractor
+```
+
+and watch Mayhem replicate the bug!
+This bug should be found within a minute of starting the run.
+
+## Run locally
+
+Change to the `metadataextractor-cve-2019-14262` folder and run:
+
+```bash
+docker run --rm -v `pwd`:/in forallsecure/metadataextractor-cve-2019-14262 /in/mayhem/metadataextractor/poc/crashing-input
+```
+
+## POC
+
+We have included a proof of concept output under the `poc` directory.
+
+> Note: Fuzzing has some degree of non-determinism, so when you run yourself you may not get exactly this file.
+> This is expected; your output should still trigger the bug.
+
+This bug was originally found by ForAllSecure employee [Alex Rebert](https://forallsecure.com/about-us).
+This bug has since been [fixed](https://github.com/drewnoakes/metadata-extractor/issues/419) by project maintainers.
diff --git a/metadataextractor-cve-2019-14262/exception-handler.patch b/metadataextractor-cve-2019-14262/exception-handler.patch
@@ -0,0 +1,16 @@
+diff --git a/Source/com/drew/imaging/ImageMetadataReader.java b/Source/com/drew/imaging/ImageMetadataReader.java
+index 628ec9e5..e2b97daa 100644
+--- a/Source/com/drew/imaging/ImageMetadataReader.java
++++ b/Source/com/drew/imaging/ImageMetadataReader.java
+@@ -252,9 +252,8 @@ public class ImageMetadataReader
+             Metadata metadata = null;
+             try {
+                 metadata = ImageMetadataReader.readMetadata(file);
+-            } catch (Exception e) {
+-                e.printStackTrace(System.err);
+-                System.exit(1);
++            } catch (ImageProcessingException ipe) {
++                return;
+             }
+             long took = System.nanoTime() - startTime;
+             if (!markdownFormat)
diff --git a/metadataextractor-cve-2019-14262/mayhem/metadataextractor/Mayhemfile b/metadataextractor-cve-2019-14262/mayhem/metadataextractor/Mayhemfile
@@ -0,0 +1,10 @@
+version: '1.10'
+project: metadataextractor-cve-2019-14262
+target: metadata-extractor
+baseimage: forallsecure/metadataextractor-cve-2019-14262
+duration: 600
+cmds:
+  - cmd: /app/metadata-extractor-2.1.1.jar @@
+    env:
+      MFUZZ_JAVA: "1"
+      CLASSPATH: /app/xmpcore-6.1.11.jar
diff --git a/metadataextractor-cve-2019-14262/mayhem/metadataextractor/corpus/test-1 b/metadataextractor-cve-2019-14262/mayhem/metadataextractor/corpus/test-1
diff --git a/metadataextractor-cve-2019-14262/mayhem/metadataextractor/poc/crashing-input b/metadataextractor-cve-2019-14262/mayhem/metadataextractor/poc/crashing-input