Headline
CVE-2022-39243: Merge pull request #143 from benhumphreys/harden-null-injection · brettwooldridge/NuProcess@29bc09d
NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM’s Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java’s ProcessBuilder isn’t vulnerable because of a check in ProcessBuilder.start. NuProcess is missing that check. This vulnerability can only be exploited to inject command line arguments on Linux. Version 2.0.5 contains a patch. As a workaround, users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution.
@@ -316,6 +316,32 @@ public void softCloseStdinAfterWrite()
System.err.println("Completed test softCloseStdinAfterWrite()");
}
@Test(expected = IllegalArgumentException.class)
public void nullCommandViaCommandMutationWithRun() {
NuProcessBuilder pb = new NuProcessBuilder(new NullProcessHandler(), command);
pb.command().add(“–foo\0–bar”);
pb.run();
}
@Test(expected = IllegalArgumentException.class)
public void nullCommandViaCommandMutationWithStart() {
NuProcessBuilder pb = new NuProcessBuilder(new NullProcessHandler(), command);
pb.command().add(“–foo\0–bar”);
pb.start();
}
@Test(expected = IllegalArgumentException.class)
public void nullCommandViaConstructorWithRun() {
NuProcessBuilder pb = new NuProcessBuilder(new NullProcessHandler(), command, “–foo\0–bar”);
pb.run();
}
@Test(expected = IllegalArgumentException.class)
public void nullCommandViaConstructorWithStart() {
NuProcessBuilder pb = new NuProcessBuilder(new NullProcessHandler(), command, “–foo\0–bar”);
pb.start();
}
private static byte[] getLotsOfBytes()
{
StringBuilder sb = new StringBuilder();
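Review bot: In nullCommandViaConstructorWithRun() and nullCommandViaConstructorWithStart(), the method-level `@Test(expected = IllegalArgumentException.class)` passes whether the exception is thrown by the NuProcessBuilder constructor or by run()/start(), so these two tests do not show which call performs the NUL check. Construct the builder outside the expected-throw region (for example, wrap only pb.run() or pb.start() in a try/catch followed by fail()) so the assertion is pinned to the launch call, which is the path the two mutation tests depend on. All four cases also place the NUL in the middle of an appended argument; a case with the NUL in the first command element would cover the executable name as well. As a style point, the new methods put the opening brace on the signature line, while getLotsOfBytes() directly below puts it on its own line.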
@@ -395,6 +421,9 @@ boolean checkAdlers()
}
}
private static class NullProcessHandler extends NuAbstractProcessHandler {
}
private static class Utf8DecodingListener extends NuAbstractCharsetHandler
{
private final CharBuffer utf8Buffer;
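Review bot: NullProcessHandler is declared with an empty body and no comment; add a one-line comment stating that it is a deliberate no-op handler for tests that expect the launch to be rejected, and consider declaring it final. Its opening brace sits on the declaration line, while Utf8DecodingListener directly below puts the brace on its own line; match the file's existing style.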
Related news
### Impact
In all the versions of NuProcess where it forks processes by using the JVM's Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java's ProcessBuilder isn't vulnerable because of a check in ProcessBuilder.start. NuProcess is missing that check. This vulnerability can only be exploited to inject command line arguments on Linux.

- On macOS, any argument with a NUL character is truncated at that character. This means the malicious arguments are never seen by the started process.
- On Windows, the entire command line is truncated at the first NUL character. This means the malicious arguments, and any intentional arguments provided after them, are never seen by the started process.

### Patches
2.0.5

### Workarounds
Users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution.

### References
None.
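The workaround for callers that cannot yet move to 2.0.5, as an added example that is not NuProcess code: a hypothetical `NulCommandGuard` helper that either rejects or strips NUL characters in a command list before it is handed to `NuProcessBuilder`. The class and method names are assumptions; the rejecting variant mirrors the `IllegalArgumentException` the patch's tests expect, and it returns a snapshot because the tests show the command list can be mutated after construction.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added example (hypothetical helper, not part of NuProcess).
public final class NulCommandGuard {
    private NulCommandGuard() {}

    // Fail closed: reject the whole command if any element is null or contains
    // U+0000. Returns an immutable snapshot so the list that was checked is the
    // list that gets executed, even if the caller's list is mutated afterwards.
    public static List<String> requireNoNul(List<String> command) {
        List<String> snapshot = new ArrayList<>(command);
        for (int i = 0; i < snapshot.size(); i++) {
            String element = snapshot.get(i);
            if (element == null) {
                throw new IllegalArgumentException("command element " + i + " is null");
            }
            int offset = element.indexOf('\0');
            if (offset >= 0) {
                throw new IllegalArgumentException(
                    "command element " + i + " contains NUL at offset " + offset);
            }
        }
        return Collections.unmodifiableList(snapshot);
    }

    // The advisory's workaround as worded: remove NUL characters. The element
    // stays a single argument, but its value changes, so log when this happens.
    public static List<String> stripNul(List<String> command) {
        List<String> cleaned = new ArrayList<>(command.size());
        for (String element : command) {
            cleaned.add(element.replace("\0", ""));
        }
        return Collections.unmodifiableList(cleaned);
    }

    public static void main(String[] args) {
        // Constructed sample input, modelled on the argument in the patch's tests.
        List<String> untrusted = Arrays.asList("/bin/echo", "--foo\0--bar");
        System.out.println("stripped: " + stripNul(untrusted));
        try {
            requireNoNul(untrusted);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // A clean list passes unchanged and can be handed to NuProcessBuilder.
        System.out.println("accepted: " + requireNoNul(Arrays.asList("/bin/echo", "--foo", "--bar")));
    }
}
```

Run the check on the final list immediately before `start()` or `run()`, not only where the list is first built, since elements added later through `command()` would otherwise go unchecked.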