Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-39243: Merge pull request #143 from benhumphreys/harden-null-injection · brettwooldridge/NuProcess@29bc09d

NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM’s Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java’s ProcessBuilder isn’t vulnerable because of a check in ProcessBuilder.start. NuProcess is missing that check. This vulnerability can only be exploited to inject command line arguments on Linux. Version 2.0.5 contains a patch. As a workaround, users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution.

CVE
#vulnerability#linux#java#ssh

@@ -316,6 +316,32 @@ public void softCloseStdinAfterWrite()

System.err.println("Completed test softCloseStdinAfterWrite()");

}

@Test(expected = IllegalArgumentException.class)

public void nullCommandViaCommandMutationWithRun() {

NuProcessBuilder pb = new NuProcessBuilder(new NullProcessHandler(), command);

pb.command().add(“–foo\0–bar”);

pb.run();

}

@Test(expected = IllegalArgumentException.class)

public void nullCommandViaCommandMutationWithStart() {

NuProcessBuilder pb = new NuProcessBuilder(new NullProcessHandler(), command);

pb.command().add(“–foo\0–bar”);

pb.start();

}

@Test(expected = IllegalArgumentException.class)

public void nullCommandViaConstructorWithRun() {

NuProcessBuilder pb = new NuProcessBuilder(new NullProcessHandler(), command, “–foo\0–bar”);

pb.run();

}

@Test(expected = IllegalArgumentException.class)

public void nullCommandViaConstructorWithStart() {

NuProcessBuilder pb = new NuProcessBuilder(new NullProcessHandler(), command, “–foo\0–bar”);

pb.start();

}

private static byte[] getLotsOfBytes()

{

StringBuilder sb = new StringBuilder();

@@ -395,6 +421,9 @@ boolean checkAdlers()

}

}

private static class NullProcessHandler extends NuAbstractProcessHandler {

}

private static class Utf8DecodingListener extends NuAbstractCharsetHandler

{

private final CharBuffer utf8Buffer;

Related news

GHSA-cxgf-v2p8-7ph7: NuProcess vulnerable to command-line injection through insertion of NUL character(s)

### Impact In all the versions of NuProcess where it forks processes by using the JVM's Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java's ProcessBuilder isn't vulnerable because of a check in ProcessBuilder.start. NuProcess is missing that check. This vulnerability can only be exploited to inject command line arguments on Linux. - On macOS, any argument with a NUL character is truncated at that character. This means the malicious arguments are never seen by the started process. - On Windows, the entire command line is truncated at the first NUL character. This means the malicious arguments, and any intentional arguments provided after them, are never seen by the started process. ### Patches 2.0.5 ### Workarounds Users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution. ### References None.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907