Chetan Conikee conikeec

## gist:821e99d985214abaefc75539e048d775

Imagine you have an online store that's built using the Java programming language. Your developers used a popular library called Jackson to handle customer data, like names and addresses. Jackson is usually safe, but it has a hidden danger - under certain settings, hackers can sneak in malicious code along with regular customer information. If you're not careful, that hacker code will run on your servers, letting criminals take over your whole website!

Here's the scary part - turning on this dangerous setting is as easy as adding one line of code to your Java application. It's called "enableDefaultTyping" and it tells Jackson to accept any kind of data, even if it might be dangerous. A lot of other Java applications use Jackson too, and many of them had this risky setting turned on without realizing it.
If hackers successfully exploit this flaw in your online store, they could do all sorts of nasty things - steal your customers' private information, vandalize your website, or even use your servers to attack

## Recipe for demo
# Preparatory Steps (Only needs to be done once!)
-------------------------------------------------

1. Install Java
-----------
(MAC) https://tejaksha-k.medium.com/a-step-by-step-guide-to-installing-java-on-macos-5188bfdf99d7
(WIN) https://www.java.com/download/ie_manual.jsp

2. Install Maven
-----------

## gist:236f3091a02b02a64c78e736fe612520
## Build the project
# spin up a shell prompt

git clone https://github.com/conikeec/jackspoilt.git
cd jackspoilt

# compile and package
mvn clean package

# verify if gadgets are avaliable to exploit (refer blog)

## chetan.json
{
	"public_identifier": "conikee",
	"profile_pic_url": "https://s3.us-west-000.backblazeb2.com/proxycurl/person/conikee/profile?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=0004d7f56a0400b0000000001%2F20240319%2Fus-west-000%2Fs3%2Faws4_request&X-Amz-Date=20240319T185441Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=cf3cf67132f6d8abba1f6bfba67f9bc24db6986b4e117f1993b1c588de3b1775",
	"background_cover_image_url": null,
	"first_name": "Chetan",
	"last_name": "Conikee",
	"full_name": "Chetan Conikee",
	"follower_count": 1618,
	"occupation": "Founder and CTO at Qwiet",
	"headline": "Founder and Chief Technology Officer at Qwiet.ai, Seed Investor",

## Roslyn.cs
public static Assembly Compile(string[] sources, bool isDebug, string tempDir, params AssemblyName[] referencedAssemblies)
{
    var assemblyFileName = tempDir + "gen" + Guid.NewGuid().ToString().Replace("-", "") + ".dll";
    var assemblyPath = Path.GetFullPath(assemblyFileName);

    var compilation = Compilation.Create(assemblyFileName,
                                            new CompilationOptions(OutputKind.DynamicallyLinkedLibrary))
                                    .AddSyntaxTrees(from source in sources
                                                    select SyntaxTree.ParseCompilationUnit(source))
                                    .AddReferences(from ass in referencedAssemblies

## CodeDom.cs
public static Assembly Compile(string[] sources, bool isDebug, string tempDir, params AssemblyName[] referencedAssemblies)
{
    var codeProvider = new CSharpCodeProvider(new Dictionary<string, string> {{"CompilerVersion", "v4.0"}});

    var assemblyReferences = new[]
        {
            "System.dll",
            "System.Core.dll",
            "mscorlib.dll"
        }

## CVE-2020–15957.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                conikeec
                / CVE-2020–15957.md
            
            
              Last active
              August 6, 2020 21:04
            
          
    CVE-2020–15957 Hunting using ShiftLeft Ocular (powering ShiftLeft NG-SAST)

Startup Ocular Shell

sl ocular
Ocular shell starts up and looks like this:

  
## taint_flow.scala
//enumerate all routes from attack surface script
val attackerControlledSource = cpg.method.filter(_.annotations.name("@RequestParameter").contains("userName")).parameter

// determine all security sensitive functions
val vulnerableSink = cpg.method.name("find*byUserName*").parameter

//conduct reachibility analysis from attacker controlled vectors to all security sensitive functions
if (vulnerableSink.reachableBy.attackerControlledSource.flows.exist) {
	println("Authentication Bypass Found!")
}

## AuthenticalModel.scala
import java.nio.charset.StandardCharsets._
import java.nio.file.{Files, Paths}
import io.shiftleft.passes.{CpgPass, DiffGraph}
import io.shiftleft.codepropertygraph.Cpg
import scala.collection.mutable.ListBuffer

case class Coordinates(name : String, fileName : String, linenumber : String)
implicit val coordinatesRW = upickle.default.macroRW[Coordinates]

case class Results(verifyingFunction : String,

## AttackSurface.scala
git clone https://github.com/wangsaisai/spring-boot-example.git

cd spring-boot-example

mvn clean compile package

createCpgAndSp("/Users/chetanconikee/Downloads/spring-boot-example-1.0-SNAPSHOT.jar")

case class Parameter(name : String, parameterType : String)
case class Method(name : String, routeMetaData : List[String], parameters : List[Parameter], returnType : String)

	Imagine you have an online store that's built using the Java programming language. Your developers used a popular library called Jackson to handle customer data, like names and addresses. Jackson is usually safe, but it has a hidden danger - under certain settings, hackers can sneak in malicious code along with regular customer information. If you're not careful, that hacker code will run on your servers, letting criminals take over your whole website!

	Here's the scary part - turning on this dangerous setting is as easy as adding one line of code to your Java application. It's called "enableDefaultTyping" and it tells Jackson to accept any kind of data, even if it might be dangerous. A lot of other Java applications use Jackson too, and many of them had this risky setting turned on without realizing it.
	If hackers successfully exploit this flaw in your online store, they could do all sorts of nasty things - steal your customers' private information, vandalize your website, or even use your servers to attack
	# Preparatory Steps (Only needs to be done once!)
	-------------------------------------------------

	1. Install Java
	-----------
	(MAC) https://tejaksha-k.medium.com/a-step-by-step-guide-to-installing-java-on-macos-5188bfdf99d7
	(WIN) https://www.java.com/download/ie_manual.jsp

	2. Install Maven
	-----------
	## Build the project
	# spin up a shell prompt

	git clone https://github.com/conikeec/jackspoilt.git
	cd jackspoilt

	# compile and package
	mvn clean package

	# verify if gadgets are avaliable to exploit (refer blog)
	{
	"public_identifier": "conikee",
	"profile_pic_url": "https://s3.us-west-000.backblazeb2.com/proxycurl/person/conikee/profile?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=0004d7f56a0400b0000000001%2F20240319%2Fus-west-000%2Fs3%2Faws4_request&X-Amz-Date=20240319T185441Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=cf3cf67132f6d8abba1f6bfba67f9bc24db6986b4e117f1993b1c588de3b1775",
	"background_cover_image_url": null,
	"first_name": "Chetan",
	"last_name": "Conikee",
	"full_name": "Chetan Conikee",
	"follower_count": 1618,
	"occupation": "Founder and CTO at Qwiet",
	"headline": "Founder and Chief Technology Officer at Qwiet.ai, Seed Investor",
	public static Assembly Compile(string[] sources, bool isDebug, string tempDir, params AssemblyName[] referencedAssemblies)
	{
	var assemblyFileName = tempDir + "gen" + Guid.NewGuid().ToString().Replace("-", "") + ".dll";
	var assemblyPath = Path.GetFullPath(assemblyFileName);

	var compilation = Compilation.Create(assemblyFileName,
	new CompilationOptions(OutputKind.DynamicallyLinkedLibrary))
	.AddSyntaxTrees(from source in sources
	select SyntaxTree.ParseCompilationUnit(source))
	.AddReferences(from ass in referencedAssemblies
	public static Assembly Compile(string[] sources, bool isDebug, string tempDir, params AssemblyName[] referencedAssemblies)
	{
	var codeProvider = new CSharpCodeProvider(new Dictionary<string, string> {{"CompilerVersion", "v4.0"}});

	var assemblyReferences = new[]
	{
	"System.dll",
	"System.Core.dll",
	"mscorlib.dll"
	}
	//enumerate all routes from attack surface script
	val attackerControlledSource = cpg.method.filter(_.annotations.name("@RequestParameter").contains("userName")).parameter

	// determine all security sensitive functions
	val vulnerableSink = cpg.method.name("findbyUserName").parameter

	//conduct reachibility analysis from attacker controlled vectors to all security sensitive functions
	if (vulnerableSink.reachableBy.attackerControlledSource.flows.exist) {
	println("Authentication Bypass Found!")
	}
	import java.nio.charset.StandardCharsets._
	import java.nio.file.{Files, Paths}
	import io.shiftleft.passes.{CpgPass, DiffGraph}
	import io.shiftleft.codepropertygraph.Cpg
	import scala.collection.mutable.ListBuffer

	case class Coordinates(name : String, fileName : String, linenumber : String)
	implicit val coordinatesRW = upickle.default.macroRW[Coordinates]

	case class Results(verifyingFunction : String,
	git clone https://github.com/wangsaisai/spring-boot-example.git

	cd spring-boot-example

	mvn clean compile package

	createCpgAndSp("/Users/chetanconikee/Downloads/spring-boot-example-1.0-SNAPSHOT.jar")

	case class Parameter(name : String, parameterType : String)
	case class Method(name : String, routeMetaData : List[String], parameters : List[Parameter], returnType : String)