So my co-worker Eric Sheridan was talking about an attack scenario in one of our recent assessments where he left a note to the effect of, “we could download any file with this vulnerability if null byte injections work in Java – testing needed”. Interesting. Five minutes later I’ve got some test cases and, as sure as I am a good looking Persian man, the thing works. Am I an idiot? How did I not know this? Let’s see if Google knew. If Google doesn’t know, then I won’t kill myself. Woohoo! Try plugging “java null byte injections” into Google. Absolutely nothing useful comes up.
Earlier this year, Paul Craig at security-assessment.com published his research on null byte injections in .NET. A natural step would be to go check Java next – managed language survey! Maybe somebody did and found nothing – it would have been easy to miss. Craig’s research found that 5 methods in the entire .NET framework mishandle the null byte. I’ve done some limited research and only found 2. However, I’m sure there are more. So, let’s look at some vulnerable code:
```java
// The "target" parameter is attacker-controlled; the extension is appended to restrict the file type
String path_to_file = request.getParameter("target") + ".xls";
// The resulting string, including anything after an embedded NUL, is handed to the file API as-is
File f = new File(path_to_file);
```
In similar PHP/C/C++ code we’d be quick to use the infamous poison null byte (whose history can be found here and here) to view any arbitrary file on the system. It also works in Java, because `new File(path_to_file)` ultimately passes the user input to open(2) or its Windows equivalent, which is written in C and treats the NUL as the end of the string, so the `.xls` suffix is silently dropped. It’s unclear whether the Java VM (which is written in C/ASM) is where the content after the null byte gets truncated, or whether the dirty string makes it all the way to the system call itself.
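The fix on the Java side is to never let an attacker-controlled string reach the file API unvalidated. The following hardened version of the snippet above is an added example written for this post, not code from the original assessment or from WebGoat; the class name `SafeFileResolver`, the base directory and the sample inputs are assumptions. It rejects embedded NUL bytes before any native code sees them, allow-lists the file name characters, appends the extension itself, and then canonicalizes the result and confirms it is still inside the intended directory (which also closes the `../` traversal that the original code allows even without a null byte).

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: resolve a user-supplied report name to a file inside a fixed base directory.
public class SafeFileResolver {
    private final Path baseDir;

    public SafeFileResolver(String base) throws IOException {
        // Canonical (symlink-resolved) base directory; assumed to exist.
        this.baseDir = Paths.get(base).toRealPath();
    }

    // Returns the validated path, or throws IllegalArgumentException if the input is unsafe.
    public Path resolve(String userInput) {
        if (userInput == null || userInput.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // 1. Reject an embedded NUL before the string reaches any C-level API.
        //    Note: Paths.get() would throw InvalidPathException here on modern JDKs,
        //    but an explicit check gives a clear, loggable rejection reason.
        if (userInput.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in file name");
        }
        // 2. Allow-list the characters: report names are short simple tokens, no slashes or dots.
        if (!userInput.matches("[A-Za-z0-9_-]{1,64}")) {
            throw new IllegalArgumentException("disallowed characters in file name");
        }
        // 3. Append the extension ourselves and resolve relative to the base directory.
        Path candidate = baseDir.resolve(userInput + ".xls").normalize();
        // 4. Belt and braces: the normalized result must still live under baseDir.
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        SafeFileResolver r = new SafeFileResolver(System.getProperty("java.io.tmpdir"));
        // Constructed sample inputs: one legitimate name, a traversal attempt,
        // and two null-byte-injection attempts of the kind discussed above.
        String[] inputs = { "q1report", "../../etc/passwd", "../../etc/passwd\0", "q1report\0.txt" };
        for (String in : inputs) {
            String shown = in.replace("\0", "\\0");
            try {
                System.out.println("ACCEPT  " + shown + " -> " + r.resolve(in));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT  " + shown + " : " + e.getMessage());
            }
        }
    }
}
```

Running `main` accepts only `q1report` and rejects the other three inputs, each with a distinct reason. The ordering matters: the NUL check runs first so that a rejection is logged as a null-byte attempt rather than as a generic character violation, and the `startsWith(baseDir)` check is kept even though the allow-list already makes traversal impossible, so that a later loosening of the regex does not silently reopen the hole.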
As Eric pointed out, these unmanaged code issues keep haunting us, but overall of course the situation is a lot better. Anyway, check out my test cases and if you can think of additions or find a new vulnerable API, keep everyone in the loop with a comment! Also, keep an eye on the next WebGoat version as Eric has cooked up a null byte lesson.
Bonus game: Who will win the know-it-all/complete liar award by posting that they knew this 5 years ago?