Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

java.lang.NullPointerException in net.lingala.zip4j.io.inputstream.ZipInputStream.getEncryptionHeaderSize::ZipInputStream.java:336 zip4j 2.9.0 #374

Closed
ZanderHuang opened this issue Oct 24, 2021 · 1 comment
Assignees
Labels
bug Something isn't working resolved

Comments

@ZanderHuang
Copy link

This vulnerability is of java.lang.NullPointerException, and can be triggered in latest version zip4j (2.9.0).
It is caused by not checking the pointer before dereference it and also failing to catch the runtime java exception (it should be wrapped as one kind of JSONException) and can be used for attackers to launch DoS (Denial of Service) attack for any java program that uses this library (since the user of zip4j doesn't know they need to catch this kind of exception) (CWE-476: NULL Pointer Dereference, CWE-248: Uncaught exception).
Likely, the root cause of this crash is in net.lingala.zip4j.io.inputstream.ZipInputStream.getEncryptionHeaderSize::ZipInputStream.java:336.

+ localFileHeader.getAesExtraDataRecord().getAesKeyStrength().getSaltLength();
The variable "localFileHeader" has a NULL value and it results in NullPointerException.

See more detail from the following crash stack.

Crash stack:

The crash thread's stack is as follows:

net.lingala.zip4j.io.inputstream.ZipInputStream.getEncryptionHeaderSize::ZipInputStream.java:336
net.lingala.zip4j.io.inputstream.ZipInputStream.getCompressedSize::ZipInputStream.java:326
net.lingala.zip4j.io.inputstream.ZipInputStream.initializeEntryInputStream::ZipInputStream.java:222
net.lingala.zip4j.io.inputstream.ZipInputStream.getNextEntry::ZipInputStream.java:113
net.lingala.zip4j.io.inputstream.ZipInputStream.getNextEntry::ZipInputStream.java:83
com.test.Entry.main::Entry.java:37

Steps to reproduce:

  1. Build the following java code with the corresponding zip4j library (version 2.9.0).
## Download zip4j_env_reproduce.tar.gz from https://drive.google.com/file/d/1MekCBIghKxIW4j-TLjZkm8ovvLb_grm5/view?usp=sharing
tar -xf zip4j_env_reproduce.tar.gz
cd zip4j_env_reproduce
bash build.sh
  1. Run the built program to see the crash by feeding one of the poc file contained in the pocs.tar.gz, e.g. :
    (poc file can be downloaded from https://drive.google.com/file/d/1wdvxU5bX_Fw9DtupwpDsTJU2JMKAnUuy/view?usp=sharing)
java -jar target/Entry-1.0-SNAPSHOT-jar-with-dependencies.jar pocs/crash-a49f954b47e05cc5265db441a64e5d2d55cb33b8

Any further discussion for this vulnerability including fix is welcomed!

@srikanth-lingala
Copy link
Owner

Fixed in v2.10.0 released today

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working resolved
Projects
None yet
Development

No branches or pull requests

2 participants