ForAllSecure · sciencemanx · Jun 1, 2020 · Jun 2, 2020 · Jun 2, 2020 · Jun 3, 2020
diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml
@@ -1,4 +1,4 @@
-name: Published on Dockerhub
+name: Publish on Dockerhub
 
 on:
   push:
@@ -7,10 +7,8 @@ on:
     branches: [ master ]
 
 jobs:
-
   openssl-cve-2014-0160:
     runs-on: ubuntu-latest
-
     steps:
     - uses: actions/checkout@v2
     - name: Build the Docker image
@@ -35,3 +33,16 @@ jobs:
 
     - name: Push the docker image
       run: ./.github/push.sh forallsecure/cereal-cve-2020-11104-11105 "${{ github.ref }}"
+
+  h2o-cve-2018-0608:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Build the Docker image
+      run: ./mayhemit.sh --build h2o-cve-2018-0608
+
+    - name: Log into the registry
+      run: echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
+
+    - name: Push the docker image
+      run: ./.github/push.sh forallsecure/h2o-cve-2018-0608 "${{ github.ref }}"
diff --git a/h2o-cve-2018-0608/Dockerfile b/h2o-cve-2018-0608/Dockerfile
@@ -0,0 +1,23 @@
+FROM ubuntu:20.10 AS base
+
+RUN apt-get update && \
+    apt-get install -y libssl-dev zlib1g-dev
+
+FROM base AS builder
+
+RUN export DEBIAN_FRONTEND="noninteractive" && \
+    apt-get update && \
+    apt-get install -y cmake build-essential git
+
+WORKDIR /h2o
+RUN git clone https://github.com/h2o/h2o . && \
+    git checkout 69506c9e2defa4922f62f389c76d89e9274b3cc1 && \
+    git checkout HEAD^
+
+RUN mkdir build && cd build && cmake .. && make
+
+FROM base
+
+WORKDIR /fuzz
+COPY --from=builder /h2o/build/h2o .
+COPY h2o.conf .
diff --git a/h2o-cve-2018-0608/README.md b/h2o-cve-2018-0608/README.md
@@ -0,0 +1,47 @@
+# h2o memory corruption CVE example
+
+This repo replicates finding [CVE-2018-0608](https://nvd.nist.gov/vuln/detail/CVE-2018-0608), a memory corruption bug that may allow a remote attacker to run arbitrary code ([CVSS Score](https://nvd.nist.gov/vuln-metrics/cvss): 9.8).
+
+We reported this bug responsibly to the maintainers, with the follow-on issue tracking [here](https://github.com/h2o/h2o/issues/1775).
+
+> Note: since this finds the bug in an unmodified h2o binary
+> (a *network target*), it can only be found by fuzzers that support network
+> fuzzing (such as Mayhem).
+
+## To build
+
+Assuming you just want to build the docker image, run from the project
+directory (`h2o-cve-2018-0608`):
+
+```bash
+docker build -t forallsecure/h2o-cve-2018-0608 .
+```
+
+## Get from Dockerhub
+
+If you don't want to build locally, you can pull a pre-built image
+directly from dockerhub:
+
+```bash
+docker pull forallsecure/h2o-cve-2018-0608
+```
+
+
+## Run under Mayhem
+
+From the project directory (`h2o-cve-2018-0608`) run:
+
+```bash
+mayhem run mayhem/h2o
+```
+
+## POC
+
+We have included a proof of concept output under the `poc`
+directory.
+
+> Note: Fuzzing has some degree of non-determinism, so when you run
+yourself you may not get exactly this file.  This is expected; your
+output should still trigger the memory corruption bug.
+
+This bug was originally found and [responsibly disclosed](https://github.com/h2o/h2o/issues/1775) by ForAllSecure employee [Marlies Ruck](https://blog.forallsecure.com/author/marlies-ruck). As such, this bug has since been [fixed](https://github.com/h2o/h2o/commit/69506c9e2defa4922f62f389c76d89e9274b3cc1) by project maintainers.
diff --git a/h2o-cve-2018-0608/h2o.conf b/h2o-cve-2018-0608/h2o.conf
@@ -0,0 +1,30 @@
+# to find out the configuration commands, run: h2o --help
+
+listen: 8080
+num-threads: 4
+#listen:
+#  port: 8081
+#  ssl:
+#    certificate-file: examples/h2o/server.crt
+#    key-file: examples/h2o/server.key
+#    minimum-version: TLSv1.2
+#    cipher-preference: server
+#    cipher-suite: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+#    # Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
+#    # see: https://wiki.mozilla.org/Security/Server_Side_TLS
+hosts:
+  "127.0.0.1.xip.io:8080":
+    paths:
+      /:
+        file.dir: examples/doc_root
+    access-log: /dev/stdout
+#  "alternate.127.0.0.1.xip.io:8081":
+#    listen:
+#      port: 8081
+#      ssl:
+#        certificate-file: examples/h2o/alternate.crt
+#        key-file: examples/h2o/alternate.key
+#    paths:
+#      /:
+#        file.dir: examples/doc_root.alternate
+#    access-log: /dev/stdout
diff --git a/h2o-cve-2018-0608/mayhem/h2o/Mayhemfile b/h2o-cve-2018-0608/mayhem/h2o/Mayhemfile
@@ -0,0 +1,11 @@
+version: '1.4'
+project: h2o-cve-2018-0608
+target: h2o
+baseimage: forallsecure/h2o-cve-2018-0608
+cmds:
+- cmd: /fuzz/h2o -c /fuzz/h2o.conf
+  network:
+    is_client: false
+    timeout: 2.0
+    url: tcp://localhost:8080
+  timeout: 15
diff --git a/...8-0608/mayhem/h2o/corpus/39086fd5db5386ffd2407b39cec230c9aa477faa3fd6090bdf3ace71a399ff5b b/...8-0608/mayhem/h2o/corpus/39086fd5db5386ffd2407b39cec230c9aa477faa3fd6090bdf3ace71a399ff5b
@@ -0,0 +1,5 @@
+GET / HTTP/1.1
+User-Agent: curl/7.35.0
+Host: localhost:8080
+Accept: */*
+
diff --git a/h2o-cve-2018-0608/mayhem/h2o/poc/crashing-input b/h2o-cve-2018-0608/mayhem/h2o/poc/crashing-input