
java.lang.IllegalArgumentException in net.lingala.zip4j.model.enums.AesVersion.getFromVersionNumber::AesVersion.java:42 zip4j 2.9.0 #370

@ZanderHuang

Description

This vulnerability is a java.lang.IllegalArgumentException, and can be triggered in the latest version of zip4j (2.9.0).
It is caused by passing an illegal or inappropriate argument into a method, and can be used by attackers to launch a DoS (Denial of Service) attack against any Java program that uses this library (since the user of zip4j doesn't know they need to catch this kind of exception) (CWE-248: Uncaught Exception).
Likely, the root cause of this crash is in net.lingala.zip4j.model.enums.AesVersion.getFromVersionNumber::AesVersion.java:42.

This exception function is indirectly called by other functions, and this exception is not documented under those functions. Users are not aware of it when the documentation is only done in the exception function alone.

throw new IllegalArgumentException("Unsupported Aes version");

See more detail from the following crash stack.

Crash stack:

The crash thread's stack is as follows:

net.lingala.zip4j.model.enums.AesVersion.getFromVersionNumber::AesVersion.java:42
net.lingala.zip4j.headers.HeaderReader.readAesExtraDataRecord::HeaderReader.java:673
net.lingala.zip4j.headers.HeaderReader.readAesExtraDataRecord::HeaderReader.java:642
net.lingala.zip4j.headers.HeaderReader.readLocalFileHeader::HeaderReader.java:576
net.lingala.zip4j.io.inputstream.ZipInputStream.getNextEntry::ZipInputStream.java:91
net.lingala.zip4j.io.inputstream.ZipInputStream.getNextEntry::ZipInputStream.java:83
com.test.Entry.main::Entry.java:37

Steps to reproduce:

  1. Build the following Java code with the corresponding zip4j library (version 2.9.0).

     ## Download zip4j_env_reproduce.tar.gz from https://drive.google.com/file/d/1MekCBIghKxIW4j-TLjZkm8ovvLb_grm5/view?usp=sharing
     tar -xf zip4j_env_reproduce.tar.gz
     cd zip4j_env_reproduce
     bash build.sh

  2. Run the built program to see the crash by feeding it one of the poc files contained in pocs.tar.gz, e.g.
     (the poc files can be downloaded from https://drive.google.com/file/d/1zmf8t4ymGTDkR4TMlnmagAMEYr7aI_a4/view?usp=sharing):

     java -jar target/Entry-1.0-SNAPSHOT-jar-with-dependencies.jar pocs/crash-5a7ba1bb7c04660bc7e2e748ea3f0d2358e71ff1

Any further discussion of this vulnerability, including a fix, is welcome!
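As an added illustration (not code from the report above or from zip4j itself), this is the defensive pattern a consumer of zip4j 2.9.0 needs while the exception is undeclared: iterate an untrusted archive with ZipInputStream and turn the unchecked IllegalArgumentException from the crash stack into a rejected input rather than a process crash. SafeZipLister and Result are hypothetical names chosen for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

import net.lingala.zip4j.exception.ZipException;
import net.lingala.zip4j.io.inputstream.ZipInputStream;
import net.lingala.zip4j.model.LocalFileHeader;

/** Lists entries of an untrusted archive without letting any zip4j parse failure unwind the caller. */
public final class SafeZipLister {

    /** Hypothetical result holder: entry names when accepted, otherwise the rejection reason. */
    public static final class Result {
        public final List<String> entryNames = new ArrayList<>();
        public String rejectionReason;                  // null while the archive is accepted
        public boolean accepted() { return rejectionReason == null; }
    }

    public static Result listEntries(Path archive) {
        Result result = new Result();
        try (InputStream in = Files.newInputStream(archive);
             ZipInputStream zis = new ZipInputStream(in)) {
            LocalFileHeader header;
            while ((header = zis.getNextEntry()) != null) {
                result.entryNames.add(header.getFileName());
            }
        } catch (ZipException e) {            // declared: structurally invalid archive
            result.rejectionReason = "zip4j rejected archive: " + e.getMessage();
        } catch (IOException e) {             // declared: read failure
            result.rejectionReason = "I/O error: " + e.getMessage();
        } catch (IllegalArgumentException e) {
            // NOT declared on getNextEntry(): zip4j 2.9.0 throws it from
            // AesVersion.getFromVersionNumber when an AES extra data record carries an
            // unknown version number. Catching it turns a crash into a rejected input.
            result.rejectionReason = "malformed AES extra data record: " + e.getMessage();
        }
        return result;
    }

    public static void main(String[] args) {
        Result r = listEntries(Paths.get(args[0]));
        System.out.println(r.accepted() ? "entries: " + r.entryNames : "rejected: " + r.rejectionReason);
    }
}
```

Until the library declares or documents the exception, the catch clause is the only place a caller can stop a single crafted archive from taking down the whole process.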
