java.lang.NullPointerException in net.lingala.zip4j.io.inputstream.AesCipherInputStream.getSalt::AesCipherInputStream.java:161 zip4j 2.9.0

[ZanderHuang]

This vulnerability is of java.lang.NullPointerException, and can be triggered in latest version zip4j (2.9.0).
It is caused by not checking the pointer before dereference it and also failing to catch the runtime java exception (it should be wrapped as one kind of JSONException) and can be used for attackers to launch DoS (Denial of Service) attack for any java program that uses this library (since the user of zip4j doesn't know they need to catch this kind of exception) (CWE-476: NULL Pointer Dereference, CWE-248: Uncaught exception).
Likely, the root cause of this crash is in net.lingala.zip4j.io.inputstream.AesCipherInputStream.getSalt::AesCipherInputStream.java:161.

zip4j/src/main/java/net/lingala/zip4j/io/inputstream/AesCipherInputStream.java

Line 161 in ce1cff6

byte[] saltBytes = new byte[aesExtraDataRecord.getAesKeyStrength().getSaltLength()];

The variable "aesExtraDataRecord" has a NULL value and it results in NullPointerException.

See more detail from the following crash stack.

Crash stack:

The crash thread's stack is as follows:

net.lingala.zip4j.io.inputstream.AesCipherInputStream.getSalt::AesCipherInputStream.java:161
net.lingala.zip4j.io.inputstream.AesCipherInputStream.initializeDecrypter::AesCipherInputStream.java:37
net.lingala.zip4j.io.inputstream.AesCipherInputStream.initializeDecrypter::AesCipherInputStream.java:18
net.lingala.zip4j.io.inputstream.CipherInputStream.<init>::CipherInputStream.java:25
net.lingala.zip4j.io.inputstream.AesCipherInputStream.<init>::AesCipherInputStream.java:32
net.lingala.zip4j.io.inputstream.ZipInputStream.initializeCipherInputStream::ZipInputStream.java:234
net.lingala.zip4j.io.inputstream.ZipInputStream.initializeEntryInputStream::ZipInputStream.java:223
net.lingala.zip4j.io.inputstream.ZipInputStream.getNextEntry::ZipInputStream.java:113
net.lingala.zip4j.io.inputstream.ZipInputStream.getNextEntry::ZipInputStream.java:83
com.test.Entry.main::Entry.java:37

Steps to reproduce:

1. Build the following java code with the corresponding zip4j library (version 2.9.0).

## Download zip4j_env_reproduce.tar.gz from https://drive.google.com/file/d/1MekCBIghKxIW4j-TLjZkm8ovvLb_grm5/view?usp=sharing
tar -xf zip4j_env_reproduce.tar.gz
cd zip4j_env_reproduce
bash build.sh

2. Run the built program to see the crash by feeding one of the poc file contained in the pocs.tar.gz, e.g. :
   (poc file can be downloaded from https://drive.google.com/file/d/1OM47k2Q9nGgj32UU-npTN2FrUePo7ehF/view?usp=sharing)

java -jar target/Entry-1.0-SNAPSHOT-jar-with-dependencies.jar pocs/crash-d6e84c761cc0e655ae615ce3473793935ee337bf

Any further discussion for this vulnerability including fix is welcomed!

[srikanth-lingala]

The variable "aesExtraDataRecord" has a NULL value and it results in NullPointerException.

How can aesExtraDataRecord be null here? There is a null check a couple of lines ahead.

I think in this case, the aesExtraDataRecord.getAesKeyStrength() was null.

[srikanth-lingala]

Fixed in v2.10.0 released today