DoS attack in the HTTP decompression in openattackdefensetools/tulip

Valid

Reported on

Sep 13th 2022


Description

Tulip is able to decompress compressed HTTP payloads, but it does not check for decompression bombs. Using brotli, an attacker can send an HTTP packet to a team vulnbox containing a brotli payload of 8.3KB. When decompressed, this payload expands to 10GiB on the machine running the ingestor.

This payload can be created using dd if=/dev/zero bs=1M count=10240 | brotli > payload.br.

Solution

It is possible to limit the maximum length of the decompressed stream in Golang. See https://stackoverflow.com/a/56629623.
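The bound described above, as an added example that is not tulip's own code: it uses Go's standard-library gzip reader in place of the brotli decoder tulip uses, because the io.LimitReader pattern works on any io.Reader, and the 1 MiB cap and the zero-filled sample payload are constructed here.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the decompressed stream would exceed the cap.
var ErrTooLarge = errors.New("decompressed payload exceeds limit")

// decompressBounded inflates compressed data but never materialises more than
// maxOut bytes, so a small compressed body cannot expand without bound.
func decompressBounded(compressed []byte, maxOut int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	// Read one byte past the cap: if that byte arrives, the stream is too big.
	out, err := io.ReadAll(io.LimitReader(zr, maxOut+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		return nil, ErrTooLarge
	}
	return out, nil
}

// compressZeros builds a constructed sample "bomb": n zero bytes, gzip-compressed
// in 1 MiB chunks so the builder itself stays small in memory.
func compressZeros(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	chunk := bytes.Repeat([]byte{0}, 1<<20)
	for n > 0 {
		if n < len(chunk) {
			chunk = chunk[:n]
		}
		zw.Write(chunk)
		n -= len(chunk)
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	bomb := compressZeros(64 << 20) // 64 MiB of zeros, a few tens of KB compressed
	fmt.Printf("compressed sample: %d bytes\n", len(bomb))
	_, err := decompressBounded(bomb, 1<<20) // 1 MiB cap on inflated size
	fmt.Println("bounded decompression:", err)
}
```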

Impact

The machine running the pcap ingestor will run out of memory, and the MongoDB might fill up very quickly (hard disk saturation).

We are processing your report and will contact the openattackdefensetools/tulip team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the openattackdefensetools/tulip team and are waiting to hear back a year ago
openattackdefensetools/tulip maintainer modified the Severity from High (8.6) to Medium (6.8) a year ago
We have sent a follow up to the openattackdefensetools/tulip team. We will try again in 4 days. a year ago
We have sent a second follow up to the openattackdefensetools/tulip team. We will try again in 7 days. a year ago
openattackdefensetools/tulip maintainer gave praise a year ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
We have sent a third follow up to the openattackdefensetools/tulip team. We will try again in 14 days. a year ago

Maintainer


@admin Anything else I need to do here? The bug's been fixed, I clicked the "thanks a researcher" button, but you're still sending me emails.

I appreciate the attention, but it'd be nice if your system actually looked at the activity here and stopped sending the same mail every 5 days, no?

Pavlos
a year ago

Admin


Hey! Sorry about that, we stop sending emails once the report is acknowledged via Other actions > Mark as seen or Resolved...

Is the green 'Resolved' button missing for you or was the process ambiguous? Do you want me to mark it as fixed for you?

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
openattackdefensetools/tulip maintainer validated this vulnerability a year ago
erdnaxe has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
openattackdefensetools/tulip maintainer marked this as fixed in e068645e6ab4d3a79df517cd06bf2e76f5dfeb53 with commit e06864 a year ago
The fix bounty has been dropped
http.go#L87-L99 has been validated
This vulnerability has now been published a year ago