DoS attack in the HTTP decompression in openattackdefensetools/tulip

Valid

Reported on

Sep 13th 2022


Description

Tulip is able to decompress compressed HTTP payloads, but it does not check for decompression bombs. Using brotli, an attacker can send an HTTP packet to a team vulnbox containing a brotli payload of 8.3KB. When decompressed, this payload expands to 10GiB on the machine running the ingestor.

This payload can be created using dd if=/dev/zero bs=1M count=10240 | brotli > payload.br.

Solution

It is possible to limit the maximum length of the decompressed stream in Golang. See https://stackoverflow.com/a/56629623.
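The following is an added example, not code from Tulip or from the linked answer, showing the usual way to bound decompressed output in Go: wrap the decompressor in io.LimitReader sized at one byte more than the allowed maximum, so that an over-sized stream is detected and rejected instead of being read to completion. It uses gzip from the standard library because brotli requires a third-party module; the function names, the limit values and the constructed zero-filled test stream are assumptions of this example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressedTooLarge is returned when the decompressed body would exceed the configured limit.
var ErrDecompressedTooLarge = errors.New("decompressed body exceeds configured limit")

// decompressBounded reads at most maxOut bytes of decompressed output from zr.
// It asks the limited reader for maxOut+1 bytes: if that extra byte arrives, the
// stream is larger than allowed and is rejected. Memory use is bounded by maxOut+1
// regardless of how large the stream would expand to.
func decompressBounded(zr io.Reader, maxOut int64) ([]byte, error) {
	out, err := io.ReadAll(io.LimitReader(zr, maxOut+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		return nil, ErrDecompressedTooLarge
	}
	return out, nil
}

// decompressGzipBounded applies the bound to a gzip-encoded body (stand-in for brotli here).
func decompressGzipBounded(compressed []byte, maxOut int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return decompressBounded(zr, maxOut)
}

// makeZeroBomb builds a constructed gzip stream that decompresses to n zero bytes,
// written in 64 KiB chunks so the example itself never allocates the full output.
func makeZeroBomb(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	chunk := make([]byte, 64<<10)
	for written := 0; written < n; {
		c := chunk
		if rem := n - written; rem < len(c) {
			c = c[:rem]
		}
		if _, err := zw.Write(c); err != nil {
			panic(err)
		}
		written += len(c)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	bomb := makeZeroBomb(1 << 20) // 1 MiB of zeros; compresses to roughly a kilobyte
	fmt.Printf("compressed size: %d bytes\n", len(bomb))

	// A 64 KiB limit rejects the stream after reading 64 KiB + 1 bytes, not 1 MiB.
	if _, err := decompressGzipBounded(bomb, 64<<10); err != nil {
		fmt.Println("rejected:", err)
	}

	// A limit at or above the real size returns the full body.
	out, err := decompressGzipBounded(bomb, 1<<20)
	fmt.Printf("accepted %d bytes, err=%v\n", len(out), err)
}
```

For an ingestor, the limit should be chosen relative to what a single HTTP body is expected to carry in the captured traffic, and a rejection is worth logging with the flow's endpoints so an attempted bomb shows up in monitoring rather than only as silently dropped data.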

Impact

The machine running the pcap ingestor will run out of memory, and the MongoDB database might fill up very quickly (hard disk saturation).

We are processing your report and will contact the openattackdefensetools/tulip team within 24 hours. 3 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago
We have contacted a member of the openattackdefensetools/tulip team and are waiting to hear back 2 months ago
openattackdefensetools/tulip maintainer modified the Severity from High (8.6) to Medium (6.8) 2 months ago
We have sent a follow up to the openattackdefensetools/tulip team. We will try again in 7 days. a month ago
We have sent a second follow up to the openattackdefensetools/tulip team. We will try again in 10 days. a month ago
openattackdefensetools/tulip maintainer gave praise a month ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
We have sent a third and final follow up to the openattackdefensetools/tulip team. This report is now considered stale. a month ago
25 days ago

@admin Anything else I need to do here? The bug's been fixed, I clicked the "thanks a researcher" button, but you're still sending me emails.

I appreciate the attention, but it'd be nice if your system actually looked at the activity here and stopped sending the same mail every 5 days, no?

Pavlos
25 days ago

Admin


Hey! Sorry about that, we stop sending emails once the report is acknowledged via Other actions > Mark as seen or Resolved...

Is the green 'Resolved' button missing for you or was the process ambiguous? Do you want me to mark it as fixed for you?

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
openattackdefensetools/tulip maintainer validated this vulnerability 25 days ago
erdnaxe has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
openattackdefensetools/tulip maintainer marked this as fixed in e068645e6ab4d3a79df517cd06bf2e76f5dfeb53 with commit e06864 25 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
http.go#L87-L99 has been validated
openattackdefensetools/tulip maintainer published this vulnerability 25 days ago