DoS attack in the HTTP decompression in openattackdefensetools/tulip
Sep 13th 2022
Tulip is able to decompress compressed HTTP payloads. It does not check for decompression bombs. Using brotli, an attacker can send an HTTP packet to a team vulnbox containing a brotli payload of 8.3KB. When decompressed, this payload expands to 10GiB on the machine running the ingestor.
This payload can be created using:
dd if=/dev/zero bs=1M count=10240 | brotli > payload.br
It is possible to limit the maximum length of the decompressed stream in Golang. See https://stackoverflow.com/a/56629623.
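The bounded-decompression pattern from that answer, as an added example that is not part of the original report or of the Tulip code base: the decompressor is wrapped in io.LimitReader with a cap of one byte more than the allowed size, so the ingestor never buffers more than the cap plus one byte and can reject an oversized stream without reading the rest of it. Brotli support in Go needs a third-party package, so this example uses compress/gzip from the standard library as a stand-in; the wrapper works unchanged on any io.Reader, including a brotli reader. The 16 MiB cap, the function names and the constructed zero-filled test input are assumptions made for the example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionBomb is returned when a stream would expand past the cap.
var ErrDecompressionBomb = errors.New("decompressed payload exceeds limit")

// decompressBounded inflates a gzip stream (stand-in for brotli; assumption for
// this example) but never produces more than maxOut bytes. It reads at most
// maxOut+1 bytes: the extra byte reveals an oversized stream without buffering
// the whole decompressed payload in memory.
func decompressBounded(compressed []byte, maxOut int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	limited := io.LimitReader(zr, maxOut+1)
	out, err := io.ReadAll(limited)
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		// Reject without consuming the remainder of the stream.
		return nil, ErrDecompressionBomb
	}
	return out, nil
}

// makeZeroBomb builds a small gzip stream that expands to n zero bytes
// (constructed test input, the same shape as the dd | brotli payload).
func makeZeroBomb(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zeros := make([]byte, 1<<20) // 1 MiB chunk of zeros
	for written := 0; written < n; {
		chunk := zeros
		if rem := n - written; rem < len(zeros) {
			chunk = zeros[:rem]
		}
		zw.Write(chunk)
		written += len(chunk)
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	const maxOut = 16 << 20 // 16 MiB cap per decompressed body (assumed value)

	bomb := makeZeroBomb(64 << 20) // 64 MiB of zeros compresses to a few tens of KB
	fmt.Printf("bomb: %d compressed bytes\n", len(bomb))
	_, err := decompressBounded(bomb, maxOut)
	fmt.Println("bomb result:", err)

	small := makeZeroBomb(1024)
	out, err := decompressBounded(small, maxOut)
	fmt.Printf("small result: %d bytes, err=%v\n", len(out), err)
}
```

The cap should be chosen from the largest HTTP body the ingestor legitimately needs to index; anything above it is dropped (or stored compressed) rather than inflated, which keeps both the ingestor's memory and the MongoDB volume bounded by a value the operator controls.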
The machine running the pcap ingestor will run out of memory, and the MongoDB storage might fill up very quickly (hard disk saturation).