
Trifecta is vulnerable to Brotli ("zip") bombs if Brotli support is enabled #48

Open
wandernauta opened this issue Jan 23, 2024 · 0 comments

wandernauta commented Jan 23, 2024

Trifecta allows zlib (gzip) and Brotli (br) compression/decompression of requests and responses when, at build time, it is detected that the libraries to do this are present on the system.

However, in this case, this feature makes Trifecta vulnerable to a "zip bomb" attack, where a crafted highly compressed file is uploaded, and the app is tricked into trying to uncompress it in memory.

Taking the file from here and bunzipping it, we have a 1.3MB Brotli file that uncompresses to 100GB of data. When we send this file, the app will attempt to allocate the entire 100GB worth of memory. My machine is not that large, so this triggers the OOM killer, which then (luckily) kills the Trifecta process.

To demonstrate:

% ~ › curl -H 'Content-Encoding: br' --data-binary @100GB.html.br http://127.0.0.1:8080/trifecta/status
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.25.3</center>
</body>
</html>
% ~/Code/trifecta › ./buildDir/trifecta
Database is in trifecta.sqlite, canonical URL is http://127.0.0.1:3456/
Admin users: admin 
Will listen on http://127.0.0.1:3456
zsh: killed     ./buildDir/trifecta
[ 2961.933094] Out of memory: Killed process 6865 (trifecta) total-vm:6445152kB, anon-rss:2927824kB, file-rss:1920kB, shmem-rss:0kB, UID:1000 pgtables:5848kB oom_score_adj:0

As a mitigation, Trifecta should ensure that the following macros are never defined when httplib.h is included:

  • CPPHTTPLIB_ZLIB_SUPPORT
  • CPPHTTPLIB_BROTLI_SUPPORT

In the example above, the request goes through nginx, but the behavior is the same regardless of whether Trifecta is fronted by nginx or not.
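The defensive counterpart to the report above, as an added example that is not Trifecta's or cpp-httplib's code: a server that keeps decompression enabled has to cap the *decompressed* size, not just the compressed body size, and it has to enforce the cap while streaming rather than after inflating the whole stream. The example uses Python's standard-library zlib (DEFLATE/gzip, assumed here as a stand-in because Brotli is not in the stdlib; the same pattern applies to any streaming decompressor), builds a constructed bomb of zeros, and shows the bounded decoder rejecting it with only a bounded amount of memory ever allocated. The names `bounded_decompress`, `DecompressionBombError` and `make_constructed_bomb` are assumptions for this example.

```python
import zlib

# Constructed limit for the example: the largest decompressed body a handler
# is willing to hold in memory. A real service picks this per endpoint.
MAX_DECOMPRESSED = 1 * 1024 * 1024  # 1 MiB
CHUNK = 64 * 1024                   # output produced per decompressor call


class DecompressionBombError(ValueError):
    """Raised when a compressed body would inflate past the configured cap."""


def bounded_decompress(data: bytes, max_out: int = MAX_DECOMPRESSED,
                       chunk: int = CHUNK) -> bytes:
    """Inflate a zlib- or gzip-wrapped body, aborting once output exceeds max_out.

    zlib.decompressobj(...).decompress(data, max_length) returns at most
    max_length bytes per call and parks the unprocessed input in
    unconsumed_tail, so memory use is bounded by max_out plus one chunk
    (plus at most a partially copied back-reference), never by the ratio.
    """
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)  # auto-detect zlib/gzip header
    out = bytearray()
    pending = data
    while pending:
        out += d.decompress(pending, chunk)
        if len(out) > max_out:
            raise DecompressionBombError(
                f"decompressed size exceeds {max_out} bytes; refusing body")
        pending = d.unconsumed_tail
    out += d.flush()  # drain any output zlib was holding for the last symbol
    if len(out) > max_out:
        raise DecompressionBombError(
            f"decompressed size exceeds {max_out} bytes; refusing body")
    if not d.eof:
        raise ValueError("truncated compressed stream")
    return bytes(out)


def make_constructed_bomb(plain_size: int) -> bytes:
    """Build a highly compressible body (all zero bytes) for the demonstration.

    This is constructed sample data, not the file referenced in the issue;
    zeros compress at roughly 1000:1 under DEFLATE.
    """
    return zlib.compress(b"\0" * plain_size, 9)


def compression_ratio(compressed: bytes, plain_size: int) -> float:
    """Plain-size / compressed-size, useful as a log field when rejecting a body."""
    return plain_size / len(compressed)


if __name__ == "__main__":
    plain_size = 16 * 1024 * 1024
    bomb = make_constructed_bomb(plain_size)
    print(f"constructed bomb: {len(bomb)} bytes compressed, "
          f"ratio {compression_ratio(bomb, plain_size):.0f}:1")
    try:
        bounded_decompress(bomb)  # would need 16 MiB; cap is 1 MiB
    except DecompressionBombError as exc:
        print(f"rejected: {exc}")
    print(bounded_decompress(zlib.compress(b"hello, trifecta"), 1024))
```

The unbounded equivalent, `zlib.decompress(body)`, is exactly the shape of the problem in the report: it allocates the full decompressed size before the handler can inspect it. Disabling the `CPPHTTPLIB_*_SUPPORT` macros removes the decompressor entirely, which is the simplest fix; if decompression must stay, the request path needs a cap like the one above, and the rejection should be logged with the compression ratio so that bomb attempts show up in monitoring.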
