Skip to content
/ CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability Public

XZ 5.2.5 mishandles read the designed payload, leading to denial of service (resource consumption)

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
img
img
 
 
README.md
README.md
 
 
payload
payload
 
 

Repository files navigation

CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability

hi,

I found a denial of service vulnerability in XZ 5.2.5, and it both work on Windows and linux.When the xz decompress a designed file from hacker,it could cause endless output,and leading to denial of service.

Here is the step of POC:

Windows version

use xz.exe -c -d payload ,you can see endless output like this:

image

use xz.exe -c -d payload > result to save the output leading denial of service.

image

Linux version

use ./bin/unxz -c payload or ./bin/unxz -c payload you can see endless output like this:

image

use ./bin/unxz -c payload > result or ./bin/unxz -c payload > result to save the output leading denial of service.

image

payload hash

md5 : 87e02b7762ced66fc8efd2d607d31e07

sha256 : fa8920eb80bc90aea829260ec2606c8bd6de03f5aaeea4160fcbc3935ffd1888

About

XZ 5.2.5 mishandles read the designed payload, leading to denial of service (resource consumption)

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published