Operating system resource exhaustion (denial of service) when processing crafted gzip content

UNCONFIRMED
Unassigned

Status: UNCONFIRMED (reported 5 years ago, modified 3 years ago)

People

(Reporter: geoff.jones, Unassigned)

Tracking

Version: 22 Branch
Platform: x86_64 Linux
Keywords: csectype-dos, sec-low
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: DUPEME)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Created attachment 778403 [details]
Cyberis Whitepaper - Evil HTTP Compression.pdf

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36

Steps to reproduce:

Compress 1TB of /dev/zero with four rounds of gzip compression (resulting file size 43k).

Deliver compressed content to browser with 'Content-Encoding: gzip, gzip, gzip, gzip'

Testing framework available here - https://github.com/cyberisltd/GzipBloat

Actual results:

Operating system resources are exhausted, ultimately resulting in a crash of the browser.


Expected results:

Browser should display a suitable error message indicating it is not possible to decompress content. If decompression is attempted, multiple calls to the decompression routine should be made to prevent exhaustion of memory.
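The mitigation the reporter asks for under "Expected results" (decompress in bounded steps and refuse to continue once a size budget is exceeded, instead of inflating the whole body into memory), written as an added example. It is not code from the bug report, from Firefox, or from the GzipBloat framework; the function names, the 64 KiB step size and the byte budgets are my own choices, and the test input is constructed inline (1 MiB of zeros wrapped in two gzip layers, a small stand-in for the reporter's 1 TB payload):

```python
"""Bounded, streaming decoder for stacked 'Content-Encoding: gzip, gzip, ...'.

Each gzip layer is inflated in fixed-size steps and the decoder aborts as soon
as the inflated output passes a byte budget, so a few kilobytes on the wire
cannot turn into gigabytes of memory before the caller notices.
"""
import gzip
import zlib


class DecompressionBombError(Exception):
    """Raised when inflated output exceeds the configured budget."""


def parse_content_encoding(header: str) -> list:
    """Split a Content-Encoding header into its ordered list of codings."""
    return [tok.strip().lower() for tok in header.split(",") if tok.strip()]


def inflate_layer(data: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate one gzip member, producing at most `chunk` output bytes per step.

    Raises DecompressionBombError once the output passes `max_out`, and
    zlib.error on a truncated or corrupt stream.
    """
    dec = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = bytearray()
    pos = 0
    while not dec.eof:
        if dec.unconsumed_tail:
            # The previous step hit the output cap; keep feeding the leftover input.
            src = dec.unconsumed_tail
        elif pos < len(data):
            src = data[pos:pos + chunk]
            pos += chunk
        else:
            raise zlib.error("truncated gzip stream")
        piece = dec.decompress(src, chunk)  # max_length bounds each step's output
        if not piece and not dec.eof and dec.unconsumed_tail == src:
            raise zlib.error("inflate made no progress")
        out += piece
        if len(out) > max_out:
            raise DecompressionBombError(
                f"inflated output exceeds {max_out} bytes; aborting")
    return bytes(out)


def decode_body(body: bytes, content_encoding: str, max_out: int) -> bytes:
    """Undo every coding listed in Content-Encoding, last-applied first.

    The same budget applies to every layer, since each layer's output is the
    next layer's input and the final layer's output is what gets rendered.
    """
    for coding in reversed(parse_content_encoding(content_encoding)):
        if coding == "identity":
            continue
        if coding not in ("gzip", "x-gzip"):
            raise ValueError(f"unsupported content-coding: {coding}")
        body = inflate_layer(body, max_out)
    return body


def build_fixture(size: int, rounds: int):
    """Constructed test input: `size` zero bytes wrapped in `rounds` gzip layers."""
    payload = b"\x00" * size
    for _ in range(rounds):
        payload = gzip.compress(payload)
    return payload, ", ".join(["gzip"] * rounds)


if __name__ == "__main__":
    body, encoding = build_fixture(1 << 20, 2)
    print(f"{len(body)} bytes on the wire, Content-Encoding: {encoding}")
    print("2 MiB budget:", len(decode_body(body, encoding, max_out=2 << 20)), "bytes out")
    try:
        decode_body(body, encoding, max_out=64 * 1024)
    except DecompressionBombError as exc:
        print("64 KiB budget:", exc)
```

With a 2 MiB budget the two-layer fixture decodes to the original 1 MiB of zeros; with a 64 KiB budget the inner layer is cut off after its second 64 KiB step, having allocated roughly 128 KiB rather than the full payload. The same loop serves a four-layer "gzip, gzip, gzip, gzip" header unchanged, because the budget is checked inside every layer rather than once at the end.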
(Reporter)

Comment 1

5 years ago
Other vendors mentioned in the paper are also aware of the issue.
Whiteboard: DUPEME
Keywords: csec-dos, sec-low
Group: core-security