GHSA-xq3w-v528-46rv

Suggest an improvement
Source
https://github.com/advisories/GHSA-xq3w-v528-46rv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-xq3w-v528-46rv/GHSA-xq3w-v528-46rv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xq3w-v528-46rv
Aliases
Related
Published
2024-11-12T19:53:17Z
Modified
2024-11-12T20:12:16.122586Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • 7.0 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:H/SI:H/SA:L/E:P CVSS Calculator
Summary
Denial of Service attack on windows app using netty
Details

Summary

An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attemps to load a file that does not exist. If an attacker creates such a large file, the Netty application crash.

Details

When the library netty is loaded in a java windows application, the library tries to identify the system environnement in which it is executed.

At this stage, Netty tries to load both /etc/os-release and /usr/lib/os-release even though it is in a Windows environment.

<img width="364" alt="1" src="https://github.com/user-attachments/assets/9466b181-9394-45a3-b0e3-1dcf105def59">

If netty finds this files, it reads them and loads them into memory.

By default :

  • The JVM maximum memory size is set to 1 GB,
  • A non-privileged user can create a directory at C:\ and create files within it.

<img width="340" alt="2" src="https://github.com/user-attachments/assets/43b359a2-5871-4592-ae2b-ffc40ac76831">

<img width="523" alt="3" src="https://github.com/user-attachments/assets/ad5c6eed-451c-4513-92d5-ba0eee7715c1">

the source code identified : https://github.com/netty/netty/blob/4.1/common/src/main/java/io/netty/util/internal/PlatformDependent.java

Despite the implementation of the function normalizeOs() the source code not verify the OS before reading C:\etc\os-release and C:\usr\lib\os-release.

PoC

Create a file larger than 1 GB of data in C:\etc\os-release or C:\usr\lib\os-release on a Windows environnement and start your Netty application.

To observe what the application does with the file, the security analyst used "Process Monitor" from the "Windows SysInternals" suite. (https://learn.microsoft.com/en-us/sysinternals/)

cd C:\etc
fsutil file createnew os-release 3000000000

<img width="519" alt="4" src="https://github.com/user-attachments/assets/39df22a3-462b-4fd0-af9a-aa30077ec08f">

<img width="517" alt="5" src="https://github.com/user-attachments/assets/129dbd50-fc36-4da5-8eb1-582123fb528f">

The source code used is the Netty website code example : Echo ‐ the very basic client and server.

The vulnerability was tested on the 4.1.112.Final version.

The security analyst tried the same technique for C:\proc\sys\net\core\somaxconn with a lot of values to impact Netty but the only things that works is the "larger than 1 GB file" technique. https://github.com/netty/netty/blob/c0fdb8e9f8f256990e902fcfffbbe10754d0f3dd/common/src/main/java/io/netty/util/NetUtil.java#L186

Impact

By loading the "file larger than 1 GB" into the memory, the Netty library exceeds the JVM memory limit and causes a crash in the java Windows application.

This behaviour occurs 100% of the time in both Server mode and Client mode if the large file exists.

Client mode :

<img width="449" alt="6" src="https://github.com/user-attachments/assets/f8fe1ed0-1a42-4490-b9ed-dbc9af7804be">

Server mode :

<img width="464" alt="7" src="https://github.com/user-attachments/assets/b34b42bd-4fbd-4170-b93a-d29ba87b88eb">

somaxconn :

<img width="532" alt="8" src="https://github.com/user-attachments/assets/0656b3bb-32c6-4ae2-bff7-d93babba08a3">

Severity

  • Attack vector : "Local" because the attacker needs to be on the system where the Netty application is running.
  • Attack complexity : "Low" because the attacker only need to create a massive file (regardless of its contents).
  • Privileges required : "Low" because the attacker requires a user account to exploit the vulnerability.
  • User intercation : "None" because the administrator don't need to accidentally click anywhere to trigger the vulnerability. Furthermore, the exploitation works with defaults windows/AD settings.
  • Scope : "Unchanged" because only Netty is affected by the vulnerability.
  • Confidentiality : "None" because no data is exposed through exploiting the vulnerability.
  • Integrity : "None" because the explotation of the vulnerability does not allow editing, deleting or adding data elsewhere.
  • Availability : "High" because the exploitation of this vulnerability crashes the entire java application.
References

Affected packages

Maven / io.netty:netty-common

Package

Name
io.netty:netty-common
View open source insights on deps.dev
Purl
pkg:maven/io.netty/netty-common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.1.115

Affected versions

4.*

4.0.0.Alpha1
4.0.0.Alpha2
4.0.0.Alpha3
4.0.0.Alpha4
4.0.0.Alpha5
4.0.0.Alpha6
4.0.0.Alpha7
4.0.0.Alpha8
4.0.0.Beta1
4.0.0.Beta2
4.0.0.Beta3
4.0.0.CR1
4.0.0.CR2
4.0.0.CR3
4.0.0.CR4
4.0.0.CR5
4.0.0.CR6
4.0.0.CR7
4.0.0.CR8
4.0.0.CR9
4.0.0.Final
4.0.1.Final
4.0.2.Final
4.0.3.Final
4.0.4.Final
4.0.5.Final
4.0.6.Final
4.0.7.Final
4.0.8.Final
4.0.9.Final
4.0.10.Final
4.0.11.Final
4.0.12.Final
4.0.13.Final
4.0.14.Beta1
4.0.14.Final
4.0.15.Final
4.0.16.Final
4.0.17.Final
4.0.18.Final
4.0.19.Final
4.0.20.Final
4.0.21.Final
4.0.22.Final
4.0.23.Final
4.0.24.Final
4.0.25.Final
4.0.26.Final
4.0.27.Final
4.0.28.Final
4.0.29.Final
4.0.30.Final
4.0.31.Final
4.0.32.Final
4.0.33.Final
4.0.34.Final
4.0.35.Final
4.0.36.Final
4.0.37.Final
4.0.38.Final
4.0.39.Final
4.0.40.Final
4.0.41.Final
4.0.42.Final
4.0.43.Final
4.0.44.Final
4.0.45.Final
4.0.46.Final
4.0.47.Final
4.0.48.Final
4.0.49.Final
4.0.50.Final
4.0.51.Final
4.0.52.Final
4.0.53.Final
4.0.54.Final
4.0.55.Final
4.0.56.Final
4.1.0.Beta1
4.1.0.Beta2
4.1.0.Beta3
4.1.0.Beta4
4.1.0.Beta5
4.1.0.Beta6
4.1.0.Beta7
4.1.0.Beta8
4.1.0.CR1
4.1.0.CR2
4.1.0.CR3
4.1.0.CR4
4.1.0.CR5
4.1.0.CR6
4.1.0.CR7
4.1.0.Final
4.1.1.Final
4.1.2.Final
4.1.3.Final
4.1.4.Final
4.1.5.Final
4.1.6.Final
4.1.7.Final
4.1.8.Final
4.1.9.Final
4.1.10.Final
4.1.11.Final
4.1.12.Final
4.1.13.Final
4.1.14.Final
4.1.15.Final
4.1.16.Final
4.1.17.Final
4.1.18.Final
4.1.19.Final
4.1.20.Final
4.1.21.Final
4.1.22.Final
4.1.23.Final
4.1.24.Final
4.1.25.Final
4.1.26.Final
4.1.27.Final
4.1.28.Final
4.1.29.Final
4.1.30.Final
4.1.31.Final
4.1.32.Final
4.1.33.Final
4.1.34.Final
4.1.35.Final
4.1.36.Final
4.1.37.Final
4.1.38.Final
4.1.39.Final
4.1.40.Final
4.1.41.Final
4.1.42.Final
4.1.43.Final
4.1.44.Final
4.1.45.Final
4.1.46.Final
4.1.47.Final
4.1.48.Final
4.1.49.Final
4.1.50.Final
4.1.51.Final
4.1.52.Final
4.1.53.Final
4.1.54.Final
4.1.55.Final
4.1.56.Final
4.1.57.Final
4.1.58.Final
4.1.59.Final
4.1.60.Final
4.1.61.Final
4.1.62.Final
4.1.63.Final
4.1.64.Final
4.1.65.Final
4.1.66.Final
4.1.67.Final
4.1.68.Final
4.1.69.Final
4.1.70.Final
4.1.71.Final
4.1.72.Final
4.1.73.Final
4.1.74.Final
4.1.75.Final
4.1.76.Final
4.1.77.Final
4.1.78.Final
4.1.79.Final
4.1.80.Final
4.1.81.Final
4.1.82.Final
4.1.83.Final
4.1.84.Final
4.1.85.Final
4.1.86.Final
4.1.87.Final
4.1.88.Final
4.1.89.Final
4.1.90.Final
4.1.91.Final
4.1.92.Final
4.1.93.Final
4.1.94.Final
4.1.95.Final
4.1.96.Final
4.1.97.Final
4.1.98.Final
4.1.99.Final
4.1.100.Final
4.1.101.Final
4.1.102.Final
4.1.103.Final
4.1.104.Final
4.1.105.Final
4.1.106.Final
4.1.107.Final
4.1.108.Final
4.1.109.Final
4.1.110.Final
4.1.111.Final
4.1.112.Final
4.1.113.Final
4.1.114.Final

Database specific

{
    "last_known_affected_version_range": "<= 4.1.114"
}