Login
Quote
Security

Vulnerability of Decompression Bomb, CWE-409

The vulnerability G110 (CWE-409) in Go (Golang) indicates a potential denial-of-service (DoS) vulnerability through a 'compression bomb'. This occurs when a program unpacks a compressed file designed to consume an excessive amount of system resources, such as CPU or memory, which can lead to service disruption.

CWE-409: Decompression Bomb Vulnerability

CWE-409 refers to the inadequate manipulation of compressed data, where decompressing certain data can result in a much higher resource consumption than expected. This type of attack is known as 'compression bomb'.

Understanding Severity and Confidence

  • Trust: Media The automated system or the human auditor who identified this vulnerability has a moderate confidence that this vulnerability exists.
  • Severity: Medium If explored, the vulnerability may cause notable interruptions in service, but it does not necessarily lead to complete system compromise or significant data leakage.

Vulnerable Code Example

Here is an example in Go that shows how a decompression bomb vulnerability can occur:

package main
import (
    "compress/gzip"
    "io/ioutil"
    "log"
    "os"
)

func main() {
   file, err := os.Open("bomba.gz"
   if err != nil { log.Fatal(err) }
   defer file.Close()

   reader, err := gzip.NewReader(file)
   if err != nil { log.Fatal(err) }
   defer reader.Close()

   _, err = ioutil.ReadAll(reader)
   if err != nil { log.Fatal(err) }

   log.Println("Arquivo descompactado com sucesso")
}

In this example, the function ioutil.ReadAll(reader) Extract all decompressed content to memory. If the compressed file is a decompression bomb, it can consume a lot of memory and cause a DoS.

Mitigations

  1. Compress Data Size Establish a reasonable limit for the size of uncompressed data. This can prevent a malicious compressed file from consuming excessive resources.

  2. Monitoring Resource Consumption Implement mechanisms to monitor memory and CPU usage, and take appropriate actions if abnormal consumption is detected.

  3. Verify Files Before Decompression Check the structure and content of files before uncompressing them. This may include verifying headers or metadata to ensure that the data is in line with what is expected.

Example of Mitigation

Here is an improved version of the previous example with a limitation on the size of uncompressed data:

package main

import (
   "compress/gzip"
   "io"
   "log"
   "os"
)

func main() {
   file, err := os.Open("bomba.gz")
   if err != nil { log.Fatal(err) }
   defer file.Close()

   reader, err := gzip.NewReader(file)
   if err != nil { log.Fatal(err) }
   defer reader.Close()

   limitedReader := io.LimitReader(reader, 10*1024*1024// Limite de 10MB
   _, err = ioutil.ReadAll(limitedReader)
   if err != nil { log.Fatal(err) }

   log.Println("Arquivo descompactado com sucesso")
}

In this example, io.LimitReader It's used to limit the amount of data that can be read from the decompression reader to 10MB, mitigating the risk of a decompression bomb.

If you need more details or help on how to deal with this specific vulnerability, feel free to ask!

Get started today with Sociap

Take the next step in the evolution of your Tech Stack

Know more
whatsapp