
Pixel Flood Attack leads to Application level DoS

How an image can lead to a DoS attack

Case 1

A bug hunter submitted this report to HackerOne and was paid a $500 bounty. His report is reproduced below.

I just found a way to make your service time out. I didn't know if I should put this under the Internet section or just the HackerOne section, because the exploit also crashes my Windows Image Viewer. A lot of other services should be vulnerable as well.

For the sake of responsible disclosure I haven't made an article about this yet. But if you fix this problem I would like to publish this for my ego, and because of the maximum giggles I experienced after finding this.

The exploit is really simple. I have an image of 5 KB, 260x260 pixels. In the image itself I exchange the 260x260 values with 0xfafa x 0xfafa (so 64250x64250 pixels). Now, from what I remember, your service tries to convert the image once uploaded. By loading the 'whole image' into memory, it tries to allocate 4128062500 pixels into memory, flooding the memory and causing DoS. This also happens with Windows Photo Viewer on my computer.

As attachments I sent three photos of your service timing out (had to be sure it was my image), and the image with the 'spoofed' pixels.

Files can be seen at https://hackerone.com/reports/390

PATCH

As a patch I would suggest you just set a maximum number of pixels an image can have.
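The header trick from the report above, and the pixel cap it proposes as the fix, in one added Python example. This is the editor's illustration, not code from either report or from HackerOne: it builds a tiny 260x260 PNG, rewrites the IHDR width and height to 0xfafa x 0xfafa while leaving the compressed pixel data untouched (recomputing the chunk CRC, so the file still looks well-formed), and then shows the kind of pre-decode check a service should run: read the declared dimensions from the PNG IHDR or JPEG SOF header and reject the upload if width x height exceeds a cap. The cap value `MAX_PIXELS`, the function names, and the constructed JPEG header (SOI + APP0 + SOF0 only, enough for a header check) are all assumptions made for the example.

```python
from __future__ import annotations
import struct
import zlib

# Hypothetical cap (about 5000x5000). A real service tunes this to what it actually
# needs to process; for comparison, Pillow's default decompression-bomb limit is ~89.5 Mpx.
MAX_PIXELS = 25_000_000

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# JPEG start-of-frame markers SOF0..SOF15, excluding DHT (C4), JPG (C8) and DAC (CC)
JPEG_SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Constructed sample input: a minimal valid 8-bit RGB PNG, all pixels black."""
    raw = b"".join(b"\x00" + b"\x00" * (3 * width) for _ in range(height))  # filter byte 0 per row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b"")


def spoof_png_dimensions(png: bytes, width: int, height: int) -> bytes:
    """The pixel-flood trick: rewrite IHDR width/height (and recompute the chunk CRC)
    so the header claims a huge canvas while the compressed pixel data stays tiny.
    A decoder that allocates width*height*bytes_per_pixel up front will try to grab
    gigabytes for a file of a few kilobytes."""
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG")
    ihdr_data = png[16:29]                                   # 13-byte IHDR payload
    new_ihdr = struct.pack(">II", width, height) + ihdr_data[8:]
    return png[:8] + png_chunk(b"IHDR", new_ihdr) + png[33:]  # 8-byte sig + 25-byte IHDR chunk


def make_jpeg_header(width: int, height: int) -> bytes:
    """Constructed sample input: SOI + APP0/JFIF + SOF0 segments only (no scan data).
    Mirrors the header of a JPEG whose SOF claims the given size."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\x08" + struct.pack(">HH", height, width) + b"\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xc0" + struct.pack(">H", len(sof0) + 2) + sof0)


def declared_dimensions(data: bytes) -> tuple[int, int]:
    """Read (width, height) from the container header alone, without decoding pixels.
    Supports PNG (IHDR) and JPEG (first SOFn). This is the cheap check a service can
    run before handing the upload to an image library."""
    if data[:8] == PNG_SIG and data[12:16] == b"IHDR":
        return struct.unpack(">II", data[16:24])
    if data[:2] == b"\xff\xd8":
        pos = 2
        while pos + 4 <= len(data):
            if data[pos] != 0xFF:
                raise ValueError("malformed JPEG marker stream")
            marker = data[pos + 1]
            if marker == 0xFF:                                # fill byte
                pos += 1
                continue
            if marker == 0x01 or 0xD0 <= marker <= 0xD9:      # standalone markers (TEM, RSTn, SOI, EOI)
                pos += 2
                continue
            seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if marker in JPEG_SOF_MARKERS and pos + 9 <= len(data):
                height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
                return width, height
            pos += 2 + seglen
        raise ValueError("no SOF marker found")
    raise ValueError("unsupported or unrecognised image format")


def check_upload(data: bytes, max_pixels: int = MAX_PIXELS, bytes_per_pixel: int = 4) -> tuple[bool, str]:
    """Reject before decoding when the declared canvas exceeds the pixel cap."""
    try:
        width, height = declared_dimensions(data)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if width == 0 or height == 0:
        return False, "rejected: zero-sized image"
    pixels = width * height
    if pixels > max_pixels:
        return False, (f"rejected: {width}x{height} = {pixels} px would need about "
                       f"{pixels * bytes_per_pixel / 2**30:.1f} GiB decoded (cap {max_pixels} px)")
    return True, f"ok: {width}x{height} = {pixels} px"


if __name__ == "__main__":
    benign = make_png(260, 260)
    flood = spoof_png_dimensions(benign, 0xFAFA, 0xFAFA)    # 64250 x 64250, as in the report
    print(len(benign), "bytes benign,", len(flood), "bytes flood:", check_upload(flood)[1])
    print(check_upload(make_jpeg_header(65535, 65535))[1])  # the "64K x 64K" JPEG of case 2
    print(check_upload(make_jpeg_header(800, 600))[1])
```

The header check is only a fast pre-filter; the real control is the limit in whatever library actually allocates the canvas, since a header parser that misses a format (or a second image embedded behind the first) lets the decoder see the file anyway. Pillow exposes this as `Image.MAX_IMAGE_PIXELS` (it raises `DecompressionBombError` above twice that value), and ImageMagick reads width, height and area limits from its `policy.xml`. Pair the cap with per-worker memory limits and a conversion timeout so that one upload cannot take down the process that serves everyone else.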

Case 2

A second bug hunter submitted this report to CS Money through HackerOne.

Hello Team,
I went through your policy and saw that DoS is out of scope, but I am not sure about application-level DoS. Another reason to report this attack is that it affects real customers who want to chat with your support team. I tested this with two accounts:

  1. From Account 1 I tried to send a 64K x 64K resolution image.
  2. Simultaneously, from Account 2 I tried to send a normal image (over a different Internet connection).
  3. The response was 502 for both images.

Steps To Reproduce:

  1. Go to cs.money and log in with Account1; log in with Account2 on a different device over a different Internet connection.
  2. Find the Support symbol.
  3. Click on attachments and upload "lottapixel.jpg" from Account1.
  4. Simultaneously upload a normal image from Account2.

If you need more information please let me know.

  • From Device 1, Account1: image "lottapixel.jpg" is the payload; image "502.PNG" is proof that the attack succeeded.
  • From Device 2, Account2: images "upload timing from account2.png" and "Account2.png" are proof that real users are also affected.

Impact

Real users are not able to send images to the support team. It affects the availability of the resource. I recorded 1.2 minutes of downtime.

File can be found at: https://hackerone.com/reports/970760
