Twenty Year Anniversary

Signal Resource Exhaustion

Signal Resource Exhaustion
Posted Aug 30, 2018
Authored by Nick M McKenna

Signal on iOS (createGenericPreview) fails to check for unreasonably large images before manipulating received images. This allows for a large image sent to a user to exhaust all available memory when the image is displayed resulting in a forced restart of the device.

tags | advisory, denial of service
systems | ios
MD5 | 5fcb5cbb9844453047fb22759181b904

Signal Resource Exhaustion

Change Mirror Download
The image rendering component of Signal on IOS  (createGenericPreview)  fails to check for  unreasonably large images before manipulating received images. This allows for a large image sent to a user to exhaust all available memory when the image is displayed resulting in a forced restart of the device. 


When Signal receives an image and it is viewed, the image display function createGenericPreview is called which subsequently calls createHeroImageView on the image which adds shadows to the original image and downscales it. Because of this, any image sent to a client will be loaded into memory in full without checking if Signal or the device on which it is running have enough memory to hold said image. Given a sufficiently large image an attacker can cause memory exhaustion. In Signal, an attacker is able to send arbitrarily large images to a user so long as the image is below the file size limit Signal sets for images of several Mb. Generally, an image large enough to trigger memory exhaustion in this way would be too large to send however many image formats have built-in image compression for nearby pixels of the same color. In images with little variety of color this sort of compression results in a massive delta (many orders of magnitude) between the size of an image on disk and
the size of an image when loaded into memory. Thus, by sending a large single color image an attacker may remotely crash Signal and force a phone to restart.

Demo:
https://streamable.com/mxivw

References:
If you would like a premade file with which to test this check https://bomb.codes/

https://github.com/signalapp/Signal-iOS/blob/77711df27469970d938184c5f2cb9ca36aa6684b/SignalMessaging/ViewControllers/MediaMessageView.swift Line 256-313


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    15 Files
  • 11
    Dec 11th
    30 Files
  • 12
    Dec 12th
    25 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close