what you don't know can hurt you

Rencode Denial Of Service

Rencode Denial Of Service
Posted Sep 8, 2021
Authored by Antoine Martin

The Rencode python module for object serialization suffers from a 3-byte denial of service vulnerability.

tags | exploit, denial of service, python
MD5 | 68fe69c1f12b00f7861dfcf881e40d0c

Rencode Denial Of Service

Change Mirror Download
1) About Rencode
Rencode is a "Python module for fast (basic) object serialization
similar to bencode".
https://github.com/aresch/rencode
This library is used as a faster and more efficient data encoder than
bencode.
There are implementations in other languages: Golang, Javascript, Java,
Ruby, dart, etc
Some of these ports carry the same bug, the Go port does.
(as an aside - not all of these derived works have preserved the
original copyright and license)

2) Vulnerability
https://github.com/aresch/rencode/pull/29
Given malformed input, the rencode parser enters an infinite loop.
The shortest rencoded string to trigger this bug is ';\x2f\x7f' but
there is an infinite number of possibilities.
Although the library is accelerated in Cython, it cannot release the
global interpreter lock so the Python interpreter process is irreparably
locked up once the loop is entered.
The software becomes unresponsive and consumes CPU until the process
runs out of memory and is terminated - which can take a *very* long time.

3) Affected software
There are at least two active open-source network facing projects using
the vulnerable python rencode library in their transport layer: xpra and
deluge.
Xpra is a remote desktop access tool - aka "screen for X11" and Deluge
is a bittorrent client.
There are other programs out there using this library but they are less
prominent or not network facing, though there may well be more
vulnerable software written in other languages.

4) Example DoS against xpra
Xpra uses rencode for structured messages between its processes,
typically between clients and servers.
Given an xpra process listening on a TCP port, sending this tiny (11
bytes) malformed packet triggers the DoS:
'P\x01\x00\x00\x00\x00\x00\x03;/\x7f'
This does not require any authentication.
Some packaged installations create a system wide proxy server which runs
as root and listens on the IANA assigned TCP port 14500.
Other socket types don't make it any harder to trigger (ie: websockets,
SSL), only requiring extra packet encapsulation.
Local users may also have access to other user's unix domain sockets.

5) Mitigation
The easiest way is to remove the Cython accelerated version of rencode:
rm `python3 -c "from rencode import _rencode;print(_rencode.__file__)"`
As the pure Python fallback implementation does not have this bug.

6) Disclosure timeline
2021-08-05 bug discovered, fix provided
2021-08-06 requested a CVE from mitre
2021-08-10 fix applied in rencode
2021-09-07 disclosure



Login or Register to add favorites

File Archive:

October 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    16 Files
  • 2
    Oct 2nd
    1 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    24 Files
  • 5
    Oct 5th
    24 Files
  • 6
    Oct 6th
    11 Files
  • 7
    Oct 7th
    14 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    1 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    7 Files
  • 12
    Oct 12th
    15 Files
  • 13
    Oct 13th
    26 Files
  • 14
    Oct 14th
    10 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    2 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    15 Files
  • 20
    Oct 20th
    20 Files
  • 21
    Oct 21st
    12 Files
  • 22
    Oct 22nd
    14 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close