"Application Denial of Service via Import Recovery Key Functionality" #359

@crwood

From IncludeSec's 2021 Q2 security audit report (pp. 13-14; "informational finding 1"):

I1: Gridsync Application Denial of Service via Import Recovery Key Functionality

Description:
The Gridsync application was found to be vulnerable to Denial of Service (DoS) attacks. When a user imports a recovery key file containing only numeric characters, or when they attempt to import a directory instead of a file using this functionality, the application crashed with an unhandled exception.

Impact:
A malicious actor could share an improperly formatted recovery key with a legitimate user to crash their application. This could interrupt various application actions such as uploading or downloading files to/from the storage grid.

Reproduction:
First Instance – DoS via Recovery Key Containing Only Numeric Characters

  1. Create a file containing only numeric characters:
    echo 123 > test
  2. Launch Gridsync (adding --debug when launching via Terminal displays exception information).
  3. Select Recovery > Import Recovery Key.
  4. Browse to the test file and Open it for import.
  5. The application crashes.

The Gridsync application crashed when a user attempted to import a file which contains only numeric characters, such as 123. That value was treated as valid JSON so it did not trigger the except statement in the _parse_content() function of recover.py. The following snippet shows the stack trace after the crash:

Traceback (most recent call last):
  File "gridsync/gui/main_window.py", line 355, in import_recovery_key
  File "gridsync/gui/welcome.py", line 408, in on_restore_link_activated
  File "gridsync/recovery.py", line 224, in do_import
  File "gridsync/recovery.py", line 209, in _load_from_file
  File "gridsync/recovery.py", line 199, in _parse_content
TypeError: RecoveryKeyImporter.done[dict].emit(): argument 1 has unexpected type 'int'
Abort trap: 6

Second Instance – DoS via Importing Directory (MacOS)

  1. On a Mac open Terminal and create a directory with the .app extension:
    mkdir test.app
  2. Launch Gridsync (adding --debug when launching via Terminal displays exception information).
  3. Select Recovery > Import Recovery Key.
  4. Browse to test.app, select it, and click Open.
  5. The application crashes.

The assessment team also found that the Gridsync application crashed when a user attempted to import a directory instead of a file containing a recovery key. This is possible on macOS, where certain directories appear to be files, allowing them to be selected for import. For example, applications are actually directories with the .app extension, containing application code. The following snippet shows the error when attempting to import a directory:

2021-05-28 11:24:18,218 DEBUG _load_from_file Loading /Users/<REDACTED>/Desktop/test.app...
Traceback (most recent call last):
  File "gridsync/recovery.py", line 204, in _load_from_file
IsADirectoryError: [Errno 21] Is a directory: '/Users/<REDACTED>/Desktop/test.app'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "gridsync/gui/main_window.py", line 355, in import_recovery_key
  File "gridsync/gui/welcome.py", line 408, in on_restore_link_activated
  File "gridsync/recovery.py", line 224, in do_import
  File "gridsync/recovery.py", line 207, in _load_from_file
  File "gridsync/msg.py", line 17, in error
TypeError: arguments did not match any overloaded call:
  QMessageBox(parent: QWidget = None): argument 1 has unexpected type 'RecoveryKeyImporter'
  QMessageBox(QMessageBox.Icon, str, str, buttons: Union[QMessageBox.StandardButtons, QMessageBox.StandardButton] = QMessageBox.NoButton, parent: QWidget = None, flags: Union[Qt.WindowFlags, Qt.WindowType] = Qt.Dialog|Qt.MSWindowsFixedSizeDialogHint): argument 1 has unexpected type 'RecoveryKeyImporter'
Abort trap: 6

Recommended Remediation:
The assessment team recommends adding more data validity checks and exception handling to prevent the application from crashing when attempting to import an invalid recovery key.

The application also attempted to load very large files, which can lead to resource exhaustion and denial of service. Refusing to load unreasonably large recovery key files would avoid this issue.
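
One way to implement the recommended checks, as an added example that is not Gridsync's code or part of the audit report. The names `load_recovery_key` and `RecoveryKeyError` and the 1 MiB cap are hypothetical, and the example assumes the key is a plaintext JSON object (the `done[dict]` signal in the first traceback expects a dict). The sample inputs are constructed to mirror the report's cases.

```python
import json
import os
import stat
import tempfile

MAX_KEY_BYTES = 1024 * 1024  # assumed cap; the report names no specific limit

class RecoveryKeyError(Exception):
    """Any input that is not a usable recovery key."""

def load_recovery_key(path, max_bytes=MAX_KEY_BYTES):
    """Return the parsed key as a dict, or raise RecoveryKeyError."""
    try:
        with open(path, "rb") as f:
            if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
                raise RecoveryKeyError("not a regular file")  # checked on the open handle
            data = f.read(max_bytes + 1)  # one byte past the cap, never the whole file
    except OSError as e:  # e.g. IsADirectoryError for test.app
        raise RecoveryKeyError(f"cannot read: {e.strerror}") from e
    if len(data) > max_bytes:
        raise RecoveryKeyError("file too large")
    try:
        parsed = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError) as e:
        raise RecoveryKeyError("not valid JSON") from e
    if not isinstance(parsed, dict):  # "123" is valid JSON, but parses to an int
        raise RecoveryKeyError(f"expected JSON object, got {type(parsed).__name__}")
    return parsed

def demo():
    """Run the loader over constructed inputs mirroring the report's cases."""
    cases = {"numeric": b"123\n", "valid": b'{"k": "constructed"}',
             "huge": b" " * (MAX_KEY_BYTES + 1), "test.app": None}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, content in cases.items():
            p = os.path.join(d, name)
            if content is None:
                os.mkdir(p)  # a directory that a file dialog may offer as a file
            else:
                with open(p, "wb") as f:
                    f.write(content)
            try:
                results[name] = load_recovery_key(p)
            except RecoveryKeyError as e:
                results[name] = str(e)
    return results

if __name__ == "__main__":
    print(demo())
```

Every failure surfaces as a single exception type, so the GUI caller needs only one `except RecoveryKeyError` branch to show an error dialog instead of aborting.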
