ESCALATED: Decompression Bomb

HackerOne report #687730 by u3mur4 on 2019-09-04, assigned to jmatos_bgtvf:

Summary

A decompression bomb is a file designed to crash or render useless the program or system reading it, i.e. a denial of service.

An attacker can create a carefully crafted tar.gz file and upload it using the Import an exported GitLab project functionality. When the file is unpacked, its contents explode in size and fill the drive.

Steps to reproduce

  • Download the 100gb.tar.gz file (100MB)
  • Sign in to a GitLab instance
  • Create (Import) a New Project using the Import an exported GitLab project
  • Set the GitLab project export file form field to the previously downloaded 100gb.tar.gz file
  • Click Import Project and wait until it has finished
  • Repeat this process until the disk is full
  • When the disk is full, multiple functions become unavailable (see Video and Impact)

Video version:
bomb.mp4

How to create the decompression bomb file

You can create the compressed file yourself using a couple of bash commands:

fallocate -l 100G 100gb.zeros
tar cvf - 100gb.zeros | gzip -9 - > 100gb.tar.gz

I created a short Go program, main.go, to create the compressed file without any intermediate file. The program also sets the modification time inside the tar file to a future date because of the following bug/behavior:

The ImportExportProjectCleanupWorker runs every hour and deletes the uncompressed files whose modification time is older than 1 day. Because we set the modification time to a future date inside the tar archive, the uncompressed data will never be deleted.

stat -c '%y' big_file
2020-09-03 21:44:51.000000000 +0200

Impact

  • Random 500 errors
  • Unable to create/import new projects
  • Unable to create issues
  • Unable to push git changes
  • Unable to upload any file: file avatar, project avatar
  • Unable to access the whole site
  • etc...

What is the current bug behavior?

  • no size check before decompression
  • tar sets the modification time of the file

What is the expected correct behavior?

  • Limit the maximum file size (gzip -l 100gb.tar.gz to get the uncompressed size)
  • Use the -m, --touch flag so that the file modification time is not extracted

GitLab version info

omnibus-gitlab package: GitLab Community Edition 12.2.4
gitlab-development-kit: GitLab Community Edition 12.3.0-pre gitlab-ce@f4e40c532b5582f47a0dd9bf7054112fc9ec6085
gitlab.com: not tested because of DoS
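As an added example (not the reporter's main.go and not GitLab's code), a Go check implementing the two expected behaviours above on the import side: bound the decompressed size by counting the bytes that actually stream out of gzip instead of trusting `gzip -l`, and clamp future mtimes the way `tar -m` would. The 1 GiB cap and the file-argument wrapper in main are assumptions.

```go
package main

import (
	"archive/tar"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"os"
	"time"
)

var ErrTooLarge = errors.New("archive exceeds decompressed size limit")

// ScanTarGz streams r through gzip and tar, counting the bytes that actually come
// out against maxBytes instead of trusting the gzip ISIZE trailer (`gzip -l`),
// which is attacker-controlled and wraps at 4 GiB. Entry mtimes in the future are
// clamped to now, the effect of `tar -m` (--touch). Sanitised headers are returned.
func ScanTarGz(r io.Reader, maxBytes int64, now time.Time) ([]tar.Header, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	lr := &io.LimitedReader{R: gz, N: maxBytes + 1} // +1 tells "at the cap" from "over it"
	tr := tar.NewReader(lr)
	var entries []tar.Header
	for {
		hdr, err := tr.Next()
		if err == nil {
			_, err = io.Copy(io.Discard, tr) // an importer would write the file to disk here
		}
		switch {
		case lr.N == 0: // the limit cut the stream: over the cap however tar reported it
			return nil, ErrTooLarge
		case err == io.EOF:
			return entries, nil
		case err != nil:
			return nil, err
		case hdr.ModTime.After(now):
			hdr.ModTime = now
		}
		entries = append(entries, *hdr)
	}
}

func main() { // usage: go run . export.tar.gz; the 1 GiB cap is an assumed policy value
	f, err := os.Open(os.Args[1])
	if err == nil {
		_, err = ScanTarGz(f, 1<<30, time.Now())
	}
	fmt.Println("import error:", err)
}
```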
