ESCALATED: Decompression Bomb
HackerOne report #687730 by u3mur4
on 2019-09-04, assigned to jmatos_bgtvf
Summary
A decompression bomb is a file designed to crash or render useless the program or system reading it, i.e. a denial of service.
An attacker can create a carefully crafted tar.gz file and upload it using the "Import an exported GitLab project" functionality. When the file is unpacked, its contents expand to many times the size of the archive and fill the drive.
Steps to reproduce
- Download the file (100MB)
- Sign in to a GitLab instance
- Create (Import) a New Project using the Import an exported GitLab project
- Set the GitLab project export file form field to the previously downloaded file
- Click to Import Project and wait until it's finished
- Repeat this process until the disk is full
- When the disk is full, multiple functions become unavailable (see Video and Impact)
Video version:
bomb.mp4
How to create the decompression bomb file
You can create the compressed file yourself using a couple of bash commands:
fallocate -l 100G 100gb.zeros
tar cvf - 100gb.zeros | gzip -9 - > 100gb.tar.gz
I created a short Go program to create the compressed file without any intermediate file. The program also sets the modification time inside the tar file to a future date because of the following bug/behavior:
The ImportExportProjectCleanupWorker runs every hour and deletes the uncompressed files whose modification time is older than 1 day. Because we set the modification time to a future date inside the tar archive, the uncompressed data will never be deleted:
stat -c '%y' big_file
2020-09-03 21:44:51.000000000 +0200
Impact
- Random 500 errors
- Unable to create/import new projects
- Unable to create issues
- Unable to push git changes
- Unable to upload any file: file avatar, project avatar
- Unable to access the whole site
- etc...
What is the current bug behavior?
- no size check before decompression
- tar applies the modification time stored in the archive to the extracted file
What is the expected correct behavior?
- Limit the maximum uncompressed size (gzip -l 100gb.tar.gz reports the uncompressed size)
- Use the -m, --touch flag so that the modification time stored in the archive is not applied to the extracted file
GitLab version info
omnibus-gitlab package: GitLab Community Edition 12.2.4
gitlab-development-kit: GitLab Community Edition 12.3.0-pre gitlab-ce@f4e40c532b5582f47a0dd9bf7054112fc9ec6085
gitlab.com: not tested because of the denial-of-service impact