TDS dissector infinite loop leads to excessive memory and CPU consumption - denial of service
Summary
A specifically crafted TDS5_QUERY_PKT packet can drive the TDS dissector into an infinite loop: the packet yields an unlimited number of zero-length tokenized variables, so the read offset is left at the same position on every iteration. Dissecting the packet consumes an excessive amount of memory and 100% of a CPU core, which eventually leads to a denial of service via packet injection or a crafted capture file.
Technical details
Tabular Data Stream (TDS) is an application layer protocol used to transfer data between a database server and a client. It runs over TCP port 1433.
The bug resides in TDS command 15 (TDS5_QUERY_PKT), which transfers a tokenized query. This message type is parsed in dissect_tds5_tokenized_request_packet. There, a while loop extracts fixed-size and variable-size tokens using tds_get_fixed_token_size_sybase and tds_get_variable_token_size_sybase respectively. The loop reads from the packet at offset/pos, which is advanced by the token size these two functions report (pos += token_sz;). However, either function may report a zero-length variable (0), in which case offset/pos stays at the same place and the loop reads the "same" variable over and over again, forever.
The result is an infinite loop and a denial of service.
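To make the failure mode concrete, here is an added C example (not Wireshark's code; the toy token layout, the function names and the sample byte streams are constructed for illustration only). It walks a tokenized buffer the way the loop described above does: once with the unguarded pos += token_sz advance, which stalls when a token is reported as zero bytes, and once with a forward-progress check that rejects such a token instead of spinning.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy token encoding (not the real TDS5 wire format):
 *   byte 0: token type
 *   TOK_FIXED4: 4 bytes of payload follow the type byte
 *   TOK_VAR:    one length byte follows, then that many payload bytes
 *   any other type: unknown, and the size lookup reports 0, mirroring the
 *   zero-length return described in the report */
enum { TOK_FIXED4 = 0x10, TOK_VAR = 0x20 };

#define PARSE_OK          0
#define ERR_NO_PROGRESS  -1   /* a token that would not advance the cursor */
#define ERR_TRUNCATED    -2   /* token runs past the end of the buffer */

/* Total size of the token at buf[pos] including its type byte, or an error. */
static int token_size(const uint8_t *buf, size_t len, size_t pos) {
    switch (buf[pos]) {
    case TOK_FIXED4:
        return 1 + 4;
    case TOK_VAR:
        if (pos + 1 >= len) return ERR_TRUNCATED;
        return 1 + 1 + buf[pos + 1];
    default:
        return 0;   /* unknown token type: size lookup yields 0 */
    }
}

/* Unguarded walk: pos += sz with no progress check. An iteration cap is the
 * only thing that makes it terminate here; it returns the iterations used, so
 * hitting the cap shows the cursor never moved past the zero-size token. */
int parse_tokens_unguarded(const uint8_t *buf, size_t len, int max_iters) {
    size_t pos = 0;
    int iters = 0;
    while (pos < len && iters < max_iters) {
        int sz = token_size(buf, len, pos);
        if (sz < 0) break;
        pos += (size_t)sz;   /* sz == 0 leaves pos unchanged */
        iters++;
    }
    return iters;
}

/* Hardened walk: every iteration must strictly advance pos and stay in bounds.
 * Stores the number of tokens consumed and returns PARSE_OK or an error code. */
int parse_tokens_guarded(const uint8_t *buf, size_t len, int *ntokens) {
    size_t pos = 0;
    *ntokens = 0;
    while (pos < len) {
        int sz = token_size(buf, len, pos);
        if (sz < 0) return sz;
        if (sz == 0) return ERR_NO_PROGRESS;       /* refuse to spin in place */
        if ((size_t)sz > len - pos) return ERR_TRUNCATED;
        pos += (size_t)sz;
        (*ntokens)++;
    }
    return PARSE_OK;
}

/* Constructed sample streams. */
const uint8_t GOOD_STREAM[] = { TOK_FIXED4, 1, 2, 3, 4, TOK_VAR, 2, 0xAA, 0xBB };
/* A well-formed token followed by an unknown type whose size is reported as 0. */
const uint8_t STALL_STREAM[] = { TOK_FIXED4, 1, 2, 3, 4, 0x00, 0x00 };

int main(void) {
    int n;
    printf("unguarded/good:  %d iterations\n",
           parse_tokens_unguarded(GOOD_STREAM, sizeof GOOD_STREAM, 1000));
    printf("unguarded/stall: %d iterations (hit the cap)\n",
           parse_tokens_unguarded(STALL_STREAM, sizeof STALL_STREAM, 1000));
    printf("guarded/good:    rc=%d tokens=%d\n",
           parse_tokens_guarded(GOOD_STREAM, sizeof GOOD_STREAM, &n), n);
    printf("guarded/stall:   rc=%d tokens=%d\n",
           parse_tokens_guarded(STALL_STREAM, sizeof STALL_STREAM, &n), n);
    return 0;
}
```

The guarded walk is the shape a dissector needs: a zero-size token is treated as a malformed packet and parsing stops after the tokens already consumed, rather than relying on an iteration budget. Checking sz against len - pos rather than pos + sz against len also avoids overflow in the bound comparison.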
Steps to reproduce
Open the provided capture poc_tds_var_token_size_zero_sysbase_dos.pcap with Wireshark.
What is the current bug behavior?
Wireshark gets stuck while dissecting a single maliciously crafted packet.
What is the expected correct behavior?
Wireshark should ignore the malicious packet.
Sample capture file
Open the provided capture poc_tds_var_token_size_zero_sysbase_dos.pcap with Wireshark.
Relevant logs and/or screenshots
[Protocols in frame: eth:ethertype:ip:tcp:tds]
...
...
Tabular Data Stream
Type: TDS5 query (15)
Status: 0x33, End of message, Ignore this event, Reset connection keeping transaction state
.... ...1 = End of message: True
.... ..1. = Ignore this event: True
.... .0.. = Event notification: False
.... 0... = Reset connection: False
...1 .... = Reset connection keeping transaction state: True
Length: 202
Channel: 50501
Packet Number: 11
Window: 0
TDS5 Query Packet
Token 0x00 Unknown Token Type
Token 0x00 Unknown Token Type
Token 0x00 Unknown Token Type
Token 0x00 Unknown Token Type
Token 0x00 Unknown Token Type
Token 0xe6 DBRPC
Token Length - DBRPC: 91
DBRPC - RPC Name Length: 34
DBRPC - RPC Name: \357\274\235\357\277\277\357\277\277\357\277\277
DBRPC - Options: 0xffff, Recompile, Has parameters
.... .... .... ...1 = Recompile: True
.... .... .... ..1. = Has parameters: True
Token 0xff Done In Proc
Token 0x00 Unknown Token Type
Token 0x04 Unknown Token Type
Token 0x00 Unknown Token Type
Token 0x00 Unknown Token Type
Token 0x00 Unknown Token Type
Token 0x00 Unknown Token Type
Token 0x22 TDS5 OrderBy2
Token 0x22 TDS5 OrderBy2
Token 0x22 TDS5 OrderBy2
Token 0x22 TDS5 OrderBy2
Token 0x22 TDS5 OrderBy2
Token 0x22 TDS5 OrderBy2
...
...
...
Token 0x22 TDS5 OrderBy2
Token 0x22 TDS5 OrderBy2
Build information
TShark (Wireshark) 3.7.0 (v3.7.0rc0-844-g14a1dfbe1083)