26 comments

[ 4.3 ms ] story [ 58.9 ms ] thread
Is this just a 21st century zipbomb?

0: https://en.m.wikipedia.org/wiki/Zip_bomb

The linked Wikipedia entry specifically references zip bombs as "a similar attack utilizing zip archives"
(comment deleted)
Pretty sure this existed in the 20th century too.
(comment deleted)
This is why I switched from yaml to scl. (Rust)

https://github.com/Keats/scl

EDIT: In spite of those who are downvoting my comment without even replying, I'm leaving it anyway; cause sharing good software outweighs whatever loss they intend to inflict.

Is Rust the Arch of programming languages?

"Btw I use Rust".

> the Arch of programming languages

I don't get your analogy.

I think they were getting at this:

How do you know someone uses "X"? Don't worry, they'll tell you.

How do you know if an individual is a vegan, does CrossFit, etc? Don't worry they'll tell you.
An elderly lady comes into the police station crying hysterically. "I've just been mugged!" she cries.

The desk sergeant asks, "Can you describe the mugger?"

"Not really, he grabbed me from behind. I know he's a man, bigger than me, and he's vegan."

"How on earth do you know he's vegan?"

"He bloody told me!"

I think that Rust has captured many developers that previously used Javascript, so it's their first introduction to things like static typing. As a result they are amazed that a compiler can show them errors in their code before it's run.
Interestingly, many browsers are still susceptible to this attack, for example when used in SVG files (WARNING: might crash your browser and/or operating system): https://jsfiddle.net/e3guLn08/
Browsers are susceptible to a server that generates an infinite HTML page (e.g. CGI shell script calling "yes <arg>"), and also to thing called JavaScript that can eat all your memory programmatically (and does exactly so on a regular basis).
This was been around for well over a decade. Interestingly though, denial of service is the less interesting issue that external entity parsing comes with. It can lead all the way to data exfiltration and remote code execution.
This is loads of fun against batteries included web frameworks like rail, grails, play framework and so on. Not sure about now, but a few years ago basically all of them were susceptible to this and XXE and it was extremely difficult to disable in the XML parsers.
Time to switch to JSON
Yep, there you can have direct code execution with some parses also... fun times. Creating objects out of untrusted data can be difficult.
> A "Billion laughs" attack should exist for any file format that can contain references, for example this YAML bomb:

C preprocessor?

  $ gcc -E - | wc
  #define EXP(X) X X X X X X X X X X X X X X X X
  #define LOL1 EXP(LOL)
  #define LOL2 EXP(LOL1)
  #define LOL3 EXP(LOL2)
  #define LOL4 EXP(LOL3)
  #define LOL5 EXP(LOL4)
  LOL5
  [Ctrl-D][Enter]
  11 1048588 4194376
Not normally considered a "file format", though. People don't open a C preprocessor attachment in their e-mail only to have some application grind their PC and crash. Or use this for RPC calls and whatnot.