Details
Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version: 2.7.3
Environment: Linux or Mac, Karaf 2.3.1 container, CXF 2.7.3
Description
Let's say I protect my JAX-RS service using SamlHeaderInHandler. The service expects me to include a valid deflate-encoded (compressed) then base64-encoded token in the Authorization header of my RESTful call, like this:
SAML <TOKEN GOES HERE>
However, if instead of inserting a token I insert the string "invalid_grant" in the Authorization header, like so:
SAML invalid_grant
The following will happen:
1. SamlHeaderInHandler splits the header into its two parts and sends what it thinks is the assertion (the "invalid_grant" string) to AbstractSamlBase64InHandler.handleToken.
2. AbstractSamlBase64InHandler.handleToken first base64-decodes the string. This completes with no error.
3. AbstractSamlBase64InHandler.handleToken then tries to inflate the assertion.
It is during this last step that CXF goes into an infinite loop. Here is the code involved:
    while (!inflater.finished()) {
        inputLen = inflater.inflate(input);
        if (!inflater.finished()) {
            // remainder of the loop body not included in the report
        }
    }
When the input is the following byte array:
[94, -27, -122, 110, 16, 59, 41, 43, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
(which is the result from base 64 decoding the string "invalid_grant")
The loop never breaks because the test inflater.finished() never becomes true, even when inputLen is 0. Thus the service hangs indefinitely.
I am classifying this as Critical because, essentially, by crafting a certain type of request, I can execute a denial of service attack against the service.
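As an added illustration (not CXF's code), the following Java shows an inflate loop that fails fast on a truncated or malformed raw-DEFLATE stream instead of spinning on finished(), run against a constructed well-formed token and the same stream cut in half; the output size cap is an assumption for the example, not a CXF setting.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

public class BoundedInflate {
    // Assumed cap on inflated size (not a CXF setting): a few bytes of input
    // must not be allowed to expand without limit.
    static final int MAX_INFLATED_BYTES = 64 * 1024;

    static byte[] inflateBounded(byte[] deflated) throws DataFormatException {
        Inflater inflater = new Inflater(true); // raw DEFLATE, as used for the SAML token
        inflater.setInput(deflated);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        while (!inflater.finished()) {
            int n = inflater.inflate(buf);
            // The reported loop only tested finished(): on truncated or garbage input
            // inflate() keeps returning 0 and finished() never turns true, so it spins.
            if (n == 0 && !inflater.finished()) {
                throw new DataFormatException("truncated or malformed DEFLATE stream");
            }
            out.write(buf, 0, n);
            if (out.size() > MAX_INFLATED_BYTES) {
                throw new DataFormatException("inflated token exceeds " + MAX_INFLATED_BYTES + " bytes");
            }
        }
        inflater.end();
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample token, then the same stream cut in half.
        byte[] plain = "<saml:Assertion>sample</saml:Assertion>".getBytes(StandardCharsets.UTF_8);
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        deflater.setInput(plain);
        deflater.finish();
        byte[] tmp = new byte[256];
        byte[] good = Arrays.copyOf(tmp, deflater.deflate(tmp));
        deflater.end();
        byte[] truncated = Arrays.copyOf(good, good.length / 2);
        System.out.println("good: " + new String(inflateBounded(good), StandardCharsets.UTF_8));
        try {
            inflateBounded(truncated);
        } catch (DataFormatException e) {
            System.out.println("truncated: rejected, " + e.getMessage());
        }
    }
}
```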