Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-5390

AbstractSamlBase64InHandler goes into infinite loop when processing bad header value.

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 2.7.3
    • 3.0.0-milestone1, 2.7.8, 2.6.11
    • None
    • None
    • Linux or Mac, Karaf 2.3.1 container, CXF 2.7.3

    • Unknown

    Description

      Let's say I protect my JAX-RS service using SamlHeaderInHandler. The service expects me to include a valid deflate encoded (compressed) then base 64 encoded token in the Authorization of my RESTful call like this:

      SAML <TOKEN GOES HERE>

      However if instead of inserting a token, I insert the following string "invalid_grant" in the Authrorization header like so:

      SAML invalid_grant

      The following will happen:
      1. SamlHeaderInHandler splits the header into it's two parts and sends what it thinks is the assertion (the "invalid_grant" string) AbstractSamlBase64InHandler.handleToken
      2. AbstractSamlBase64InHandler.handleToken first base 64 decodes the string. This completes with no error.
      3. AbstractSamlBase64InHandler.handleToken then tries to inflate the assertion.

      It is during this last step that CXF goes into an infinite loop. Here is the code involved:

      while (!inflater.finished()) {
      inputLen = inflater.inflate(input);
      if (!inflater.finished())

      { inflatedToken = new byte[input.length + inflatedLen]; System.arraycopy(input, 0, inflatedToken, inflatedLen, inputLen); inflatedLen += inputLen; }

      }

      When the input is the following byte array:

      [94, -27, -122, 110, 16, 59, 41, 43, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]

      (which is the result from base 64 decoding the string "invalid_grant")

      The loop never breaks because the test inflater.finished() is never true even if inputLen is 0. Thus the service hangs indefinitely.

      I am classifying this as Critical because, essentially, by crafting a certain type of request, I can execute a denial of service attack against the service.

      Attachments

        Activity

          People

            sergey_beryozkin Sergey Beryozkin
            geecxf Dario Amiri
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: