'conduit-hyper', a package that integrates conduit applications with the hyper server, had a vulnerability prior to version 0.4.2: it did not impose any limit on the request length. The crate could panic if an attacker sent a malicious request with an abnormally large 'Content-Length'. This post discusses the exploit details, provides code snippets pertaining to the vulnerability, and offers resources on how to mitigate the issue.

Original References

1. hyper::body::to_bytes
2. conduit-hyper on crates.io

Exploit Details

Before version 0.4.2, the conduit-hyper package performed no check on the length of a request before invoking the hyper::body::to_bytes function to buffer the whole body. As a result, an attacker could send a request with an unusually large Content-Length, which could cause a panic if there wasn't enough memory available to process the request.

Code Snippet (Vulnerable Version)

/// conduit-hyper (before v0.4.2)

async fn handle_request(connection: Http<Request<Body>>, req: Request<Body>) {
    ...
    // No check of the declared request length is performed here, so the
    // whole body is buffered into memory regardless of its size.
    let req_body = hyper::body::to_bytes(req.into_body()).await;
    ...
}

In version 0.4.2, the developers set an internal limit of 128 MiB per request, which prevents oversized requests from causing memory allocation problems. If the declared request size exceeds this limit, the package returns a 400 "Bad Request" status.

Code Snippet (Fixed Version)

/// conduit-hyper (v0.4.2 onwards)

use hyper::header::CONTENT_LENGTH;

// Example constant value for max_request_length
const MAX_REQUEST_LENGTH: u64 = 128 * 1024 * 1024; // 128 MiB

async fn handle_request(connection: Http<Request<Body>>, req: Request<Body>) -> Result<Response<Body>, Status> {
    ...
    // The declared request length is now checked before the body is buffered.
    if let Some(content_length) = req.headers().get(CONTENT_LENGTH) {
        // A malformed header is rejected with 400 rather than unwrap()ed:
        // a panic here would reintroduce the failure mode being fixed.
        let length = content_length
            .to_str()
            .ok()
            .and_then(|s| s.parse::<u64>().ok())
            .ok_or(Status::BadRequest)?;
        if length > MAX_REQUEST_LENGTH {
            return Err(Status::BadRequest);
        }
    }

    let req_body = hyper::body::to_bytes(req.into_body()).await;
    ...
}
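The check-then-bound pattern the fixed snippet sketches, written out as a stand-alone example using only the Rust standard library. This is added illustration, not conduit-hyper's own code: the header slice type, the `Reject` enum and the use of a plain `Read` source in place of a hyper body are assumptions. It also covers the case the header check alone misses: a body with no Content-Length (or one longer than declared) is still cut off at the limit.

```rust
use std::io::Read;
/// 128 MiB cap as the page describes; the constant name is this example's own.
pub const MAX_REQUEST_LENGTH: u64 = 128 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum Reject {
    /// Header present but not a single, consistent decimal number.
    MalformedContentLength,
    /// Declared or actual body size exceeds the limit.
    TooLarge,
    Io(String),
}

/// Pre-flight check on the declared length. Ok(None) means no header was
/// sent (e.g. chunked transfer), so the caller must still bound the body.
pub fn check_content_length(headers: &[(&str, &str)], max: u64) -> Result<Option<u64>, Reject> {
    let mut declared: Option<u64> = None;
    for (name, value) in headers {
        if !name.eq_ignore_ascii_case("content-length") {
            continue;
        }
        // Reject non-numeric or conflicting duplicate values instead of unwrap()ing.
        let n: u64 = value.trim().parse().map_err(|_| Reject::MalformedContentLength)?;
        if declared.map_or(false, |d| d != n) {
            return Err(Reject::MalformedContentLength);
        }
        declared = Some(n);
    }
    if let Some(n) = declared {
        if n > max {
            return Err(Reject::TooLarge);
        }
    }
    Ok(declared)
}

/// Read at most `max` bytes of body without sizing a buffer from the header,
/// so a peer that sends more than it declared (or declared nothing) is cut off.
pub fn read_body_bounded<R: Read>(body: R, max: u64) -> Result<Vec<u8>, Reject> {
    let mut buf = Vec::new();
    // Read one byte past the limit so overflow is detected, not silently truncated.
    body.take(max.saturating_add(1))
        .read_to_end(&mut buf)
        .map_err(|e| Reject::Io(e.to_string()))?;
    if buf.len() as u64 > max {
        return Err(Reject::TooLarge);
    }
    Ok(buf)
}
```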

It should be noted that while this crate is part of the implementation of Rust's crates.io, the service itself is not affected by this vulnerability because its existing cloud infrastructure already drops such malicious requests.

However, the conduit-hyper crate is still not recommended for production use and should not be used to directly serve the public Internet. Users are encouraged to upgrade to version 0.4.2 or later to mitigate the risk associated with this vulnerability.

In conclusion, the CVE-2022-39294 vulnerability highlights the importance of validating the input data and handling potential memory allocation issues in libraries/packages. Upgrading to the latest version of 'conduit-hyper' and following general security guidelines for handling user input can significantly reduce the risk of exploitation.

Timeline

Published on: 10/31/2022 19:15:00 UTC
Last modified on: 07/11/2023 20:51:00 UTC