In this post, we will dive deep into a critical vulnerability (CVE-2024-7254) that affects any project that parses untrusted Protocol Buffers (Protobuf) data containing an arbitrary number of nested groups or series of SGROUP tags. This vulnerability can lead to corruption by exceeding the stack limit, commonly known as StackOverflow. If exploited, parsing nested groups with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, can result in unbounded recursions that an attacker can take advantage of.

Background

Protocol Buffers, or Protobuf for short, is a popular data interchange format developed by Google. It provides a language-agnostic way to describe data structures and has been used in numerous applications and domains, from network protocol design to big data serialization.

Sometime around June 2023, a developer discovered that certain Protobuf data structures could be attacked by maliciously crafted data. The affected projects parsed untrusted data containing an arbitrary number of nested groups / series of SGROUP tags, causing a StackOverflow vulnerability in the parser's implementation.

The vulnerability was assigned CVE-2024-7254 for tracking purposes.

Exploit Details

The essence of this vulnerability lies in the fact that the affected Protobuf parsers don't have a built-in limit for recursion depth during the parsing process. When parsing nested groups or SGROUP tags as unknown fields, using parsers like DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, attackers can create extremely deep nested structures that lead to unbounded recursions.

These unbounded recursions result in exceeding the application's stack limit, causing a StackOverflow error. Once triggered, this can lead to various attack outcomes like denial-of-service (DoS) attacks or even remote code execution in certain cases.

Code Snippet Example

Below is a simple example snippet of a Protobuf message with nested groups that can be abused to exploit this vulnerability:

message NestedGroups {
  optional group Group1 {
    optional group Group2 {
      optional group Group3 {
        optional group Group4 {
          optional int32 value = 1;
        }
      }
    }
  }
}

In this example, the message NestedGroups contains four nested groups, representing a benign structure. However, an attacker can create a much deeper nesting to exploit the vulnerability.

Original References & Mitigations

Upon discovering this vulnerability, the developer reported it to the Google Security Team. They acknowledged the issue and proposed appropriate fixes for the affected parsers.

The official Google Security blog post on the issue can be found here.

Google released a patch for the Protobuf parser implementations in various languages, fixing the issue by enforcing a maximum recursion depth while parsing nested groups and map fields. This patch can be downloaded and installed from the official Protobuf GitHub repository here.

Developers and maintainers of affected projects should ensure that their Protobuf parser version is updated to the patched release to prevent this vulnerability from being exploited.

Conclusion

CVE-2024-7254 is a severe vulnerability that can lead to StackOverflow errors in projects that parse untrusted Protocol Buffers data containing an arbitrary number of nested groups or series of SGROUP tags. To protect your project, it is essential to update your Protobuf parser implementation to the latest, patched release. By doing so, you will be ensuring the integrity and safety of your system, and protecting your users from potential attacks.

Timeline

Published on: 09/19/2024 01:15:10 UTC
Last modified on: 12/13/2024 14:15:22 UTC