Denial of service due large limit on message and frame size

Title: CWE-770 (Allocation of Resources Without Limits or Throttling)

Library: Qt WebSockets (C++)

Vulnerability Type: Denial of Service (DoS)

Component: WebSocket Frame Handling

Affected Versions: Qt versions <=5.14.1

Fixed in: Qt version 5.14.2

CVE-ID: CVE-2018-21035

Common Weakness Enumeration: CWE-770 (Allocation of Resources Without Limits or Throttling)

Description

The Qt WebSockets module accepts WebSocket frames and messages of up to 2GB in size. This large limit makes it possible for an attacker to cause a Denial of Service (DoS) by exhausting the memory of the server or client. An attacker can create numerous WebSocket connections and send partial messages with frames of maximum size until the memory is exhausted, resulting in a crash.

Attack Scenario

An attacker can exploit this vulnerability by establishing multiple WebSocket connections to the target server and sending very large frames or messages. By doing so, the attacker can deplete the available memory of the server, leading to a crash and a denial of service.

Example Payload

A payload that sends a large frame of nearly 2GB in size can be used to exploit this vulnerability. The payload can be repeated multiple times to consume all available memory.

Vulnerable Code Example

Here is a simplified example demonstrating the vulnerability in Qt WebSockets:

#include <QtCore/QCoreApplication>
#include <QtWebSockets/QWebSocket>
#include <QtWebSockets/QWebSocketServer>

const quint64 MAX_FRAME_SIZE_IN_BYTES = INT_MAX - 1;
const quint64 MAX_MESSAGE_SIZE_IN_BYTES = INT_MAX - 1;

class EchoServer : public QObject
{
    Q_OBJECT

public:
    EchoServer(quint16 port, QObject *parent = nullptr)
        : QObject(parent),
          m_pWebSocketServer(new QWebSocketServer(QStringLiteral("Echo Server"),
                                                  QWebSocketServer::NonSecureMode, this))
    {
        if (m_pWebSocketServer->listen(QHostAddress::Any, port)) {
            connect(m_pWebSocketServer, &QWebSocketServer::newConnection,
                    this, &EchoServer::onNewConnection);
        }
    }

private Q_SLOTS:
    void onNewConnection() {
        QWebSocket *pSocket = m_pWebSocketServer->nextPendingConnection();
        connect(pSocket, &QWebSocket::textMessageReceived, this, &EchoServer::processTextMessage);
        connect(pSocket, &QWebSocket::disconnected, pSocket, &QWebSocket::deleteLater);
    }

    void processTextMessage(const QString &message) {
        // Echo the received message
        QWebSocket *pClient = qobject_cast<QWebSocket *>(sender());
        if (pClient) {
            pClient->sendTextMessage(message);
        }
    }

private:
    QWebSocketServer *m_pWebSocketServer;
};

int main(int argc, char *argv[])
{
    QCoreApplication a(argc, argv);
    EchoServer server(1234);
    return a.exec();
}

In the above code, there is no limit on the size of WebSocket frames or messages, making it vulnerable to the described attack.

Mitigation

To mitigate this issue, Qt 5.14.2 introduced configuration options to limit the maximum size of WebSocket frames and messages. Here is an example of how to set these limits:

#include <QtCore/QCoreApplication>
#include <QtWebSockets/QWebSocket>
#include <QtWebSockets/QWebSocketServer>

class EchoServer : public QObject
{
    Q_OBJECT

public:
    EchoServer(quint16 port, QObject *parent = nullptr)
        : QObject(parent),
          m_pWebSocketServer(new QWebSocketServer(QStringLiteral("Echo Server"),
                                                  QWebSocketServer::NonSecureMode, this))
    {
        if (m_pWebSocketServer->listen(QHostAddress::Any, port)) {
            connect(m_pWebSocketServer, &QWebSocketServer::newConnection,
                    this, &EchoServer::onNewConnection);
        }
    }

private Q_SLOTS:
    void onNewConnection() {
        QWebSocket *pSocket = m_pWebSocketServer->nextPendingConnection();
        pSocket->setMaxMessageSize(1024 * 1024); // 1 MB max message size
        pSocket->setMaxFrameSize(1024 * 1024);   // 1 MB max frame size
        connect(pSocket, &QWebSocket::textMessageReceived, this, &EchoServer::processTextMessage);
        connect(pSocket, &QWebSocket::disconnected, pSocket, &QWebSocket::deleteLater);
    }

    void processTextMessage(const QString &message) {
        // Echo the received message
        QWebSocket *pClient = qobject_cast<QWebSocket *>(sender());
        if (pClient) {
            pClient->sendTextMessage(message);
        }
    }

private:
    QWebSocketServer *m_pWebSocketServer;
};

int main(int argc, char *argv[])
{
    QCoreApplication a(argc, argv);
    EchoServer server(1234);
    return a.exec();
}

In this updated code, the maximum message and frame sizes are set to 1MB, which mitigates the risk of memory exhaustion attacks.

Conclusion

To protect against Denial of Service attacks via memory exhaustion in Qt WebSockets, ensure that you upgrade to Qt version 5.14.2 or later and configure the maximum sizes for WebSocket frames and messages. This configuration helps prevent the server from being overwhelmed by large, maliciously crafted payloads.