This repository has been archived by the owner on Dec 28, 2023. It is now read-only.

Denial of Service When loading xray using super-xray.exe itself

Moderate
4ra1n published GHSA-vgxx-2crp-32vv Jan 16, 2023

Package

super-xray (super-xray)

Affected versions

<1.2

Patched versions

1.3

Description

Severity

CVSS score: 5.5

  • Severity level: Moderate
  • Attack vector: Local
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction: Required
  • Scope: Unchanged
  • Confidentiality impact: Low
  • Integrity impact: Low
  • Availability impact: High

Vendor

super-xray

Versions Affected

Version 1.2 and below

Description

When loading xray, if super-xray-version.exe is selected, it loads itself endlessly and cannot be closed until system resources are exhausted. Not only does super-xray itself become unusable, the operating system's resources are exhausted as well, which makes this a fairly serious security problem.

Note: this only affects Windows systems and requires the exe version of super-xray.

Loading super-xray itself with the exe version causes it to start endlessly, exhausting the operating system's CPU and memory. The endless startup happens because, at startup, the previously saved xray path is executed; if super-xray.exe itself was selected and saved, this obviously produces an infinite loop. Since the user is responsible for whatever executable they enter, this would normally not count as a security vulnerability, but the problem caused by a user entering super-xray itself should be handled. A binary executable cannot be identified with certainty, so the only option is to restrict by file name combined with file size to prevent loading itself; security problems caused by the user loading other executables are unrelated to this project.

The fix code is as follows:

    import java.io.IOException;
    import java.nio.file.Files;
    import java.nio.file.Path;
    import java.nio.file.Paths;

    public static boolean checkValid(String absPath) {
        Path path = Paths.get(absPath);
        String filename = path.getFileName().toString().toLowerCase();
        // Reject anything named like super-xray itself ("super-xray", "Super Xray", ...)
        boolean superCondition = filename.contains("super");
        boolean xrayCondition = filename.contains("xray");
        if (superCondition && xrayCondition) {
            return false;
        }
        if (!Files.exists(path)) {
            return false;
        }
        try {
            // A real xray binary is larger than 10 MB; anything smaller is rejected
            long size = Files.size(path);
            int mb = (int) (size / 1024 / 1024);
            return mb > 10;
        } catch (IOException e) {
            return false;
        }
    }

Solution:

  • Security problems caused by malicious user input are the user's responsibility
  • If the user enters super-xray itself, the file name should be filtered (in most cases the file will not have been renamed)
  • Finally, restrict the file size: a real xray is never smaller than 10 MB
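The following is an added example, not the project's own code, showing how the file-name and size heuristic above can be combined with a stronger check: comparing the chosen path against the executable of the running process so that a renamed copy of super-xray is still rejected. It assumes Java 9+ (for `ProcessHandle`) and that the OS reports the process command path; `currentExecutable` and `SelfLoadGuard` are names chosen here.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

public class SelfLoadGuard {
    // Minimum plausible size of a real xray binary (the advisory's 10 MB bound).
    private static final long MIN_XRAY_BYTES = 10L * 1024 * 1024;

    // Hypothetical helper: path of the executable running this JVM, if the OS reports it.
    static Optional<Path> currentExecutable() {
        return ProcessHandle.current().info().command().map(Paths::get);
    }

    // Returns true only if absPath may be launched as xray. Rejects the running
    // executable itself, names that look like super-xray, missing files, and
    // files smaller than a real xray build.
    public static boolean checkValid(String absPath) {
        Path candidate = Paths.get(absPath);
        if (!Files.isRegularFile(candidate)) {
            return false;
        }
        try {
            // Strongest check: is this literally the binary we are running as?
            Optional<Path> self = currentExecutable();
            if (self.isPresent() && Files.isSameFile(self.get(), candidate)) {
                return false;
            }
            // Fallback heuristic from the advisory: file name and size.
            String name = candidate.getFileName().toString().toLowerCase();
            if (name.contains("super") && name.contains("xray")) {
                return false;
            }
            return Files.size(candidate) >= MIN_XRAY_BYTES;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a tiny file named like super-xray must be rejected.
        Path tmp = Files.createTempFile("super-xray-1.2", ".exe");
        System.out.println("accepted=" + checkValid(tmp.toString()));
        Files.delete(tmp);
    }
}
```

`Files.isSameFile` resolves symlinks and hard links, so it also catches a copy reached through a different path, which the name check alone does not.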

Mitigation

Users should upgrade to super-xray 1.3.

Credit

Thanks to the GitHub user who reported this problem in the issue list.

Severity

Moderate


CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE ID

No known CVE

Weaknesses

No CWEs