Amazon AWS Java SDK Vulnerability Disclosure
Today we discuss a denial-of-service vulnerability in the official Amazon AWS Java SDK. Java developers commonly use this SDK to integrate a range of AWS services, including the Amazon S3 API for storing and indexing files. Versions 1.8.0 through 1.10.34 of the official AWS Java SDK are confirmed to be affected; version 1.10.36 fixes the vulnerability.
The vulnerability lets an attacker who can get a file stored in Amazon S3 attack any web service that later reads that file through the AWS Java SDK. The attacker uploads a crafted file to the S3 storage that the service processes with the SDK; while the service reads the file, the consuming code can enter an endless loop, resulting in a denial of service.
Because Amazon provides the AWS Java SDK to Java developers as the default client library, the vulnerability has a wide impact. For example, Nuxeo, a popular open-source content management framework, uses the AWS S3 SDK to store file content, so the many commercial applications built on the Nuxeo framework are affected as well.
We reported this vulnerability privately to the Amazon AWS security team. Amazon fixed it quickly and released a new version of the SDK to Maven Central last week. The modified code can be viewed here.
Overview
The problem lies in the skip method of the SDK's SdkDigestInputStream class. The InputStream contract says that skip should return the number of bytes actually skipped, but in some cases this implementation returns -1. The skip override was added to the class on June 21, 2014, as the fix for a different problem; before that, SdkDigestInputStream did not override skip at all.
Analysis
The official Java documentation for InputStream.skip says that the method returns the number of bytes actually skipped. If nothing could be skipped, or the argument is negative, skip returns 0. Under no circumstances should skip return a negative number.
Look at line 75 of SdkDigestInputStream.java, where the skip method can return -1:
A negative return value can break other methods that consume the result of skip, because those methods were never written to expect a negative value. Consider the IOUtils class in the widely used Apache Commons Compress library: its own skip method calls skip on the underlying InputStream.
That method uses a while loop, and the return value of skip decides when the loop ends:
while (numToSkip > 0) {
    long skipped = input.skip(numToSkip);
    if (skipped == 0) {
        break;
    }
    numToSkip -= skipped;
}
When the SDK reads the underlying input stream of an S3 object, skip may return -1, and that value is stored in the skipped variable. The only exit condition, skipped == 0, does not match -1, so the update numToSkip -= skipped at the end of the loop becomes numToSkip -= -1: numToSkip grows by one on every iteration instead of shrinking, and the loop never terminates.
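To make the failure concrete, here is an added example (not code from the original post or from the AWS SDK). FaultySkipStream is a constructed stand-in that reproduces only the behaviour described above, a skip() that returns -1 once its data is exhausted; it is not SdkDigestInputStream. vulnerableSkip is the IOUtils-style loop with an iteration cap so that the demonstration terminates, and hardenedSkip is the same loop with the exit condition a consumer should actually use:

```java
import java.io.IOException;
import java.io.InputStream;

public class SkipLoopDemo {

    /** Constructed stream that violates the InputStream.skip() contract by returning -1. */
    static final class FaultySkipStream extends InputStream {
        private final byte[] data;
        private int pos;

        FaultySkipStream(byte[] data) { this.data = data; }

        @Override
        public int read() {
            return pos < data.length ? (data[pos++] & 0xff) : -1;
        }

        @Override
        public long skip(long n) {
            if (n <= 0) {
                return 0;
            }
            long remaining = data.length - pos;
            if (remaining == 0) {
                return -1;          // contract violation: the correct answer is 0
            }
            long skipped = Math.min(n, remaining);
            pos += skipped;
            return skipped;
        }
    }

    /**
     * The loop shape from Commons Compress IOUtils.skip, with an iteration cap so the
     * demonstration terminates. Returns the number of iterations used, or -1 if the cap
     * was hit, i.e. the loop would spin forever on this stream.
     */
    static long vulnerableSkip(InputStream in, long numToSkip, long maxIterations) throws IOException {
        long iterations = 0;
        while (numToSkip > 0) {
            if (++iterations > maxIterations) {
                return -1;          // numToSkip has been growing, not shrinking
            }
            long skipped = in.skip(numToSkip);
            if (skipped == 0) {     // -1 slips past this check
                break;
            }
            numToSkip -= skipped;   // with skipped == -1 this ADDS one
        }
        return iterations;
    }

    /** Same loop, but any non-positive return value ends it. Returns bytes actually skipped. */
    static long hardenedSkip(InputStream in, long numToSkip) throws IOException {
        long total = 0;
        while (numToSkip > 0) {
            long skipped = in.skip(numToSkip);
            if (skipped <= 0) {     // 0 = nothing left to skip; < 0 = contract violation
                break;
            }
            total += skipped;
            numToSkip -= skipped;
        }
        return total;
    }

    public static void main(String[] args) throws IOException {
        byte[] payload = new byte[10];  // constructed sample input: a 10-byte stream
        // Ask both loops to skip 512 bytes (one tar record) from the 10-byte stream.
        long r = vulnerableSkip(new FaultySkipStream(payload), 512, 1_000_000);
        System.out.println("vulnerable loop: " + (r < 0 ? "did not terminate within the cap" : r + " iterations"));

        long skipped = hardenedSkip(new FaultySkipStream(payload), 512);
        System.out.println("hardened loop returned after skipping " + skipped + " bytes");
    }
}
```

Run the class with no arguments. The first call skips the 10 available bytes, then receives -1 on every later iteration and hits the cap; the second call stops as soon as skip() stops making progress, which is the check a consumer of an untrusted stream should have.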
Example
The attack scenario arises when files stored in Amazon S3 are read through the AWS SDK and then processed. Apache Commons Compress is one of the most common Java libraries for processing archives.
For a web service that uses Amazon S3, .tar files are the easiest to turn into a DoS. The attacker only needs to create a tar archive with extra trailing data (NULL bytes) and upload it to the site. The AWS S3 SDK then reads the file and passes its InputStream to the TarArchiveInputStream class, which calls its skipRecordPadding method to skip the padding:
That method calls skip on line 3, after which the program enters the endless loop described above, resulting in a DoS.
Fix
A new version of the AWS SDK has been released to Maven Central, and we recommend upgrading to it immediately. If you cannot upgrade, the following workarounds apply.
If you call skip directly, add a check that the return value is greater than or equal to 0. Alternatively, copy the InputStream into a byte array first and pass the array to the code that will process it; note that this holds the whole object in memory, so combine it with a limit on the size of objects you are willing to read. For example, when using the Apache Commons Compress library to process a .tar file:
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
import org.apache.commons.compress.utils.IOUtils;

// Assuming that input is the InputStream obtained from the AWS S3 SDK
ByteArrayOutputStream baos = new ByteArrayOutputStream();
IOUtils.copy(input, baos);
ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
TarArchiveInputStream tarStream = new TarArchiveInputStream(bais);
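The first workaround, enforcing the skip contract, can also be applied without touching every consumer by wrapping the SDK stream before it reaches a library. The following is an added example (not code from the original post or from the AWS SDK): a FilterInputStream that clamps a negative skip() result to 0, which is the value loops such as IOUtils.skip expect when no progress is possible. The anonymous stream in main is a constructed stand-in whose skip() always returns -1.

```java
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Wrap the InputStream obtained from the AWS S3 SDK in this class before handing it to
 * Commons Compress or any other library, so a negative skip() result never reaches the caller.
 */
public final class NonNegativeSkipInputStream extends FilterInputStream {

    public NonNegativeSkipInputStream(InputStream in) {
        super(in);
    }

    @Override
    public long skip(long n) throws IOException {
        long skipped = in.skip(n);
        // InputStream.skip() must return 0 when nothing could be skipped. A negative value
        // from the wrapped stream is a contract violation; clamping it to 0 makes callers
        // that loop until skip() returns 0 (e.g. IOUtils.skip) terminate.
        return Math.max(0L, skipped);
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for a stream whose skip() misbehaves (always -1).
        InputStream faulty = new InputStream() {
            @Override public int read() { return -1; }
            @Override public long skip(long n) { return -1; }
        };
        InputStream safe = new NonNegativeSkipInputStream(faulty);
        System.out.println("raw skip()     = " + faulty.skip(512));
        System.out.println("wrapped skip() = " + safe.skip(512));
        // With Commons Compress on the classpath the wrapped stream is used directly, e.g.
        // new TarArchiveInputStream(new NonNegativeSkipInputStream(s3ObjectStream))
    }
}
```

Unlike the copy-to-byte-array workaround, this wrapper does not buffer the object in memory, so it is the better choice for large S3 objects; if you would rather fail loudly than mask the underlying bug, throw an IOException instead of returning 0 when skipped is negative.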