Pixel flood attack

From Hackipedia
HackerOne #390
Target: HackerOne
Target Module: Paperclip
Type: DoS
Payload: Download
Original: Link
CVE:

An image whose dimensions are 0xfafa x 0xfafa (64250 x 64250 pixels) is uploaded and crashes the service.

How To Perform

  1. Download the Payload
  2. Upload to target service
  3. Observe for performance degradation

Technical

HackerOne founder michiel provided some technical insight into this issue:

We identified two problems:
1) Paperclip seems to always run the identify command with the exif:orientation option enabled, while only one Paperclip feature (auto orient) needs this option. This option caused the DoS at our side. We fixed this by monkey patching the way Paperclip builds a geometry string. This is probably something that should get fixed in Paperclip too.
2) Paperclip started resizing the uploaded image even before it validated whether the image's dimensions were too large. We fixed this by instructing Paperclip to run validations before starting the resizing process.
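
The second fix above, validating dimensions before any resizing, can be done by reading the declared width and height from the file header without decoding pixel data. The Ruby sketch below is an added example, not Paperclip's or HackerOne's code; it covers PNG and JPEG headers (the page does not state the payload's format), and the limits `MAX_SIDE` and `MAX_PIXELS` and all function names are assumptions chosen for illustration.

```ruby
# Added example, not Paperclip's or HackerOne's code. Limits are assumed values.
MAX_SIDE   = 10_000       # assumed per-side limit, in pixels
MAX_PIXELS = 25_000_000   # assumed total pixel budget
PNG_SIG    = "\x89PNG\r\n\x1A\n".b

# Width/height as declared in a JPEG SOFn segment, or nil if none is found.
def jpeg_dimensions(bytes)
  pos = 2 # skip the SOI marker (FF D8)
  while pos + 4 <= bytes.bytesize
    return nil unless bytes.getbyte(pos) == 0xFF
    marker = bytes.getbyte(pos + 1)
    len = bytes.byteslice(pos + 2, 2).unpack1("n")
    # SOF0..SOF15 carry the frame size; C4, C8 and CC are not frame headers
    if (0xC0..0xCF).cover?(marker) && ![0xC4, 0xC8, 0xCC].include?(marker)
      return nil if pos + 9 > bytes.bytesize
      height, width = bytes.byteslice(pos + 5, 4).unpack("nn")
      return [width, height]
    end
    return nil if len < 2 # malformed segment length
    pos += 2 + len
  end
  nil
end

# [width, height] read from the header only; the pixel data is never decoded.
def declared_dimensions(bytes)
  bytes = bytes.b
  if bytes.start_with?(PNG_SIG)
    # IHDR is the first chunk: width and height are big-endian u32 at offset 16
    return nil unless bytes.bytesize >= 24 && bytes.byteslice(12, 4) == "IHDR"
    bytes.byteslice(16, 8).unpack("NN")
  elsif bytes.start_with?("\xFF\xD8".b)
    jpeg_dimensions(bytes)
  end
end

# Validation that runs before any resize: unknown formats fail closed.
def upload_allowed?(bytes)
  width, height = declared_dimensions(bytes)
  return false if width.nil? || height.nil?
  width.between?(1, MAX_SIDE) && height.between?(1, MAX_SIDE) &&
    width * height <= MAX_PIXELS
end

# Constructed sample input: a PNG signature plus IHDR chunk, no pixel data.
def sample_png_header(width, height)
  PNG_SIG + [13].pack("N") + "IHDR" + [width, height, 8, 2, 0, 0, 0].pack("NNC5")
end
```

A 64250 x 64250 header declares 4,128,062,500 pixels, so it fails both the per-side and the total-pixel check here and never reaches the resizer.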

