TOR-016 — onionoo – Potential denial of service on onionoo.torproject.org via search parameter
The onionoo.torproject.org website suffers from a potential denial of service vulnerability through the StringBuilder.append method.
- Vulnerability ID: TOR-016
- Vulnerability type: CWE-789: Memory Allocation with Excessive Size Value
- Threat level: Low
Technical description:
The onionoo API allows filtering data based on a search parameter. If a double quote occurs in the search string, the variable doubleQuotedSearchTerm is instantiated with an object of the StringBuilder class. The class is susceptible to a denial of service attack because each call to the append method grows the backing buffer (roughly doubling its capacity) whenever the current buffer is too small for the appended text. With a sufficiently long quoted term this can quickly cause the JVM to consume all available heap memory, although this is difficult to achieve through GET requests (see impact below).
In tpo/network-health/metrics/onionoo/src/main/java/org/torproject/metrics/onionoo/server/ResourceServlet.java:
protected static String[] parseSearchParameters(String parameter) {
  String[] spaceSeparatedParts = parameter.split(" ");
  List<String> searchParameters = new ArrayList<>();
  StringBuilder doubleQuotedSearchTerm = null;
  for (String spaceSeparatedPart : spaceSeparatedParts) {
    // Even number of unescaped quotes: the part does not open or close a quoted term.
    if ((StringUtils.countMatches(spaceSeparatedPart, '"')
        - StringUtils.countMatches(spaceSeparatedPart, "\\\"")) % 2 == 0) {
      if (null == doubleQuotedSearchTerm) {
        searchParameters.add(spaceSeparatedPart);
      } else {
        doubleQuotedSearchTerm.append(' ').append(spaceSeparatedPart);
      }
    } else {
      // Odd number of unescaped quotes: either opens a quoted term or closes the current one.
      if (null == doubleQuotedSearchTerm) {
        doubleQuotedSearchTerm = new StringBuilder(spaceSeparatedPart);
      } else {
        doubleQuotedSearchTerm.append(' ').append(spaceSeparatedPart);
        searchParameters.add(doubleQuotedSearchTerm.toString());
        doubleQuotedSearchTerm = null;
      }
    }
  }
  ....
}
Proof of Concept
Payload:
a:"X AAAA BBBBBBBBB "
Flow (the payload is split on spaces into the parts a:"X, AAAA, BBBBBBBBB and "):
1. a:"X contains an odd number of quotes, so doubleQuotedSearchTerm = new StringBuilder("a:\"X")
2. AAAA contains no quotes, so append on doubleQuotedSearchTerm with whitespace and AAAA
3. BBBBBBBBB contains no quotes, so append on doubleQuotedSearchTerm with whitespace and BBBBBBBBB
4. the final " contains an odd number of quotes, so doubleQuotedSearchTerm is closed and stored in the list (searchParameters)
Impact:
Because of the limited GET request URI length, not enough characters can be transferred to consume the available heap memory. Therefore, this vulnerability is rated Low. However, it might be possible to exploit the vulnerability in the future, e.g., if the function is used for a POST request or the standard GET request URI length is increased by a configuration.
Recommendation: Catch the OutOfMemoryError exception thrown by the JVM and then abort the whole parsing process.
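As an added illustration of the parser described above and of the recommendation, the following is a stand-alone rewrite of parseSearchParameters (example code, not onionoo's own): it keeps the same quote-pairing logic, rejects the raw parameter up front when it exceeds a length cap, and catches OutOfMemoryError to abort the whole parse. The cap MAX_SEARCH_PARAMETER_LENGTH and the countMatches stand-in for StringUtils.countMatches are assumptions of this example; it needs Java 11 or later for String.repeat.

```java
import java.util.ArrayList;
import java.util.List;

public class SearchParameterParser {
  // Hypothetical cap on the raw search parameter (assumption of this example, not an onionoo setting).
  static final int MAX_SEARCH_PARAMETER_LENGTH = 2048;

  // Stand-in for StringUtils.countMatches: non-overlapping occurrences of needle in haystack.
  static int countMatches(String haystack, String needle) {
    int count = 0;
    for (int i = haystack.indexOf(needle); i >= 0; i = haystack.indexOf(needle, i + needle.length())) {
      count++;
    }
    return count;
  }

  // Same quote-pairing logic as the advisory's excerpt, plus an up-front length check and the
  // OutOfMemoryError catch the advisory recommends. Returns null when the input is rejected.
  // The elided tail of the original method is not reproduced: an unterminated quoted term is dropped.
  static String[] parseSearchParameters(String parameter) {
    if (parameter == null || parameter.length() > MAX_SEARCH_PARAMETER_LENGTH) {
      return null;  // reject before any StringBuilder growth can happen
    }
    try {
      List<String> searchParameters = new ArrayList<>();
      StringBuilder doubleQuotedSearchTerm = null;
      for (String part : parameter.split(" ")) {
        // unescaped quotes = all quotes minus backslash-escaped ones
        boolean even = (countMatches(part, "\"") - countMatches(part, "\\\"")) % 2 == 0;
        if (even && doubleQuotedSearchTerm == null) {
          searchParameters.add(part);
        } else if (even) {
          doubleQuotedSearchTerm.append(' ').append(part);
        } else if (doubleQuotedSearchTerm == null) {
          doubleQuotedSearchTerm = new StringBuilder(part);  // opening quote seen
        } else {
          doubleQuotedSearchTerm.append(' ').append(part);   // closing quote seen
          searchParameters.add(doubleQuotedSearchTerm.toString());
          doubleQuotedSearchTerm = null;
        }
      }
      return searchParameters.toArray(new String[0]);
    } catch (OutOfMemoryError e) {
      return null;  // abort the whole parse instead of letting the JVM die
    }
  }

  public static void main(String[] args) {
    String[] parsed = parseSearchParameters("a:\"X AAAA BBBBBBBBB \"");  // the advisory's payload
    System.out.println(parsed.length + " term(s): " + String.join(" | ", parsed));
    System.out.println(parseSearchParameters("x".repeat(MAX_SEARCH_PARAMETER_LENGTH + 1)) == null);
  }
}
```

The first line printed shows the payload collapsing into a single quoted term, exactly the flow traced in the proof of concept; the second shows an oversized parameter being refused before any allocation.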