HackerOne: PNG compression DoS

2013-11-23T21:21:28
ID H1:454
Type hackerone
Reporter dutchgraa
Modified 2015-05-28T04:45:07

Description

PNG compression DoS

Because I did JPEG and GIF, I just had to check out the PNG format.

Found

A PNG file is composed of multiple chunks. One of the optional ancillary chunks is called zTXt. This chunk stores text compressed with the zlib library. From the zlib tech details: "The test case was a 50MB file filled with zeros; it compressed to roughly 49 KB". I used this to store a huge amount of data in a small PNG (smaller than 1 MB). When it was sent to HackerOne, the service timed out. I think it's because Paperclip tried to identify and convert my image again.

As an attachment I sent the Python code I made to create the PNG, and the PNG itself. Usage: python createpng.py filename

Fixes

For an easy fix, every PNG file with the string "zTXt" in it should be rejected. Other data chunks may be exploitable, but I haven't looked into them yet. When this bug is fixed I will continue my research.
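Added example, illustrating both the zTXt bomb described under "Found" and a narrower fix than the one proposed above. This is not the reporter's createpng.py (that script is only referenced here, not reproduced) and not HackerOne's or Paperclip's code. build_png() produces a minimal valid PNG whose zTXt chunk holds a zlib stream of zeros; scan_png() walks the chunks, verifies CRCs, and inflates every zlib-bearing ancillary chunk (zTXt, and also iTXt with the compression flag set and iCCP, which the "zTXt" string match would miss) through a hard output cap, so the bomb is rejected after inflating at most limit+1 bytes. A plain byte-string match on "zTXt" would also produce false positives, since those four bytes can occur inside compressed IDAT data. Chunk layouts follow the PNG 1.2 specification; the limit values, the helper names and the 1x1 greyscale image are my own choices.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


class DecompressionBomb(ValueError):
    """Raised when a chunk would inflate past the configured limit."""


def chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: 4-byte length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(text: bytes, keyword: bytes = b"Comment", width: int = 1, height: int = 1) -> bytes:
    """Minimal valid 8-bit greyscale PNG carrying `text` zlib-compressed in a zTXt chunk.
    Passing megabytes of zeros as `text` yields the ~1000:1 bomb the report describes."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)  # depth 8, greyscale, no interlace
    raw = (b"\x00" + b"\x00" * width) * height                     # filter byte 0 + black scanline
    ztxt = keyword + b"\x00" + b"\x00" + zlib.compress(text, 9)    # keyword, NUL, method 0, zlib data
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"zTXt", ztxt)
            + chunk(b"IDAT", zlib.compress(raw, 9)) + chunk(b"IEND", b""))


def iter_chunks(data: bytes):
    """Yield (type, body) per chunk, checking the signature, lengths and CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        body = data[pos + 8:pos + 8 + length]
        if struct.unpack(">I", data[end - 4:end])[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, body
        pos = end


def _after_nul(body: bytes) -> bytes:
    """Drop the NUL-terminated keyword / profile name that opens text and iCCP chunks."""
    parts = body.split(b"\x00", 1)
    if len(parts) != 2:
        raise ValueError("missing keyword terminator")
    return parts[1]


def zlib_payload(ctype: bytes, body: bytes):
    """Return the zlib stream inside a zTXt/iTXt/iCCP chunk, or None for any other chunk."""
    if ctype in (b"zTXt", b"iCCP"):
        return _after_nul(body)[1:]                  # skip the 1-byte compression method
    if ctype == b"iTXt":
        rest = _after_nul(body)
        if len(rest) < 2:
            raise ValueError("malformed iTXt chunk")
        flag = rest[0]                               # 0 = uncompressed text, 1 = zlib-compressed
        fields = rest[2:].split(b"\x00", 2)          # language tag, translated keyword, text
        if len(fields) != 3:
            raise ValueError("malformed iTXt chunk")
        return fields[2] if flag == 1 else None
    return None


def bounded_inflate(stream: bytes, limit: int) -> bytes:
    """Inflate a zlib stream but never materialise more than limit+1 bytes of output.
    Decompress.decompress(data, max_length) returns as soon as max_length bytes exist,
    so a bomb costs a bounded amount of memory and CPU instead of its full inflated size."""
    d = zlib.decompressobj()
    out = d.decompress(stream, limit + 1)
    if len(out) > limit:
        raise DecompressionBomb(f"inflated size exceeds {limit} bytes")
    if not d.eof:
        raise ValueError("incomplete zlib stream")
    return out


def scan_png(data: bytes, limit: int = 1 << 20, max_pixels: int = 50_000_000) -> list:
    """Return [(chunk type, inflated size)] for each compressed ancillary chunk.
    Raises DecompressionBomb on the first chunk that would inflate past `limit`, and
    ValueError when IHDR declares more than `max_pixels` (that bounds IDAT, whose
    inflated size is fixed by the image dimensions rather than by the stream)."""
    sizes = []
    for ctype, body in iter_chunks(data):
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
            if width * height > max_pixels:
                raise ValueError(f"image too large: {width}x{height}")
        stream = zlib_payload(ctype, body)
        if stream is not None:
            sizes.append((ctype.decode("ascii"), len(bounded_inflate(stream, limit))))
    return sizes


if __name__ == "__main__":
    bomb = build_png(b"\x00" * (50 * 1024 * 1024))   # 50 MB of zeros, as in the zlib figure
    print(f"bomb PNG is {len(bomb)} bytes on disk")
    try:
        scan_png(bomb)
    except DecompressionBomb as exc:
        print("rejected:", exc)
    print("benign:", scan_png(build_png(b"hello")))
```

Run it stand-alone to see the 50 MB payload shrink to a few tens of kilobytes and get rejected by scan_png() while a PNG with an ordinary comment passes. The limit should be set to what the consuming code can actually afford; an image pipeline that hands the file to ImageMagick or libpng afterwards still needs resource limits in that tool, because this scanner only rejects what it can see in the container format.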

Theory

Make sure your zlib library is updated. Because of old exploits in zlib's inflate() (zlibvuln1, zlibvuln2), attackers might make a PNG that can exploit old machines.