Objective: To achieve Remote Code Execution (RCE) or Denial of Service (DoS) on an application using zstd, by exploiting vulnerabilities or weaknesses in the zstd library or its implementation.
Compromise Application using zstd [CN]
|
-------------------------------------------------------------------------
| |
1. Remote Code Execution (RCE) [CN] 2. Denial of Service (DoS)
| |
----|----------------------------------- ----|-----------------------------------
| | |
1.2 1.1 2.2
Exploit Buffer Overflow Resource Exhaustion via
Dictionary in zstd [CN] Decompression Bomb/Ratio [HR]
Vulnerabilities |
| ----|----
----|---- | |
| | 2.2.1 2.2.2
1.2.1 1.2.2 High Repeated
Abuse Abuse Compression Decompression
zstd zstd Ratio Input Requests [HR]
Dict Dict
Builder Loading
[HR] [HR]
Attack Tree Path: 1. Remote Code Execution (RCE) [CN]
-
1.1 Buffer Overflow in zstd [CN]
- Description: A buffer overflow vulnerability within the zstd library itself. This is a critical vulnerability, though less likely due to zstd's maturity.
- Attack: An attacker crafts malicious compressed input that, when decompressed, overwrites memory beyond the allocated buffer, leading to arbitrary code execution.
- Likelihood: Very Low
- Impact: Very High
- Effort: High to Very High
- Skill Level: Expert
- Detection Difficulty: Medium to Hard
-
1.2 Exploit Dictionary Vulnerabilities
-
1.2.1 Abuse zstd Dict Builder [HR]
- Description: If the application builds dictionaries from user-supplied data, an attacker might craft input to cause a buffer overflow or other memory corruption within the dictionary builder.
- Attack: The attacker provides malicious input to the dictionary building process, triggering a vulnerability and gaining code execution.
- Likelihood: Low to Medium
- Impact: Very High
- Effort: Medium to High
- Skill Level: Advanced
- Detection Difficulty: Medium
-
1.2.2 Abuse zstd Dict Loading [HR]
- Description: If the application loads dictionaries from external sources, an attacker might provide a malicious dictionary file to trigger a vulnerability.
- Attack: The attacker provides a crafted dictionary file that, when loaded, exploits a vulnerability in the loading or usage process, leading to RCE.
- Likelihood: Low to Medium
- Impact: Very High
- Effort: Medium to High
- Skill Level: Advanced
- Detection Difficulty: Medium to Hard
-
Attack Tree Path: 2. Denial of Service (DoS)
-
2.2 Resource Exhaustion via Decompression Bomb/Ratio [HR]
-
Description: Exploiting the compression algorithm to cause excessive CPU or RAM usage, leading to denial of service.
-
Attack: The attacker provides input designed to consume excessive resources during decompression.
-
2.2.1 High Compression Ratio Input
- Description: An attacker crafts input that achieves a very high compression ratio, requiring significant resources to decompress.
- Attack: The attacker sends input that expands to a very large size upon decompression, exhausting memory or CPU.
- Likelihood: Medium
- Impact: Medium to High
- Effort: Medium
- Skill Level: Intermediate
- Detection Difficulty: Medium
-
2.2.2 Repeated Decompression Requests [HR]
- Description: An attacker repeatedly sends decompression requests, overwhelming the server.
- Attack: The attacker floods the server with decompression requests, consuming resources and preventing legitimate users from accessing the service.
- Likelihood: High
- Impact: Medium to High
- Effort: Very Low
- Skill Level: Beginner
- Detection Difficulty: Easy
-