| Title | warmcat libwebsockets 4.5.99-v4.5.0-382-g4a63b9333 Uncontrolled Memory Allocation |
|---|---|

Description: Missing upper-bound check on msg_len in lws_ssh_parse_plaintext() causes a pre-authentication OOM server kill via unbounded allocation.
plugins/protocol_lws_ssh_base/sshd.c:576 constructs pss->msg_len from 4
attacker-controlled bytes without any upper-bound check. The only validation
(line 595) rejects msg_len < 6. When msg_id == SSH_MSG_KEXINIT (20), the
value is passed directly to sshd_zalloc() at line 652, allowing an
unauthenticated remote attacker to trigger a ~128 MB (or up to ~4 GB)
heap allocation per connection. Repeated connections exhaust system memory,
causing the server process (and potentially other processes) to be killed
by the OOM killer.
Version: 4.5.99-v4.5.0-382-g4a63b9333
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Score: 7.5
Scope is Changed because unbounded memory consumption by the SSH server
exhausts system-wide memory, causing the OOM killer to terminate other
resident processes. Confirmed by testing: without cgroup memory limits
the entire host became unstable and required a hard reset.
Root cause (plugins/protocol_lws_ssh_base/sshd.c):

```c
/* line 575-578 — msg_len assembled from 4 attacker bytes, no upper bound */
case SSHS_MSG_LEN:
	pss->msg_len = (pss->msg_len << 8) | *p++;
	if (++pss->ctr != 4)
		break;

/* line 595-598 — only lower-bound check */
if (pss->msg_len < 2 + 4) {
	lwsl_notice("illegal msg size\n");
	goto bail;
}

/* line 649-656 — msg_len used directly as allocation size */
case SSH_MSG_KEXINIT:
	...
	pss->kex->I_C_alloc_len = pss->msg_len;
	pss->kex->I_C = sshd_zalloc(pss->kex->I_C_alloc_len);
	if (!pss->kex->I_C) {
		lwsl_notice("OOM 3\n");
		goto bail;
	}

/* sshd_zalloc (line 31-38) — malloc + memset, commits physical pages */
void *sshd_zalloc(size_t s)
{
	void *p = malloc(s);

	if (p)
		memset(p, 0, s);

	return p;
}
```
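A bounded variant of the length check, as an added example written for this page and not the upstream fix (the exact upper bound libwebsockets adopted is not stated here; SSH_MAX_PACKET_LEN, the len_state struct and the helper functions are assumptions). It feeds the same 4-byte packet_length through the page's lower-bound-only logic, which accepts a ~128 MB length, and through a bounded check that rejects it before any allocation is attempted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical cap on one SSH binary packet (the upstream fix may use a
 * different value). RFC 4253 6.1 requires handling total packet sizes up
 * to 35000 bytes, so rejecting a larger packet_length is conformant. */
#define SSH_MAX_PACKET_LEN 35000u
#define SSH_MIN_PACKET_LEN 6u   /* the page's existing lower bound, 2 + 4 */
enum len_result { LEN_NEED_MORE, LEN_OK, LEN_TOO_SMALL, LEN_TOO_LARGE };
struct len_state { uint32_t msg_len; unsigned ctr; }; /* stand-in for pss */

/* Feed one byte of the big-endian packet_length field as the page's
 * SSHS_MSG_LEN state does; validate once all 4 bytes are in. bounded == 0
 * reproduces the vulnerable lower-bound-only check, bounded != 0 adds the
 * upper bound, which must run before anything is allocated. */
static enum len_result feed_len_byte(struct len_state *st, uint8_t b, int bounded)
{
	st->msg_len = (st->msg_len << 8) | b;
	if (++st->ctr != 4)
		return LEN_NEED_MORE;
	st->ctr = 0;
	if (st->msg_len < SSH_MIN_PACKET_LEN)
		return LEN_TOO_SMALL;
	if (bounded && st->msg_len > SSH_MAX_PACKET_LEN)
		return LEN_TOO_LARGE;
	return LEN_OK;
}

/* Run a complete 4-byte length field through the parser and report the
 * verdict; *len receives the assembled value. Nothing is allocated here. */
static enum len_result check_len_field(const uint8_t be[4], int bounded, uint32_t *len)
{
	struct len_state st = {0, 0};
	enum len_result r = LEN_NEED_MORE;
	for (int i = 0; i < 4; i++)
		r = feed_len_byte(&st, be[i], bounded);
	*len = st.msg_len;
	return r;
}

/* Zeroed allocation in the spirit of sshd_zalloc(), done only after the
 * bounded check accepts the field, so an oversized length commits no memory. */
static void *zalloc_for_len_field(const uint8_t be[4], size_t *out_len)
{
	uint32_t len;
	if (check_len_field(be, 1, &len) != LEN_OK)
		return NULL;
	*out_len = len;
	return calloc(1, len);  /* calloc stands in for the page's malloc + memset */
}
```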
PoC: poc_sshd_unbounded_alloc.py (sends a minimal crafted binary packet; available upon request)
The vulnerable code is in the SSH protocol plugin library.
libwebsockets-test-sshd was used as the harness that accepts SSH connections
via the lws-ssh-base plugin. Any application using this plugin is equally vulnerable.
Run:

```sh
# Terminal 1:
./build/bin/libwebsockets-test-sshd -d 7

# Terminal 2: run the PoC
python3 poc_sshd_unbounded_alloc.py 127.0.0.1 2200
```
OOM kill evidence (systemd journal):

```text
run-p4239-i4240.scope: A process of this unit has been killed by the OOM killer.
run-p4239-i4240.scope: Failed with result 'oom-kill'.
run-p4239-i4240.scope: Consumed 303ms CPU time, xxx memory peak.
```
Impact:
- Denial of Service — a single unauthenticated attacker can kill the SSH
server by sending 20-byte crafted packets across a few TCP connections
- System-wide impact — without cgroup memory limits, the unbounded
allocation exhausts host memory, causing the OOM killer to terminate
other processes and potentially destabilizing the entire system
- Pre-authentication — the entire attack occurs during the SSH banner
exchange and KEX_INIT phase, before any key exchange or authentication
- Zero complexity and deterministic
- Affects any application using the lws-ssh-base protocol plugin
Reference: https://github.com/warmcat/libwebsockets/commit/7223d9e5f5c2481dea0f8f63e390cf6ceb9308fe

| Field | Value |
|---|---|
| Source | ⚠️ https://github.com/biniamf/pocs/tree/main/libwebsockets_sshd-parse-ic-unbounded-alloc |
| User | biniam (UID 94731) |
| Submitted | 2026-05-14 23:54 (21 days ago) |
| Moderation | 2026-06-02 17:19 (19 days later) |
| Status | Accepted |
| VulDB Entry | 367955 [warmcat libwebsockets up to 4.5.8 SSH Protocol sshd.c lws_ssh_parse_plaintext msg_len denial of service] |
| Points | 20 |