13 Feb 2023

Uncontrolled Resource Consumption


Uncontrolled resource consumption refers to a software vulnerability where a program or system uses excessive resources, such as CPU, memory, or network bandwidth, without proper limitations or controls. This can cause a denial-of-service (DoS) attack or degrade the performance of the affected system. Attackers can exploit this vulnerability to exhaust the resources of a targeted system, making it unavailable for legitimate users. Uncontrolled resource consumption can be mitigated by implementing proper resource usage limits, monitoring, and throttling mechanisms in the software or system.

Examples of vulnerable code in different programming languages:

In Java:

				
    // Allocates a new object on every iteration and has no exit condition
    while (true) {
        Object obj = new Object();
    }

A loop that continuously allocates memory without any exit condition can cause excessive memory consumption; whether the garbage collector keeps up depends on how quickly the loop allocates, and nothing in the code bounds it.

In Python:

				
    # Naive recursion: every call above the base case spawns two more calls
    def fibonacci(n):
        if n < 2:
            return n
        else:
            return fibonacci(n - 1) + fibonacci(n - 2)

A recursive function with no base case, or with an incorrect termination condition, recurses without bound and consumes excessive CPU and stack memory. The implementation shown does terminate, but its cost grows exponentially with n, so if n comes from an untrusted source and is not capped, a single call can be made arbitrarily expensive.
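As an added example (not code from the original article), here is a hardened replacement for the `fibonacci` function above: it rejects anything that is not an `int` in a fixed range and computes the result iteratively, so the cost is linear in n and the stack depth is constant. `MAX_N` is an assumed application limit, and `cost_of_naive` is an added helper that computes how many calls the naive recursive version would make, without running it.

```python
# Added example (not from the original article): bounded, iterative
# replacement for the naive recursive fibonacci shown above.

MAX_N = 10_000  # assumed upper bound on attacker-controllable input


def safe_fibonacci(n):
    """Return F(n) in O(n) time with constant stack depth.

    Rejects input that is not an int or lies outside [0, MAX_N], so a caller
    cannot choose an n that makes the call arbitrarily expensive.
    """
    # bool is a subclass of int; reject it so True/False are not taken as 1/0
    if isinstance(n, bool) or not isinstance(n, int):
        raise TypeError("n must be an int")
    if n < 0 or n > MAX_N:
        raise ValueError(f"n must be in [0, {MAX_N}]")
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a


def cost_of_naive(n):
    """Number of calls the naive recursive fibonacci(n) would make.

    Uses the recurrence C(n) = C(n-1) + C(n-2) + 1 with C(0) = C(1) = 1,
    evaluated iteratively, to show why an unbounded n is dangerous without
    actually running the exponential version.
    """
    if n < 2:
        return 1
    c_prev2, c_prev1 = 1, 1
    for _ in range(2, n + 1):
        c_prev2, c_prev1 = c_prev1, c_prev1 + c_prev2 + 1
    return c_prev1


def rejection_reason(n):
    """Return the exception type name safe_fibonacci raises for n, or None."""
    try:
        safe_fibonacci(n)
    except (TypeError, ValueError) as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    print(safe_fibonacci(30))   # 832040
    print(cost_of_naive(30))    # 2692537 calls for the naive version
    print(rejection_reason(MAX_N + 1))  # ValueError
```

The bound is the important part: without it, even a linear-time implementation can be driven to produce numbers with millions of digits, so the upper limit should reflect what the application actually needs, not just what the machine can survive.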

C:

				
    /* Pushes the buffer onto the socket as fast as the kernel accepts it */
    while (1) {
        send(sock, buffer, sizeof(buffer), 0);
    }

A loop that continuously sends data over the network without any delay or back-pressure can cause excessive network bandwidth consumption.

In PHP:

				
    // Re-runs a full table scan on every iteration, with no limit or pause
    while (true) {
        $result = mysqli_query($con, "SELECT * FROM large_table");
        // process the result
    }

A script that repeatedly performs an expensive database query can cause excessive CPU and memory consumption, both in the script and in the database server.

Examples of exploitation of Uncontrolled Resource Consumption

Here are a few examples of how uncontrolled resource consumption can be exploited by attackers:

Denial-of-Service (DoS) attacks: An attacker can exploit uncontrolled resource consumption to launch a DoS attack by sending a high volume of requests that consume excessive resources, making the system unavailable for legitimate users.

Slowloris attack: A type of DoS attack that exploits uncontrolled resource consumption by sending partial HTTP requests and keeping the connection open for as long as possible, thereby exhausting the server’s resources.

Memory exhaustion attack: An attacker can exploit uncontrolled memory consumption to cause the system to crash or become unresponsive by repeatedly allocating memory without freeing it, or by allocating large amounts of memory.

CPU exhaustion attack: An attacker can exploit uncontrolled CPU consumption to cause the system to slow down or become unresponsive by continuously running CPU-intensive tasks, such as cryptographic operations or large calculations.

Bandwidth exhaustion attack: An attacker can exploit uncontrolled network bandwidth consumption to cause the system’s network connection to become slow or unresponsive by sending a high volume of traffic.

Privilege escalation techniques for Uncontrolled Resource Consumption

CPU or memory exhaustion leading to denial-of-service (DoS): If an attacker can cause a DoS condition on a system, it may be possible to gain access to higher privileges by exploiting the resulting instability or confusion.

Exploiting excessive permissions granted to a resource-consuming process: If a process that consumes excessive resources has been granted excessive permissions, an attacker may be able to exploit those permissions to gain access to higher privileges.

Heap overflow or other memory-based attacks: If a process consumes an excessive amount of memory and does not properly allocate or free it, this can lead to heap overflows or other memory-based vulnerabilities that an attacker can exploit to gain higher privileges.

Kernel resource exhaustion leading to kernel panic or other instability: If an attacker can cause a kernel panic or other instability by consuming excessive resources in the kernel, this can potentially be used to gain access to higher privileges.

Using malicious code running with elevated privileges and uncontrolled resource consumption to execute code with even higher privileges: If the malicious code is running with elevated privileges and is using uncontrolled resource consumption, it can be used to execute additional malicious code with even higher privileges.

Using uncontrolled resource consumption to accelerate password cracking: If a process with uncontrolled resource consumption can be used to perform a password cracking attack, it can lead to faster password cracking and ultimately to privilege escalation for the attacker.

Methodology and checklist on testing for Uncontrolled Resource Consumption

Methodology:

  1. Identify potential sources of uncontrolled resource consumption in the system. This could include processes that run with elevated privileges, long-running or complex tasks, or inputs from untrusted sources.

  2. Create test scenarios that involve excessive resource consumption for each identified source. This could involve running processes that consume excessive CPU or memory resources, or submitting inputs that are excessively large or complex.

  3. Monitor system performance during the test scenarios to ensure that the system does not become unstable or crash.

  4. Use a debugger or profiling tool to identify where in the code the excessive resource consumption is occurring, and analyze the code to identify potential vulnerabilities.

  5. Verify that the system can recover from resource exhaustion or other adverse conditions caused by the excessive resource consumption.

  6. If vulnerabilities are identified, test possible exploitation scenarios to verify the risk and impact of the vulnerability.

  7. Document and report any vulnerabilities found, along with recommendations for mitigation or remediation.
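The harness below is an added example, not part of the original article: it covers steps 2 to 5 of the methodology for a single process by running one test scenario at a time, measuring wall time and peak Python-level allocation with `tracemalloc`, and reporting whether the scenario stayed within an assumed budget. The budgets, the `handle_upload` and `handle_report` stand-ins and their inputs are all constructed for this example; `tracemalloc` only sees allocations made through the Python allocator, so the numbers are indicative and OS-level monitoring (ulimit, cgroups, process metrics) is still needed on a real target.

```python
# Added example (not from the original article): run a scenario under
# observation and report whether it exceeded a time or memory budget.
import time
import tracemalloc


def run_scenario(name, fn, *args, time_budget_s=1.0, mem_budget_bytes=1_000_000):
    """Run fn(*args) and return a dict describing resource use.

    Keys: name, ok, reasons (budgets exceeded), elapsed_s, peak_bytes, error.
    The harness must survive a crashing scenario, so exceptions are recorded
    rather than propagated.
    """
    tracemalloc.start()
    start = time.perf_counter()
    error = None
    try:
        fn(*args)
    except Exception as exc:
        error = f"{type(exc).__name__}: {exc}"
    elapsed = time.perf_counter() - start
    _current, peak = tracemalloc.get_traced_memory()
    tracemalloc.stop()

    reasons = []
    if elapsed > time_budget_s:
        reasons.append("time")
    if peak > mem_budget_bytes:
        reasons.append("memory")
    if error is not None:
        reasons.append("crash")
    return {
        "name": name,
        "ok": not reasons,
        "reasons": reasons,
        "elapsed_s": elapsed,
        "peak_bytes": peak,
        "error": error,
    }


# Constructed stand-ins for "inputs from untrusted sources" (assumptions).
def handle_upload(size):
    """Pretend upload handler that buffers the whole body in memory."""
    return bytearray(size)


def handle_report(delay_s):
    """Pretend report generator with a fixed processing time."""
    time.sleep(delay_s)


def run_all():
    """Run the constructed scenarios and return their results in order."""
    return [
        run_scenario("small upload", handle_upload, 1_000),
        run_scenario("oversized upload", handle_upload, 2_000_000),
        run_scenario("slow report", handle_report, 0.05, time_budget_s=0.01),
    ]


if __name__ == "__main__":
    for r in run_all():
        print(f"{r['name']:>16}: ok={r['ok']} reasons={r['reasons']} "
              f"peak={r['peak_bytes']}B elapsed={r['elapsed_s']:.3f}s")
```

Each result keeps the raw measurements next to the verdict, so step 7 (documenting findings) can quote the actual peak and elapsed values rather than just "failed".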

Checklist:

  1. Identify potential sources of uncontrolled resource consumption

  2. Develop test scenarios for each source

  3. Monitor system performance during tests

  4. Use a debugger or profiling tool to analyze code

  5. Verify system recovery from resource exhaustion

  6. Test for possible exploitation scenarios

  7. Document and report vulnerabilities and recommendations

Tools for testing Uncontrolled Resource Consumption

Automated tools:

  • OWASP ZAP: An open-source web application security scanner that can identify uncontrolled resource consumption vulnerabilities and other security issues.

  • Burp Suite: A web application security testing toolkit that includes a scanner and other tools for testing for uncontrolled resource consumption and other vulnerabilities.

  • AppScan: An automated web application security testing tool that can identify uncontrolled resource consumption vulnerabilities and other issues.

  • Acunetix: An automated web application security testing tool that can detect uncontrolled resource consumption vulnerabilities and other issues.

  • Nessus: A vulnerability scanner that can identify uncontrolled resource consumption vulnerabilities and other security issues.

  • Metasploit: A penetration testing framework that includes tools for identifying and exploiting uncontrolled resource consumption vulnerabilities and other security issues.

  • Vega: An open-source web vulnerability scanner that can identify uncontrolled resource consumption vulnerabilities and other issues.

  • Skipfish: An active web application security reconnaissance tool that can identify uncontrolled resource consumption and other vulnerabilities.

  • Netsparker: An automated web application security scanner that can detect uncontrolled resource consumption vulnerabilities and other issues.

  • AppSpider: An automated web application security scanner that can identify uncontrolled resource consumption vulnerabilities and other issues.

  • W3af: An open-source web application security scanner that can detect uncontrolled resource consumption vulnerabilities and other issues.

  • OpenVAS: An open-source vulnerability scanner that can detect uncontrolled resource consumption vulnerabilities and other issues.

  • BeEF: A browser exploitation framework that can identify and exploit uncontrolled resource consumption and other vulnerabilities in web browsers.

  • Sqlmap: An open-source SQL injection testing tool that can identify uncontrolled resource consumption vulnerabilities and other issues.

  • IronWASP: A web application vulnerability scanner that can identify uncontrolled resource consumption vulnerabilities and other issues.

Manual tools:

  • Nmap: A network scanner that can identify systems and services vulnerable to uncontrolled resource consumption attacks.

  • Fiddler: A web debugging proxy that can be used to identify and troubleshoot issues related to uncontrolled resource consumption in web applications.

  • Nikto: An open-source web server scanner that can identify uncontrolled resource consumption and other vulnerabilities.

  • Aircrack-ng: A wireless network security testing tool that can identify uncontrolled resource consumption and other vulnerabilities.

  • Kismet: A wireless network detection and analysis tool that can identify uncontrolled resource consumption and other vulnerabilities.

Average CVSS score for Uncontrolled Resource Consumption

The Common Vulnerability Scoring System (CVSS) is a framework for assessing the severity of security vulnerabilities. The CVSS score takes into account several factors, including the impact and exploitability of the vulnerability.

The CVSS score for uncontrolled resource consumption vulnerabilities can vary widely depending on the specifics of the vulnerability and the context in which it occurs. However, such vulnerabilities are often considered to be high or critical severity, as they can allow attackers to cause resource exhaustion, denial-of-service, or other impacts that could have significant consequences.

It’s worth noting that the CVSS score is not the only metric that should be considered when assessing the severity of a vulnerability. Other factors, such as the likelihood of exploitation and the potential impact on an organization, should also be taken into account. Ultimately, it’s important to assess vulnerabilities in the context of a specific environment and determine the appropriate course of action based on that assessment.

CWE information about Uncontrolled Resource Consumption

There are several CWEs related to uncontrolled resource consumption, including:

CWE-400: Uncontrolled Resource Consumption. This Common Weakness Enumeration (CWE) category covers vulnerabilities related to uncontrolled resource consumption, which can result in resource exhaustion. These vulnerabilities occur when an application fails to properly allocate or manage resources such as memory, network connections, file handles, or other system resources, leading to a denial-of-service (DoS) condition.

CWE-770: Allocation of Resources Without Limits or Throttling. This CWE refers to the practice of allocating resources (such as memory or CPU cycles) without any form of limit or throttling, which can lead to resource exhaustion and denial-of-service conditions.

CWE-664: Improper Control of a Resource Through its Lifetime. This CWE refers to vulnerabilities in which an application fails to properly manage the lifetime of a resource, such as memory or file handles, leading to issues such as memory leaks or file descriptor exhaustion.

CWE-125: Out-of-bounds Read. This CWE occurs when an application reads data from a memory location that is outside the bounds of an array or buffer, leading to unpredictable behavior or crashes.

CWE-126: Buffer Over-read. This CWE occurs when an application reads data from a buffer beyond the intended length, which can result in sensitive data exposure or crashes.

CWE-127: Buffer Under-read. This CWE occurs when an application reads data from a buffer that is smaller than intended, leading to unpredictable behavior or crashes.

CWE-190: Integer Overflow or Wraparound. This CWE occurs when an integer value exceeds its maximum possible value, which can lead to unpredictable behavior or crashes.

CWE-191: Integer Underflow (Wrap or Wraparound). This CWE occurs when an integer value becomes negative, which can lead to unpredictable behavior or crashes.

CWE-369: Divide By Zero. This CWE occurs when an application attempts to divide by zero, which can lead to undefined behavior or crashes.

CWE-404: Improper Resource Shutdown or Release. This CWE refers to vulnerabilities in which an application fails to properly release or shut down a resource, such as memory or file handles, leading to issues such as memory leaks or file descriptor exhaustion.

CWE-415: Double Free. This CWE occurs when an application attempts to free a resource that has already been freed, leading to unpredictable behavior or crashes.

CWE-416: Use After Free. This CWE occurs when an application attempts to use a resource that has already been freed, leading to unpredictable behavior or crashes.

CWE-617: Reachable Assertion. This CWE occurs when an application asserts a condition that is not true, which can lead to unpredictable behavior or crashes.

CWE-665: Improper Initialization. This CWE occurs when an application fails to properly initialize a resource, leading to unpredictable behavior or crashes.

CWE-666: Operation on Resource in Wrong Phase of Lifetime. This CWE occurs when an application performs an operation on a resource that is not in the correct phase of its lifetime, leading to unpredictable behavior or crashes.

CWE-704: Incorrect Type Conversion or Cast. This CWE occurs when an application performs an incorrect type conversion or cast, leading to unpredictable behavior or crashes.

CWE-758: Reliance on Undefined, Unspecified, or Implementation-defined Behavior. This CWE occurs when an application relies on behavior that is undefined, unspecified, or implementation-defined, leading to unpredictable behavior or crashes.

CWE-788: Access of Memory Location After End of Buffer. This CWE occurs when an application attempts to access memory beyond the end of a buffer, leading to unpredictable behavior or crashes.

Top 10 latest CVEs related to Uncontrolled Resource Consumption

CVE-2023-24574 – Dell Enterprise SONiC OS, 3.5.3, 4.0.0, 4.0.1, 4.0.2, contains an “Uncontrolled Resource Consumption vulnerability” in authentication component. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to uncontrolled resource consumption by creating permanent home directories for unauthenticated users.

CVE-2023-22400 – An Uncontrolled Resource Consumption vulnerability in the PFE management daemon (evo-pfemand) of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause an FPC crash leading to a Denial of Service (DoS).

CVE-2023-22396 – An Uncontrolled Resource Consumption vulnerability in TCP processing on the Routing Engine (RE) of Juniper Networks Junos OS allows an unauthenticated network-based attacker to send crafted TCP packets destined to the device, resulting in an MBUF leak that ultimately leads to a Denial of Service (DoS). The system does not recover automatically and must be manually restarted to restore service.

CVE-2022-44608 – Uncontrolled resource consumption vulnerability in Cybozu Remote Service 4.0.0 to 4.0.3 allows a remote authenticated attacker to consume huge storage space, which may result in a denial-of-service (DoS) condition.

CVE-2022-40513 – Transient DOS due to uncontrolled resource consumption in WLAN firmware when peer is freed in non qos state.

CVE-2022-3818 – An uncontrolled resource consumption issue when parsing URLs in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to cause performance issues and potentially a denial of service on the GitLab instance.

CVE-2022-37312 – OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet.

CVE-2022-37311 – OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet.

CVE-2022-30691 – Uncontrolled resource consumption in the Intel(R) Support Android application before version 22.02.28 may allow an authenticated user to potentially enable denial of service via local access.

CVE-2022-29866 – OPC UA .NET Standard Stack 1.04.368 allows a remote attacker to exhaust the memory resources of a server via a crafted request that triggers Uncontrolled Resource Consumption.

Where to test for Uncontrolled Resource Consumption?

Some places where you might test for Uncontrolled Resource Consumption vulnerabilities include:

  • Web applications: Uncontrolled Resource Consumption vulnerabilities are commonly found in web applications, so it’s important to test for them in web application code and the underlying web server.

  • Network devices: Uncontrolled Resource Consumption vulnerabilities can also be present in network devices such as routers, switches, and firewalls. Testing in this area may involve sending large amounts of traffic to the device to determine if it can handle the load without running out of resources.

  • Mobile applications: Mobile applications can also be vulnerable to Uncontrolled Resource Consumption, so it’s important to test for these vulnerabilities in both the client-side code and the server-side infrastructure.

  • Operating systems: Uncontrolled Resource Consumption vulnerabilities can also occur in operating systems, especially in cases where the system is not properly configured to limit resource usage.

  • Databases: Uncontrolled Resource Consumption vulnerabilities can also occur in databases, especially in cases where poorly written queries or other inefficient database operations result in excessive resource usage.

Books with review of Uncontrolled Resource Consumption

“Secure Coding in C and C++” by Robert Seacord: This book provides a comprehensive guide to secure coding in C and C++, and includes a section on Uncontrolled Resource Consumption.

“The Art of Software Security Assessment” by Mark Dowd, John McDonald, and Justin Schuh: This book covers a wide range of software security topics, including Uncontrolled Resource Consumption.

“Web Application Security, A Beginner's Guide” by Bryan Sullivan: This book provides an overview of web application security, including a section on Uncontrolled Resource Consumption.

“The Tangled Web: A Guide to Securing Modern Web Applications” by Michal Zalewski: This book focuses on securing modern web applications, including a section on Uncontrolled Resource Consumption.

“Hacking Exposed Web Applications, Third Edition” by Joel Scambray, Mike Shema, and Caleb Sima: This book provides a comprehensive guide to web application security, including a section on Uncontrolled Resource Consumption.

“The Basics of Web Hacking: Tools and Techniques to Attack the Web” by Josh Pauli: This book is a beginner’s guide to web hacking and includes a section on Uncontrolled Resource Consumption.

“Black Hat Python: Python Programming for Hackers and Pentesters” by Justin Seitz: This book focuses on Python programming for security professionals and includes a section on Uncontrolled Resource Consumption.

“Gray Hat Hacking: The Ethical Hacker's Handbook, Fifth Edition” by Daniel Regalado, Shon Harris, and Allen Harper: This book provides an overview of hacking techniques, including Uncontrolled Resource Consumption, from an ethical hacker’s perspective.

“OWASP Testing Guide v4.1” by OWASP: This is a comprehensive guide to web application security testing, and includes a section on testing for Uncontrolled Resource Consumption.

“Web Security for Developers: Real Threats, Practical Defense” by Malcolm McDonald: This book provides an overview of web security, including a section on Uncontrolled Resource Consumption, for developers.

List of payloads suitable for Uncontrolled Resource Consumption

Here are some examples of payloads that can be used for testing Uncontrolled Resource Consumption vulnerabilities:

  • Large input data: sending large amounts of data to the application to see how it handles it.

  • Long execution time: sending a request that triggers a resource-intensive operation that takes a long time to complete, such as generating a large report.

  • Large file uploads: uploading files that are much larger than what the application can handle, to see how it responds.

  • Recursive calls: making recursive calls to a function or method to see how the application handles the recursion and the amount of resources it consumes.

  • Multiple parallel requests: sending multiple parallel requests to the application to see how it handles concurrent requests and if it consumes excessive resources.

  • Forced Garbage Collection: triggering the garbage collector to see how the application handles the reclaiming of memory resources.

  • Invalid input data: sending invalid or malformed input data to the application to see how it handles the errors and if it consumes excessive resources.

  • Endless loops: creating an infinite loop in the application to see how it handles it and how it consumes resources.

  • Memory exhaustion: allocating large amounts of memory in an application to see whether it can handle it and whether it consumes excessive resources.

How to be protected from Uncontrolled Resource Consumption

  1. Input validation and sanitization: Validate and sanitize all user input to ensure that it meets the expected format and is safe to use.

  2. Resource allocation and management: Implement proper resource allocation and management techniques to ensure that resources are used efficiently and that they are released when no longer needed.

  3. Throttling: Implement throttling mechanisms to limit the number of resources that can be requested within a given time period.

  4. Timeouts: Implement timeouts for resource requests to prevent them from consuming excessive amounts of time.

  5. Monitoring: Monitor system performance to identify any unusual spikes in resource usage, which could be an indication of an Uncontrolled Resource Consumption attack.

  6. Hardening: Harden the system and its components, including the network, operating system, and applications, to reduce the risk of attack.

  7. Regular updates: Keep all software up to date with the latest patches and security updates to address known vulnerabilities.
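The monitoring item above is the one most often left vague, so here is an added example (not from the original article) of detection logic that runs over access-log lines and flags clients whose request rate or transferred bytes exceed a threshold inside a sliding window. The log format, the sample lines, the client addresses and the thresholds are all constructed for this example; a real deployment would read the server's actual log format and tune the window to its normal traffic.

```python
# Added example (not from the original article): sliding-window burst
# detection over access-log lines.
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: "<ip> [<timestamp>] "<method> <path>" <status> <bytes>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Constructed sample: one quiet client and one client hammering /report.
SAMPLE_LOG = """\
10.0.0.5 [13/Feb/2023:10:00:00 +0000] "GET /index.html" 200 512
10.0.0.9 [13/Feb/2023:10:00:01 +0000] "POST /report" 200 1048576
10.0.0.9 [13/Feb/2023:10:00:01 +0000] "POST /report" 200 1048576
10.0.0.9 [13/Feb/2023:10:00:02 +0000] "POST /report" 200 1048576
10.0.0.9 [13/Feb/2023:10:00:02 +0000] "POST /report" 200 1048576
10.0.0.9 [13/Feb/2023:10:00:03 +0000] "POST /report" 200 1048576
10.0.0.9 [13/Feb/2023:10:00:03 +0000] "POST /report" 200 1048576
10.0.0.5 [13/Feb/2023:10:00:30 +0000] "GET /about.html" 200 300
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "bytes": int(m["bytes"])}


def find_bursts(log_text, window_s=10, max_requests=5, max_bytes=4 * 1024 * 1024):
    """Return {ip: [reasons]} for clients that exceeded a threshold.

    Lines are assumed to be in time order. For each client a deque holds the
    (timestamp, bytes) of the requests inside the current window; entries
    older than window_s are dropped before the thresholds are checked.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the monitor
        q = windows[rec["ip"]]
        q.append((rec["ts"], rec["bytes"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_requests:
            flagged.setdefault(rec["ip"], set()).add("request rate")
        if sum(b for _, b in q) > max_bytes:
            flagged.setdefault(rec["ip"], set()).add("bytes transferred")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}


if __name__ == "__main__":
    for ip, reasons in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: exceeded {', '.join(reasons)} threshold(s)")
```

Counting bytes as well as requests matters because a handful of requests for an expensive endpoint can cost more than hundreds of cheap ones; in the sample the noisy client trips the byte threshold one request before it trips the rate threshold.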

Mitigations for Uncontrolled Resource Consumption

  1. Setting resource limits can help to prevent resource exhaustion attacks by limiting the amount of resources that can be consumed by a single process or user. This can help prevent malicious actors from causing a denial-of-service (DoS) condition by consuming too many resources.

  2. Rate limiting can help prevent DoS attacks by limiting the number of requests that can be made within a certain period of time. This can help prevent a single user from overwhelming a system with too many requests.

  3. Validating user input can help prevent attackers from submitting input that could cause a resource exhaustion attack. This can involve checking the length of input or ensuring that it conforms to expected values.

  4. Implementing timeouts can help prevent resource exhaustion attacks by terminating processes that have been running for too long. This can help prevent a process from consuming too many resources and causing a DoS condition.

  5. Using memory-safe programming languages, such as Rust or Java, can help prevent buffer overflow and other memory-related vulnerabilities that can lead to resource exhaustion attacks.

  6. Resource pooling can help prevent resource exhaustion attacks by limiting the number of resources that can be consumed at any one time. This can involve sharing resources between multiple processes or users.

  7. Load balancing can help prevent DoS attacks by distributing traffic across multiple servers or resources. This can help prevent a single server or resource from becoming overwhelmed with too much traffic.
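The protection list above and this mitigation list name the same core controls (input validation, throttling, timeouts, resource limits). The following added example, which is not code from the original article, wires three of them into one request guard: a body-size limit applied before the input is touched, a per-client token bucket, and a cooperative processing deadline. The class names, the limits, the `count_lines` worker and the injectable `FakeClock` are assumptions for this example.

```python
# Added example (not from the original article): body-size limit, per-client
# token-bucket throttling and a processing deadline in one request guard.
import time


class FakeClock:
    """Deterministic clock for demos and tests: returns t, then adds step."""

    def __init__(self, start=0.0, step=0.0):
        self.t = start
        self.step = step

    def __call__(self):
        now = self.t
        self.t += self.step
        return now

    def advance(self, seconds):
        self.t += seconds


class TokenBucket:
    """Per-client limit: `capacity` requests of burst, refilled at `rate` per second."""

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self.tokens = float(capacity)
        self.updated = clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class RequestGuard:
    """Applies size validation, throttling and a deadline, in that order."""

    def __init__(self, max_body_bytes, burst, rate_per_s, deadline_s, clock=time.monotonic):
        self.max_body_bytes = max_body_bytes
        self.burst = burst
        self.rate_per_s = rate_per_s
        self.deadline_s = deadline_s
        self.clock = clock
        self.buckets = {}

    def _bucket(self, client):
        if client not in self.buckets:
            self.buckets[client] = TokenBucket(self.burst, self.rate_per_s, self.clock)
        return self.buckets[client]

    def handle(self, client, body, work):
        """Return (status, detail); `work` is called as work(body, deadline, clock)."""
        # 1. input validation: reject oversized input before doing any work
        if len(body) > self.max_body_bytes:
            return 413, "body too large"
        # 2. throttling: one token per request, per client
        if not self._bucket(client).allow():
            return 429, "rate limit exceeded"
        # 3. timeout: the worker checks the deadline between units of work
        deadline = self.clock() + self.deadline_s
        try:
            return 200, work(body, deadline, self.clock)
        except TimeoutError as exc:
            return 503, str(exc)


def count_lines(body, deadline, clock):
    """Example worker: processes the body in 1 KiB chunks and honours the deadline."""
    count = 0
    for i in range(0, len(body), 1024):
        if clock() > deadline:
            raise TimeoutError("processing deadline exceeded")
        count += body[i:i + 1024].count(b"\n")
    return count


if __name__ == "__main__":
    clk = FakeClock()
    guard = RequestGuard(max_body_bytes=10_000, burst=2, rate_per_s=1.0, deadline_s=1.0, clock=clk)
    for _ in range(3):
        print(guard.handle("client-a", b"one\ntwo\n", count_lines))  # 200, 200, then 429
    clk.advance(1.0)
    print(guard.handle("client-a", b"one\ntwo\n", count_lines))      # refilled: 200
```

The order of the checks is deliberate: an oversized body is refused before it costs a token or any CPU, and a throttled client never reaches the worker. In a real server the size check belongs on the declared Content-Length (or on a bounded read), so the body is never fully buffered just to measure it.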

Conclusion

Uncontrolled Resource Consumption is a type of vulnerability that can lead to Denial of Service (DoS) attacks. It is caused by a lack of proper resource management, which can allow attackers to consume all available resources, such as memory or disk space. This vulnerability can be found in a variety of software, including web applications, operating systems, and network devices. To prevent this type of vulnerability, developers and system administrators should implement proper resource management and input validation, as well as limit access to system resources. Additionally, regular security testing and vulnerability scanning can help identify and mitigate potential vulnerabilities.
