CVE-2024-47535 - Netty's Windows Environment File DOS Vulnerability—Explained with Exploit Example

---

Netty is a super popular Java networking framework—tons of services and apps (from databases to messaging platforms) depend on it for high-performance, asynchronous networking. But in May 2024, the Netty team patched a critical Denial of Service (DOS) vulnerability affecting Windows systems: CVE-2024-47535. This bug lets attackers crash Netty-based applications by exploiting the way Netty tries to read a system file. In this post, we’ll break down the bug in simple language, show a proof-of-concept exploit, and offer advice on staying secure.

What Is CVE-2024-47535?

When running on Windows, Netty tries to load a file called nul (Windows’s special “null device,” similar to /dev/null on Linux) to read environment information. The problem? If nul does not exist as a real file, Windows will happily open a file by that name. If an attacker creates a real file called nul (which you can do in weird ways or via file sharing/mapping) and fills it with a huge amount of data, Netty blindly tries to read it all into memory. The application’s memory explodes, and it crashes. Boom—Denial of Service.

This was fixed in Netty 4.1.115.Final.

Memory explodes; out-of-memory crash.

Even if your Netty app doesn't actually process client requests, just starting it up in a bad environment is enough.

Simple Exploit Example

*Let’s see a Java code snippet that demonstrates the vulnerable behavior:*

import java.io.*;
import java.nio.file.*;

public class NettyEnvBugDemo {
    public static void main(String[] args) throws IOException {
        // Simulate Netty reading 'nul' as a file on Windows
        Path nulPath = Paths.get("nul");
        if (Files.exists(nulPath)) {
            byte[] data = Files.readAllBytes(nulPath); // Unsafe: reads everything!
            System.out.println("Read " + data.length + " bytes from 'nul'");
        } else {
            System.out.println("'nul' file does not exist.");
        }
    }
}

To exploit

1. On a Windows system, create a huge file named nul (e.g., with fsutil file createnew nul 500000000).

Watch the process crash or hang consuming all memory.

Note: Actually creating nul as a file on Windows is tricky because it's a reserved device. But in some scenarios (network shares, symlink tricks, or if the code runs in a container/SMB mount), it's possible. On non-Windows systems or with patched Netty, this won’t work.

Netty’s Fix

The Netty 4.1.115 release notes describe the fix:
> "Ensure that reading environment files on Windows does not allow for unbounded memory allocation if 'nul' exists as a real file."

This means newer versions check file size, handle unexpected files named nul, and avoid loading potentially malicious data this way.

Upgrade Netty to 4.1.115.Final or later

Download here: https://github.com/netty/netty/releases/tag/netty-4.1.115.Final

Original References

- Official Netty Security Advisory
- Netty 4.1.115.Final Release Notes
- NVD Entry CVE-2024-47535

Final Thoughts

CVE-2024-47535 could have allowed simple denial-of-service attacks on countless Java and Kotlin apps depending on Netty, especially on Windows cloud & server environments. The patch is out, so update ASAP and audit your file access policies. Don’t wait for a DOS attack to learn the hard way.

If you enjoyed this deep dive or want more real-world Java security breakdowns, let me know!

Timeline

Published on: 11/12/2024 16:15:22 UTC
Last modified on: 11/13/2024 17:01:58 UTC