Talos Security Advisory for Shadowsocks-libev 3.3.2 (TALOS-2019-0956) #2536
Shadowsocks-libev ss-server UdpRelay Denial-of-Service Vulnerability
An exploitable denial-of-service vulnerability exists in the UDPRelay functionality of Shadowsocks-libev 3.3.2. When utilizing a Stream Cipher and a
5.9 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-306: Missing Authentication for Critical Function
Shadowsocks is a multi-platform, easy-to-use SOCKS proxy with a focus on censorship evasion, and is therefore highly popular in countries with restrictive internet policies. For the purposes of this advisory, we will be focusing on Shadowsocks-libev, a pure C implementation aimed at lower-end and embedded devices.
For a basic use case and overview of Shadowsocks-libev, a setup like the following is required:
A given laptop or home network will have an
To get more specific into what attack surface is being examined (since there's 2 ports for both
It is very important to note that this particular vulnerability is only exploitable if three conditions are met.
First, ss-server must be using a stream cipher. Depending on the cipher chosen, encryption and decryption can be done many ways, but the most important decision is whether to use a stream cipher or an AEAD cipher. Stream ciphers provide confidentiality only, with no authentication or integrity check, whereas AEAD ciphers provide all three. As the Shadowsocks specification notes, users should use AEAD ciphers whenever possible (https://shadowsocks.org/en/spec/AEAD-Ciphers.html), and this advisory will hopefully demonstrate another reason why: with a stream cipher, any bytes an attacker sends will "decrypt" to something and be processed, since there is no tag that can fail verification.
The second precondition is that the UDPRelay functionality is enabled on ss-server.
The third precondition is either that the
Assuming that these three conditions are met (udprelay, local_address, stream cipher), an attacker can spam arbitrary UDP data at the ss-server and it will exit on its own.
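The following is an added, constructed example (not code from Shadowsocks-libev or from Talos) that illustrates the first precondition and the "spam arbitrary UDP data" step above: why a stream cipher lets attacker-controlled garbage reach the UDP relay's address parser, while an authenticated cipher rejects it before any parsing happens. The "stream cipher" here is a toy SHA-256 keystream and the "AEAD" is encrypt-then-MAC with HMAC-SHA256; both are stand-ins for the real ciphers (the real protocol prefixes an IV for stream ciphers and uses a salt plus a per-packet tag for AEAD), and the key, the datagram sizes and the outcome labels are all assumptions of this example. The target header format (ATYP, DST.ADDR, DST.PORT, DATA) is the SOCKS5-style address form the Shadowsocks UDP relay uses.

```python
"""Stream cipher vs AEAD in front of a UDP relay parser (constructed example, stdlib only)."""
import hashlib
import hmac
import os
import random
import struct
from collections import Counter

KEY = b"\x11" * 32      # constructed demo key, not a real one
NONCE_LEN = 16          # stands in for the stream-cipher IV / AEAD salt
TAG_LEN = 16


def _keystream(key, nonce, n):
    """Toy keystream SHA-256(key||nonce||counter); a stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:n])


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def stream_encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def stream_decrypt(key, blob):
    """Unauthenticated: every input 'decrypts'. There is no failure path at all."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(body, _keystream(key, nonce, len(body)))


def aead_encrypt(key, plaintext):
    ct = stream_encrypt(key, plaintext)
    return ct + hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]


def aead_decrypt(key, blob):
    """Authenticated: returns None unless the tag verifies, before anything is parsed."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return stream_decrypt(key, ct)


ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


class BadHeader(ValueError):
    """Decrypted bytes are not a well-formed ATYP | DST.ADDR | DST.PORT | DATA header."""


def parse_udp_header(payload):
    """Return (host, port, data) from a relay payload, or raise BadHeader."""
    if not payload:
        raise BadHeader("empty payload")
    atyp = payload[0]
    if atyp == ATYP_IPV4:
        off = 5
        if len(payload) < off + 2:
            raise BadHeader("short IPv4 header")
        host = ".".join(str(b) for b in payload[1:5])
    elif atyp == ATYP_DOMAIN:
        n = payload[1] if len(payload) > 1 else 0
        off = 2 + n
        if n == 0 or len(payload) < off + 2:
            raise BadHeader("short domain header")
        host = payload[2:off].decode("ascii", "replace")
    elif atyp == ATYP_IPV6:
        off = 17
        if len(payload) < off + 2:
            raise BadHeader("short IPv6 header")
        host = payload[1:17].hex()
    else:
        raise BadHeader("unknown ATYP %d" % atyp)
    port = struct.unpack(">H", payload[off:off + 2])[0]
    return host, port, payload[off + 2:]


def build_ipv4_payload(host, port, data):
    return bytes([ATYP_IPV4]) + bytes(int(x) for x in host.split(".")) + struct.pack(">H", port) + data


def handle_stream(key, datagram):
    """Stream-cipher relay: decryption cannot fail, so the parser sees every datagram."""
    try:
        return "forwarded", parse_udp_header(stream_decrypt(key, datagram))
    except BadHeader:
        return "rejected_by_parser", None


def handle_aead(key, datagram):
    """AEAD relay: unauthenticated datagrams are dropped before the parser runs."""
    pt = aead_decrypt(key, datagram)
    if pt is None:
        return "dropped_by_crypto", None
    try:
        return "forwarded", parse_udp_header(pt)
    except BadHeader:
        return "rejected_by_parser", None


def spray(handler, key, rounds=500, seed=1):
    """Feed `rounds` random datagrams (the attacker's 'spam') to a handler and tally outcomes."""
    rng = random.Random(seed)
    tally = Counter()
    for _ in range(rounds):
        dg = bytes(rng.getrandbits(8) for _ in range(rng.randint(1, 96)))
        tally[handler(key, dg)[0]] += 1
    return tally


if __name__ == "__main__":
    legit = build_ipv4_payload("127.0.0.1", 53, b"query")
    print("stream, legit :", handle_stream(KEY, stream_encrypt(KEY, legit)))
    print("aead,   legit :", handle_aead(KEY, aead_encrypt(KEY, legit)))
    print("stream, spray :", dict(spray(handle_stream, KEY)))
    print("aead,   spray :", dict(spray(handle_aead, KEY)))
```

Under the stream-cipher handler no sprayed datagram is ever dropped by the crypto layer: each one is decrypted to pseudo-random bytes and handed to the header parser, and any of those that happen to parse are forwarded to whatever garbage destination they name. Under the AEAD handler every sprayed datagram is discarded at the tag check, so the parser and the socket code behind it never see attacker-chosen input.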
The code involved in this exit can be found around
If the address given by the udp back matches that of the configuration option (in this case "127.0.0.1"), then all is fine:
But if the socket parameters passed are all 0, the error occurs:
2019-11-08 - Vendor Disclosure