Ackites KillWxapkg Denial-of-Service Vulnerability via Malicious wxapkg File

Vulnerability

A denial-of-service vulnerability has been identified in Ackites KillWxapkg versions through 2.4.1. The issue arises from the wxapkg file format, which is used for WeChat Mini Program packages. Specifically, the vulnerability is related to the file decompression handler, which lacks proper validation of internal file size metadata. This oversight allows an attacker to craft a wxapkg file that appears small but expands significantly during unpacking, leading to excessive disk space and memory usage. The vulnerability can be exploited remotely, although the attack's complexity is considered high.

Impact

Exploitation of this vulnerability causes resource exhaustion, similar to a zip bomb effect, leading to unusually high disk space usage and excessive memory consumption.

Reproduction

The vulnerability can be reproduced by creating a malicious wxapkg file that exploits the missing size validation in the decompression handler: a file that appears small but whose index declares entries that unpack to a much larger size, consuming excessive disk space and memory. The proof-of-concept code referenced by this advisory (not reproduced here) demonstrates creating such a file and unpacking it to trigger the resource exhaustion.

Remediation

It is recommended to validate the size metadata in the wxapkg index against the actual container before writing any file out, to enforce strict limits on the number of files unpacked from a wxapkg, and to set a maximum directory or nesting depth during the unpacking process.
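A defensive index parser of the kind this remediation calls for, written here as an added Go example (the language KillWxapkg is written in) and not the project's own code. The wxapkg header and index layout it assumes, and the file-count and nesting caps, are assumptions of this example; it rejects a package before any file data is written if an entry's declared offset and size fall outside the container, if the declared sizes together exceed the container, if the file count exceeds the cap, or if an entry name nests too deeply.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

const maxFiles, maxDepth = 10000, 16 // hypothetical caps, checked before any data is written

type entry struct{ Name string; Off, Size uint32 }

// parseIndex reads the wxapkg header and file index and rejects metadata the
// container cannot satisfy. Assumed layout: 0xBE, 4 reserved bytes, 4-byte index
// length, 4-byte body length, 0xED, 4-byte file count, then per entry a 4-byte
// name length, the name, a 4-byte offset and a 4-byte size (all big-endian).
func parseIndex(pkg []byte) ([]entry, error) {
	total := uint64(len(pkg))
	if len(pkg) < 18 || pkg[0] != 0xBE || pkg[13] != 0xED {
		return nil, fmt.Errorf("bad wxapkg header")
	}
	count := binary.BigEndian.Uint32(pkg[14:18])
	if count > maxFiles {
		return nil, fmt.Errorf("file count %d exceeds limit %d", count, maxFiles)
	}
	var out []entry
	var declared uint64 // bytes the index promises to write out, summed
	for pos, i := 18, uint32(0); i < count; i++ {
		nameLen := -1
		if pos+4 <= len(pkg) { nameLen = int(binary.BigEndian.Uint32(pkg[pos:])) }
		if nameLen < 0 || pos+12+nameLen > len(pkg) {
			return nil, fmt.Errorf("truncated index at entry %d", i)
		}
		name := string(pkg[pos+4 : pos+4+nameLen])
		off := binary.BigEndian.Uint32(pkg[pos+4+nameLen:])
		size := binary.BigEndian.Uint32(pkg[pos+8+nameLen:])
		pos += 12 + nameLen
		declared += uint64(size)
		// Each entry must lie inside the container and all entries together must not expand beyond it.
		if uint64(off)+uint64(size) > total || declared > total {
			return nil, fmt.Errorf("%s: declared size %d exceeds container size %d", name, size, total)
		}
		if strings.Count(name, "/") > maxDepth {
			return nil, fmt.Errorf("%s: nesting deeper than %d", name, maxDepth)
		}
		out = append(out, entry{name, off, size})
	}
	return out, nil
}
```

The sum-of-declared-sizes check is a policy choice: it also rejects packages whose entries overlap the same region of the container, which is how a small file can legitimately-looking "unpack" many times over.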

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined into the overall risk score.