XX-Net
- <= 5.16.6
A WebSocket frame parsing vulnerability has been identified in XX-Net versions through 5.16.6. The issue resides in the WebSocket_receive_worker function of simple_http_server.py. It allows attackers to corrupt application data by sending unmasked WebSocket frames: the server always reads 4 bytes as a masking key, regardless of whether the MASK bit in the frame header is set. For an unmasked frame, the first 4 bytes of the payload are therefore treated as the mask key and the remaining payload is XOR-decoded against them, corrupting the data. The parser also skips the required validation of the RSV bits, the opcode, and FIN-based fragmentation.
Exploiting this flaw corrupts application data by misinterpreting WebSocket frame payloads: the first 4 bytes of an unmasked frame are read as a masking key, and the intended data is never delivered intact. The corruption is silent, since the WebSocket_on_message function is never informed that the payload was altered. The severity is rated low because the server binds to localhost (127.0.0.1) by default; the risk increases if the 'Allow Remote' option is enabled, which binds the server to all interfaces (0.0.0.0).
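The following is an added illustration, not XX-Net's own code: a small RFC 6455 frame decoder in which `parse_frame_flawed` models the behaviour described above (always consuming 4 mask bytes and XOR-decoding, with no RSV, opcode or fragmentation checks), and `parse_frame_checked` shows what a conforming server-side parser does instead (honour the MASK bit, reject reserved RSV bits and opcodes, enforce control-frame rules, and fail the connection on an unmasked client frame as RFC 6455 section 5.1 requires). The frame bytes are constructed inline with the helper `build_frame`; the function names and the `FrameError` type are assumptions made for this example.

```python
"""Minimal RFC 6455 frame decoder: a flawed parse beside a checked one.

Illustrative model of the issue described in the advisory, not XX-Net's code.
"""
import os
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    fin: bool
    opcode: int
    payload: bytes


class FrameError(ValueError):
    """Raised when a frame violates RFC 6455; a server should fail the connection."""


# Opcodes defined by RFC 6455: continuation, text, binary, close, ping, pong.
KNOWN_OPCODES = {0x0, 0x1, 0x2, 0x8, 0x9, 0xA}


def _read_header(buf: bytes):
    """Parse the fixed header; return (fin, rsv, opcode, masked, length, offset)."""
    if len(buf) < 2:
        raise FrameError("short header")
    b0, b1 = buf[0], buf[1]
    fin = bool(b0 & 0x80)
    rsv = (b0 >> 4) & 0x07          # RSV1..RSV3 must be zero unless an extension negotiated them
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)        # the MASK bit the flawed parser ignores
    length = b1 & 0x7F
    offset = 2
    if length == 126:
        (length,) = struct.unpack_from("!H", buf, offset)
        offset += 2
    elif length == 127:
        (length,) = struct.unpack_from("!Q", buf, offset)
        offset += 8
    return fin, rsv, opcode, masked, length, offset


def unmask(data: bytes, key: bytes) -> bytes:
    """XOR every payload byte with the 4-byte key, cycling the key (RFC 6455 5.3)."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def parse_frame_flawed(buf: bytes) -> Frame:
    """Model of the flaw: always consume 4 mask bytes and XOR-decode; no RSV/opcode/FIN checks."""
    fin, _rsv, opcode, _masked, length, offset = _read_header(buf)
    key = buf[offset:offset + 4]    # wrong when the MASK bit is clear: this is payload data
    offset += 4
    payload = unmask(buf[offset:offset + length], key)
    return Frame(fin, opcode, payload)


def parse_frame_checked(buf: bytes, from_client: bool = True) -> Frame:
    """Conforming decode: validate the header, then unmask only if MASK is set."""
    fin, rsv, opcode, masked, length, offset = _read_header(buf)
    if rsv != 0:
        raise FrameError("RSV bits set without a negotiated extension")
    if opcode not in KNOWN_OPCODES:
        raise FrameError(f"reserved opcode {opcode:#x}")
    if opcode >= 0x8 and (not fin or length > 125):
        raise FrameError("control frames must be unfragmented and at most 125 bytes")
    if from_client and not masked:
        raise FrameError("client-to-server frames must be masked (RFC 6455 5.1)")
    key = b""
    if masked:
        key = buf[offset:offset + 4]
        offset += 4
    if len(buf) < offset + length:
        raise FrameError("truncated payload")
    payload = buf[offset:offset + length]
    if masked:
        payload = unmask(payload, key)
    return Frame(fin, opcode, payload)


def build_frame(payload: bytes, opcode: int = 0x1, fin: bool = True,
                mask: bool = True, key: Optional[bytes] = None, rsv: int = 0) -> bytes:
    """Encode a frame for constructed test input (payloads shorter than 65536 bytes)."""
    b0 = (0x80 if fin else 0) | ((rsv & 0x07) << 4) | opcode
    n = len(payload)
    if n < 126:
        hdr = bytes([b0, (0x80 if mask else 0) | n])
    else:
        hdr = bytes([b0, (0x80 if mask else 0) | 126]) + struct.pack("!H", n)
    if not mask:
        return hdr + payload
    key = key or os.urandom(4)
    return hdr + key + unmask(payload, key)


if __name__ == "__main__":
    msg = b"hello world"                      # constructed sample payload
    unmasked = build_frame(msg, mask=False)
    print("flawed  :", parse_frame_flawed(unmasked).payload)   # garbled, no error raised
    try:
        parse_frame_checked(unmasked)
    except FrameError as e:
        print("checked :", e)                  # connection would be failed instead
```

Run as a script, the flawed parser returns a garbled payload for the unmasked frame without raising anything, which is exactly the silent corruption the advisory describes, while the checked parser refuses the frame; for a properly masked frame both decoders return the original bytes.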
To reproduce this vulnerability, send an unmasked WebSocket frame to a server running XX-Net version 5.16.6 or prior. The server will process the frame incorrectly, reading the first 4 bytes of the payload as a masking key and XOR-decoding the remaining data against them. This can be done with any WebSocket client that allows control over frame masking.
Users can update to XX-Net version 5.16.6 or later, where this vulnerability has been fixed.