NanaZip Denial-of-Service Vulnerability in LittleFS Filesystem Image Parser
Vulnerability
A denial-of-service vulnerability has been identified in NanaZip versions from 5.0.1252.0 up to, but not including, 6.0.1698.0. The issue lies in the LittleFS filesystem image parser: the 'Open' method reads 'BlockCount' directly from the superblock without validating it against the actual file size or imposing an upper limit. As a result, a crafted 44-byte LittleFS image with a 'BlockCount' of 0xFFFFFFFF drives approximately 4 billion heap allocations and exhausts available memory. The vulnerability is triggered during 'IInArchive::Open()', so no user interaction beyond opening the file is required.
Impact
Exploitation of this vulnerability causes unbounded memory consumption, with the system gradually exhausting available resources and swapping, which can degrade the performance of all running applications. The LittleFS handler is registered for the '.littlefs' file extension, and NanaZip's MSIX manifest declares wildcard file association, allowing the crafted file to be opened without additional user interaction.
Reproduction
To reproduce this vulnerability, create a LittleFS image file that is 44 bytes in size and set the 'BlockCount' value to 0xFFFFFFFF. When this file is opened with NanaZip, it will trigger the vulnerability by causing the application to hang while consuming excessive memory and CPU resources. Alternatively, a less aggressive 'BlockCount' value, such as 0x10000, can be used to confirm that the vulnerability exists without causing a complete system hang.
Remediation
Users can upgrade to NanaZip version 6.0.1698.0 or later, where this vulnerability has been fixed. For those who cannot upgrade, a workaround is to manually validate the 'BlockSize' and 'BlockCount' values against the actual stream length before processing the LittleFS image.
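The check described in the workaround, written out as an added C++ example (this is not NanaZip's code). The field offsets, the 44-byte test image and the BlockCount cap are assumptions for the demo; the real LittleFS superblock layout is not given in this advisory.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical superblock field offsets for this demo only; the advisory does
// not give the real LittleFS layout, so these are assumptions, not the format.
constexpr size_t kBlockSizeOffset = 20;
constexpr size_t kBlockCountOffset = 24;
constexpr size_t kImageBytes = 44;            // size of the advisory's trigger file
constexpr uint64_t kMaxBlockCount = 1u << 24; // assumed cap on accepted BlockCount

enum class Geometry { Ok, Truncated, ZeroBlockSize, ZeroBlockCount, TooManyBlocks, ExceedsStream };

// Little-endian 32-bit read that refuses to run past the end of the buffer.
static bool ReadLe32(const std::vector<uint8_t>& buf, size_t off, uint32_t& out) {
    if (off > buf.size() || buf.size() - off < 4) return false;
    out = uint32_t(buf[off]) | (uint32_t(buf[off + 1]) << 8) |
          (uint32_t(buf[off + 2]) << 16) | (uint32_t(buf[off + 3]) << 24);
    return true;
}

// The check the workaround describes: BlockSize and BlockCount must be non-zero,
// BlockCount must sit under a fixed cap, and BlockSize * BlockCount must fit in
// the stream. Both operands are 32-bit, so the 64-bit product cannot overflow.
Geometry ValidateGeometry(uint32_t blockSize, uint32_t blockCount, uint64_t streamLength) {
    if (blockSize == 0) return Geometry::ZeroBlockSize;
    if (blockCount == 0) return Geometry::ZeroBlockCount;
    if (blockCount > kMaxBlockCount) return Geometry::TooManyBlocks;
    if (uint64_t(blockSize) * blockCount > streamLength) return Geometry::ExceedsStream;
    return Geometry::Ok;
}

// Validate a whole image before any per-block allocation takes place.
Geometry ValidateImage(const std::vector<uint8_t>& image) {
    uint32_t blockSize = 0, blockCount = 0;
    if (!ReadLe32(image, kBlockSizeOffset, blockSize) ||
        !ReadLe32(image, kBlockCountOffset, blockCount)) return Geometry::Truncated;
    return ValidateGeometry(blockSize, blockCount, image.size());
}

// Construct a 44-byte test image carrying the given geometry (constructed test data).
std::vector<uint8_t> MakeImage(uint32_t blockSize, uint32_t blockCount) {
    std::vector<uint8_t> img(kImageBytes, 0);
    for (int i = 0; i < 4; ++i) {
        img[kBlockSizeOffset + i]  = uint8_t(blockSize  >> (8 * i));
        img[kBlockCountOffset + i] = uint8_t(blockCount >> (8 * i));
    }
    return img;
}
```

With this in place, the advisory's 0xFFFFFFFF image is rejected by the cap and the 0x10000 variant by the stream-length comparison, both before any allocation loop runs.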