Login Sign Up

CVE-2020-35579

7.5 HIGH
Denial of Service

📋 TL;DR

This vulnerability in tindy2013 subconverter allows attackers to create a denial of service condition by exploiting a request loop in the /sub API endpoint. An attacker can craft a malicious URL that redirects back to the same endpoint, causing infinite recursion and resource exhaustion. This affects anyone running subconverter 0.6.4 with the vulnerable API endpoint exposed.

💻 Affected Systems

Products:
  • tindy2013 subconverter
Versions: 0.6.4
Operating Systems: All platforms running subconverter
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where the /sub API endpoint is accessible. The vulnerability exists in the core URL handling logic.

📦 What is this software?

Subconverter by Subconverter Project

View all CVEs affecting Subconverter →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to resource exhaustion (CPU, memory, network) from infinite request loops, potentially affecting other services on the same host.

🟠

Likely Case

Service degradation or temporary unavailability until the loop is manually stopped or resources are exhausted.

🟢

If Mitigated

Minimal impact if proper network segmentation and rate limiting are implemented.

🌐 Internet-Facing: HIGH - The vulnerable endpoint accepts arbitrary URLs and can be triggered remotely without authentication.
🏢 Internal Only: MEDIUM - Still exploitable by internal users or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit is simple to craft - just a URL that redirects to the vulnerable endpoint. Public discussion exists in GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.7.0 or later

Vendor Advisory: https://github.com/tindy2013/subconverter/issues/284

Restart Required: Yes

Instructions:

1. Stop subconverter service. 2. Update to version 0.7.0 or later from GitHub releases. 3. Restart subconverter service.

🔧 Temporary Workarounds

Network Access Control

linux

Restrict access to the /sub API endpoint using firewall rules or reverse proxy configuration.

iptables -A INPUT -p tcp --dport [subconverter-port] -s [trusted-networks] -j ACCEPT
iptables -A INPUT -p tcp --dport [subconverter-port] -j DROP

Rate Limiting

all

Implement rate limiting on the /sub endpoint to prevent request loops from consuming all resources.

nginx: limit_req_zone $binary_remote_addr zone=subconverter:10m rate=10r/s;
apache: SetEnvIf Request_URI "^/sub" RATELIMIT=1

🧯 If You Can't Patch

  • Disable or restrict access to the /sub API endpoint entirely
  • Implement strict input validation to reject URLs containing the vulnerable endpoint's address

🔍 How to Verify

Check if Vulnerable:

Check if running version 0.6.4 and if /sub endpoint is accessible. Test with curl: curl -v 'http://[host]:[port]/sub?target=clash&url=http://localhost:[port]/sub&config='

Check Version:

./subconverter --version or check the web interface

Verify Fix Applied:

Verify version is 0.7.0 or later and test the same curl command - should not cause infinite loops.

📡 Detection & Monitoring

Log Indicators:

  • Rapid repeated requests to /sub endpoint
  • High CPU/memory usage patterns
  • Error logs showing redirect loops

Network Indicators:

  • Unusual traffic patterns with recursive redirects
  • High volume of requests to single endpoint

SIEM Query:

source="subconverter.log" AND "GET /sub" | stats count by src_ip | where count > 100

📊 Metadata

CVE ID: CVE-2020-35579
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published: December 20, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON