CVE-2018-6335

Step 1: Payload Delivery: An attacker crafts a malicious HTTP/2 frame. This frame is designed to exploit the vulnerability in HHVM's HTTP/2 implementation. Step 2: Malformed Priority Metadata: The crafted frame contains malformed priority metadata. This metadata is specifically designed to trigger the std::out_of_range exception. Step 3: Frame Processing: The HHVM server, using the proxygen server, receives and begins processing the malicious HTTP/2 frame. Step 4: Parsing Error: During the parsing of the priority metadata, the server encounters the malformed data. Step 5: Exception Trigger: Due to the malformed data, the parsing logic attempts to access memory outside of the allocated bounds, triggering the std::out_of_range exception. Step 6: Denial of Service: The unhandled exception causes the HHVM process to crash, resulting in a denial-of-service condition, making the server unavailable to legitimate users.

The vulnerability lies within HHVM's handling of HTTP/2 priority frames, specifically within the proxygen server component. The root cause is a lack of proper input validation when parsing the priority metadata within these frames. When a malformed frame is received, the parsing logic attempts to access an invalid memory location, leading to an std::out_of_range exception. This exception, if unhandled, causes the HHVM process to terminate, resulting in a DoS. The flaw is likely related to incorrect bounds checking or integer overflow issues when processing the priority data, potentially allowing an attacker to specify values that exceed the allocated memory or data structures. The use of std::out_of_range indicates a problem with indexing or accessing data structures, suggesting a potential for an out-of-bounds read or write.